DiamondLightSource / squid

A repo for UI library developments
Apache License 2.0

Test out security tools #1

Closed stan-dot closed 3 months ago

stan-dot commented 4 months ago

security

general links

https://dlsltd.sharepoint.com/:p:/r/sites/SSCC-OPN/_layouts/15/Doc.aspx?sourcedoc=%7B028A0A34-4E6C-4A62-B13D-0CEBB4663CE6%7D&file=DAQ%20Away%20Day%202024%20-%20Security.pptx&action=edit&mobileredirect=true
https://medium.com/coderbyte/performing-a-security-audit-for-your-github-repository-9fb32eb438a

tools we could use

can run locally (best in a container on a cron job): https://github.com/cve-search/cve-search

those that integrate with github - test out

https://github.com/apps/sonarcloud
https://codeql.github.com/
https://github.com/lunasec-io/lunasec
https://github.com/marketplace/lunatrace-by-lunasec/plan/MLP_kgDNHPQ#plan-7412

already in place

https://github.com/stackrox/stackrox
https://argus-stackrox.diamond.ac.uk/main/dashboard
https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories

rejected

too expensive: https://www.mend.io/pricing/
expensive: https://snyk.io/

the GitHub tooling already in place is better: https://www.gitguardian.com/

stan-dot commented 3 months ago

comments on the 'potential tools' section

codeql is github official, investigating it locally

the last two, lunatrace and sonarcloud will be discussed with a core team member

stan-dot commented 3 months ago

SonarCloud is great; used here: https://sonarcloud.io/project/issues?issueStatuses=OPEN%2CCONFIRMED&id=stan-dot_dls-web-uis&open=AZEscbpEwoeogG8g31Ii

LunaTrace failed to load for the repo

CodeQL is also good

stan-dot commented 3 months ago

Note: this now moves to a phase of setting up CodeQL (with a GitHub workflow) and SonarCloud specifically for this repo, though SonarCloud could more easily be made org-wide, as it has been tested.

Will make a new issue as the testing phase has finished