
Using static security analysis tool? #42

Open
jean-michelet opened this issue Oct 22, 2024 · 8 comments · May be fixed by #47
Labels
question Further information is requested

Comments

@jean-michelet
Contributor

jean-michelet commented Oct 22, 2024

Maybe we should use Snyk or another tool to look at the source code during CI (and to run locally).

@jean-michelet jean-michelet added good first issue Good for newcomers question Further information is requested and removed question Further information is requested good first issue Good for newcomers labels Oct 22, 2024
@jean-michelet jean-michelet changed the title Using static security analysis tool Using static security analysis tool? Oct 22, 2024
@mcollina
Member

Agreed.

@fernan-x

Do you already use another security analysis tool within the ecosystem?

You mention Snyk, but there is also OWASP Dependency-Check or SonarQube Community Edition.

I'll be happy to help integrate one of them, or to help dig into the differences between them to help take a decision.

@jean-michelet
Contributor Author

> Or help to dig into the differences between them to help take a decision.

Go ahead 👍

Checking dependencies with vulnerabilities is good; detecting insecure patterns through static code analysis is good too.
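The two kinds of check named in this thread (scanning dependencies for known vulnerabilities, and static analysis of first-party code for insecure patterns) can both run as one CI job. The workflow below is an added illustration, not code from this project or from any comment above. It assumes a Node.js project, a GitHub Actions runner, and a repository secret named `SNYK_TOKEN` holding a Snyk API token; the workflow name and severity threshold are arbitrary choices.

```yaml
# Added example: dependency scan plus static code analysis on every pull request.
# Assumes a Node.js project and a repository secret SNYK_TOKEN (assumed name).
name: security-scan

on:
  pull_request:
  push:
    branches: [main]

jobs:
  dependency-and-sast:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # least privilege: the job only needs to read the checkout

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm ci

      # 1) Dependency scan with the package manager's own audit.
      #    Fails the job when a known vulnerability at or above the threshold is found.
      - name: npm audit
        run: npm audit --audit-level=high

      # 2) Snyk CLI: "snyk test" covers dependencies, "snyk code test" covers
      #    first-party source (static analysis), as clarified in this thread.
      - uses: snyk/actions/setup@master

      - name: Snyk dependency scan
        run: snyk test --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Snyk static code analysis
        run: snyk code test --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

The same two commands run locally (`npm audit`, then `snyk test` and `snyk code test` after `snyk auth`), which matches the "run locally" part of the original request. Keeping `permissions` at `contents: read` means a compromised third-party action step in this job cannot push to the repository or mint tokens with write scope.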

@lirantal

Jumping in to clarify that Snyk scans both dependencies as well as first-party code (static analysis)

@gurgunday
Member

> Jumping in to clarify that Snyk scans both dependencies as well as first-party code (static analysis)

Nice!

@jean-michelet
Contributor Author

Do you want to work integrating Snyk @fernan-x?

@fernan-x

Sure, I have some free time tomorrow.

@Heyner128 Heyner128 linked a pull request Oct 27, 2024 that will close this issue
@nvuillam

nvuillam commented Nov 3, 2024

You should have a look at megalinter :)

https://megalinter.io/latest/

100% free and open-source :)

6 participants