-
As containers 'age' in production, existing mechanisms for container scanning during the publishing phase may not help us. Particularly for projects with containers which are not being actively develo…
-
SNYK
https://docs.snyk.io/products/snyk-code/cli-for-snyk-code/working-with-the-snyk-code-cli-results/exporting-the-test-results-to-a-json-or-sarif-file
TRIVY
https://aquasecurity.github.io/tri…
-
Snyk is enabled in the CI pipeline. To make it easier for ourselves to execute the scans locally, we should add the CLI tool from Snyk.
-
## Overview
Snyk Open Source allows you to easily find, prioritize and fix vulnerabilities in the open source libraries used in your cloud native applications.
## Summary of results
### Upgradeabl…
-
This package depends on [glob-all](https://github.com/jpillora/node-glob-all) which (although not officially) appears to be abandoned. This is a concern as some of its dependencies (well dependency o…
-
### Proposal
We run prometheus in our FedRAMP environment and use various container scanning tools like ECR, trivy/clair, and snyk to scan containers for vulnerabilities. These tools have trouble or …
-
Problem
We see some dependencies that are considered as vulnerable by both Snyk and White-source scanning. I found out about this because our organization does the scanning after we clone the repo. K…
-
## Description
While we use Snyk for the nightly dependency security scan, we also use https://owasp.org/www-project-dependency-check/ during release for updating the release notes.
The OWAS…
-
### Issue
We are currently attempting to utilize this action to scan and test our pnpm project, however, we are running into the following issue:
```bash
Error: Error: Error: package.json not …
```
-
### Pitch
It would be great if you could fulfill the steps to be accepted as 'official image' on DockerHub:
https://github.com/docker-library/official-images#contributing-to-the-standard-libra…