Closed carjug closed 3 years ago
Moved over the dependency scanning and static analysis rows from #35.
Also added a new line for application scanning, this is the category that OWASP ZAP would fall into. Here's how I would think about the different kinds of tools:
Sounds good to me, Alex! Thanks for moving things over.
☝️ All 3 engineers have already started adding ideas here async, so I'm going to move this from TODO to In Progress!
We can learn from the TANF Data Portal project here.
They started off with Snyk but then moved to GitHub Native Dependabot.
The team wrote about their reasons why in an ADR!
... however, it looks like GitHub Native Dependabot isn't quite ready for Enterprise yet: https://github.com/dependabot/dependabot-core/issues/2149
... but I do see TTA SmartHub using it via the HHS GitHub org! So looks like it's likely available after all! https://github.com/HHS/Head-Start-TTADP/pull/487
Using GitHub-provided Dependabot and GitHub-provided CodeQL would simplify the compliance. (See discussion over in #55, https://github.com/18F/OPRE-Unicorn/issues/55#issuecomment-881065543.) Also, CodeQL is getting some rave reviews over in Slack and catching security bugs that weren't caught by other layers of tooling/review.
I'm all for using the GitHub-provided services given the simplicity of keeping things all in one place and also the fact that people are loving 💓
It looks like Snyk does have more functionality than Dependabot. Dependabot mostly focuses on dependencies, but Snyk also scans the code for other types of security issues. The question would be, can the other tools we are using here also fill in those functions?
@amymok CodeQL can fill in the static analysis code-scanning piece!
@amymok @carjug Do we have consensus that GitHub Dependabot and GitHub CodeQL will be our preferred third-party tools, or are there questions/concerns we want to discuss at next week's eng cowork? Either way is OK with me
Dependabot and CodeQL are good with me :) open to either as well though.
I don't have any concerns. I am good with Dependabot and CodeQL. I am assuming we also have consensus on OWASP ZAP? Do we need to check compliance or anything on that?
@amymok OWASP ZAP gets pulled in as a Docker image, as opposed to being a third-party external service that we integrate with. So kind of similarly to flake8 or coverage.py, I'd treat it as a library we're using, not an external service we need to get compliance sign-off on.
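For reference, here is what wiring the three tools into the CI pipeline looks like in practice. This is an added illustration, not a file from the OPRE-Unicorn repo: a GitHub Actions workflow that runs GitHub's hosted CodeQL action as a code-scanning job and runs the OWASP ZAP baseline scan by pulling the published `owasp/zap2docker-stable` image directly, exactly the "library, not external service" usage described above. The workflow file name, the `python` language selection, the `docker compose` start-up step, the port `8080`, and the `zap-baseline.conf` rule file are assumptions for the example.

```yaml
# .github/workflows/security-scans.yml  (added example; not the project's own workflow)
name: security-scans

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required for CodeQL to upload its SARIF results to the Security tab

jobs:
  # Static analysis via GitHub's hosted CodeQL action; no third-party service involved.
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: python        # assumption: Python code base; add other languages as needed
      - uses: github/codeql-action/analyze@v2

  # Dynamic application scan: ZAP is pulled as a container image and run as a build tool.
  zap-baseline:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Start the application under test
        # assumption: a docker-compose.yml in the repo exposes the app on localhost:8080
        run: docker compose up -d

      - name: Wait for the app to answer
        run: curl --retry 20 --retry-delay 3 --retry-connrefused -sSf http://localhost:8080/ > /dev/null

      - name: Run the ZAP baseline (passive) scan from the official image
        # zap-baseline.py only spiders and passively scans; it does not send attack payloads.
        # --network host lets the container reach localhost; /zap/wrk is where the report lands.
        # zap-baseline.conf (assumed, generated with -g on first run) maps rule IDs to FAIL/WARN/IGNORE
        # so the job only fails on findings the team has explicitly decided to block on.
        run: |
          docker run --rm --network host \
            -v "$PWD:/zap/wrk:rw" \
            owasp/zap2docker-stable zap-baseline.py \
              -t http://localhost:8080 \
              -c zap-baseline.conf \
              -r zap-report.html

      - name: Keep the report even when the scan fails
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: zap-report
          path: zap-report.html
```

Dependabot needs no workflow at all: a `.github/dependabot.yml` with `version: 2` and one `updates` entry per package ecosystem (for example `package-ecosystem: "pip"`, `directory: "/"`, `schedule: {interval: "weekly"}`) is enough for GitHub to open dependency-update PRs. Two caveats worth knowing before relying on the ZAP job: the baseline scan is passive, so it will flag missing security headers and similar issues but will not find injection bugs (that needs the separate full/active scan against a non-production target), and the exit code defaults to non-zero on any WARN-level finding unless the rule file or the `-I` flag says otherwise, so expect to tune `zap-baseline.conf` during the first few runs.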
I'll pick this one up since we finished out the ADR for CI/CD
We want to decide on security tools that we can integrate into our development and continuous integration processes.