Test out security tools

[stan-dot]

security

general links

https://dlsltd.sharepoint.com/:p:/r/sites/SSCC-OPN/_layouts/15/Doc.aspx?sourcedoc=%7B028A0A34-4E6C-4A62-B13D-0CEBB4663CE6%7D&file=DAQ%20Away%20Day%202024%20-%20Security.pptx&action=edit&mobileredirect=true https://medium.com/coderbyte/performing-a-security-audit-for-your-github-repository-9fb32eb438a

tools we could use

can run locally - best in a container on a cron job https://github.com/cve-search/cve-search

those that integrate with github - test out

https://github.com/apps/sonarcloud https://codeql.github.com/ https://github.com/lunasec-io/lunasec https://github.com/marketplace/lunatrace-by-lunasec/plan/MLP_kgDNHPQ#plan-7412

already in place

https://github.com/stackrox/stackrox https://argus-stackrox.diamond.ac.uk/main/dashboard https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories

rejected

too expensive https://www.mend.io/pricing/ expensive https://snyk.io/

already the github stuff is better https://www.gitguardian.com/

[stan-dot]

comments on the 'potential tools' section

• https://github.com/cve-search/cve-search that is for investigating the database of common vulnerabilities through a local mongodb. not repository-level and would need extra setup

codeql is github official, investigating it locally

the last two, lunatrace and sonarcloud will be discussed with a core team member

[stan-dot]

sonarcloud is great - used here https://sonarcloud.io/project/issues?issueStatuses=OPEN%2CCONFIRMED&id=stan-dot_dls-web-uis&open=AZEscbpEwoeogG8g31Ii

lunatrace failed to load fo rthe repo

codeql is also good

[stan-dot]

note: now this moves to a phase to set up codeql - with a github workflow - and sonarcloud specifically for this repo. Though the sonarcloud could be org-wide more easily, as it has been tested.

Will make a new issue as the testing phase has finished