Closed stan-dot closed 3 months ago
comments on the 'potential tools' section
codeql is github official, investigating it locally
the last two, lunatrace and sonarcloud will be discussed with a core team member
sonarcloud is great - used here https://sonarcloud.io/project/issues?issueStatuses=OPEN%2CCONFIRMED&id=stan-dot_dls-web-uis&open=AZEscbpEwoeogG8g31Ii
lunatrace failed to load for the repo
codeql is also good
note: now this moves to a phase to set up codeql - with a github workflow - and sonarcloud specifically for this repo. Though the sonarcloud could be org-wide more easily, as it has been tested.
Will make a new issue as the testing phase has finished
security
general links
https://dlsltd.sharepoint.com/:p:/r/sites/SSCC-OPN/_layouts/15/Doc.aspx?sourcedoc=%7B028A0A34-4E6C-4A62-B13D-0CEBB4663CE6%7D&file=DAQ%20Away%20Day%202024%20-%20Security.pptx&action=edit&mobileredirect=true
https://medium.com/coderbyte/performing-a-security-audit-for-your-github-repository-9fb32eb438a
tools we could use
can run locally - best in a container on a cron job https://github.com/cve-search/cve-search
those that integrate with github - test out
https://github.com/apps/sonarcloud
https://codeql.github.com/
https://github.com/lunasec-io/lunasec
https://github.com/marketplace/lunatrace-by-lunasec/plan/MLP_kgDNHPQ#plan-7412
already in place
https://github.com/stackrox/stackrox
https://argus-stackrox.diamond.ac.uk/main/dashboard
https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories
rejected
too expensive https://www.mend.io/pricing/
expensive https://snyk.io/
already the github stuff is better https://www.gitguardian.com/