mogul opened this issue 4 years ago (status: Open)
FYI, @JJediny suggested Trivy which is a vulnerability scanner that supports container images, filesystems, and git repositories.
First attempt at https://github.com/GSA/catalog.data.gov/pull/275, but needs more analysis/documentation before going live.
User Story
In order to meet compliance requirements, the data.gov team wants all pull requests scanned for vulnerabilities in the code they introduce.
Acceptance Criteria
[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]
Background
[Any helpful contextual notes or links to artifacts/evidence, if needed] See section 10.7.4 in the data.gov SSP. It's not clear if we'll be required to resolve this gap before we can get an ATO for data.gov on cloud.gov.
It's possible TTS Tech Portfolio is already doing this for us (except PHP)! The BYS guide also mentions this. We need to confirm that's already happening.
Security Considerations (required)
[Any security concerns that might be implicated in the change. "None" is OK, just be explicit here!]
Sketch
[Notes or a checklist reflecting our understanding of the selected approach]
Add a GitHub Action that does scanning (e.g. using git-xargs)
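As an added illustration of the sketch above (this is example configuration written here, not the workflow from the linked PR or anything the data.gov project has adopted), the following GitHub Actions workflow runs Trivy's filesystem scan against the checked-out pull request and fails the job on fixable HIGH/CRITICAL findings, then uploads a SARIF report so findings appear in the repository's code-scanning view. It assumes the default branch is named `main` and uses the `aquasecurity/trivy-action` action; the `@master` ref should be replaced with a pinned release tag or commit SHA before relying on it.

```yaml
# .github/workflows/trivy-scan.yml  (added example, not the project's own workflow)
name: Trivy vulnerability scan

on:
  pull_request:
    branches: [main]   # assumption: the default branch is "main"

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v4

      # Gate the PR: any fixable HIGH or CRITICAL finding in the checked-out
      # tree (dependency lockfiles, manifests, IaC) fails this job.
      - name: Scan repository filesystem
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in practice
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"

      # Second pass emits SARIF so findings are annotated on the PR;
      # exit-code 0 so the reporting step itself never blocks the merge.
      - name: Produce SARIF report
        if: always()
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif
          exit-code: "0"

      - name: Upload SARIF to GitHub code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

To scan a built container image instead of the source tree (the other mode the issue mentions), swap `scan-type: fs` / `scan-ref: .` for `scan-type: image` with `image-ref` set to the tag produced by the build step. Note that git-xargs, named in the sketch, is a tool for applying a change across many repositories at once, so it would be the way to roll a workflow like this out to every repo rather than the scanner itself.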