NASA-AMMOS / slim

Software Lifecycle Improvement & Modernization
https://nasa-ammos.github.io/slim/
Apache License 2.0

Guide on Code Security Scanning #148

Open ingyhere opened 8 months ago

ingyhere commented 8 months ago

Purpose

riverma commented 8 months ago

@ingyhere - just a note, adding labels for the type of SLIM best practice category each PR applies to (i.e. governance, software lifecycle, information sharing) helps to make future release notes more readable. See information about categories here.

Also - adding the SLIM Project Board in the PR right-hand menu, and tagging the status as well as the iteration, helps people understand the timeline for the PR.

ingyhere commented 7 months ago

@ingyhere - just a note, adding labels for the type of SLIM best practice category each PR applies ...

Also - adding the SLIM Project Board in the PR right hand menu, and tagging the status ...

Done

nutjob4life commented 6 months ago

@jpl-jengelke, quick favor: when this moves out of "draft" state, could you ping me @nutjob4life? I tend to mute draft PRs both logically and mentally 😇. Never mind, I saw it go out of draft "live" during the tag-up meeting on 2024-05-02.

ingyhere commented 5 months ago

Superbly written guide with a great cadence and feel as well as utility. Should make SCRUB a much easier pill to swallow. Bravo! 🎉

Unfortunately as things go ... I see some areas for improvement. But I will make changes and ask for re-review.

jl-0 commented 4 months ago

It would be helpful to get an example of how to use SonarCloud and SonarQube in the action to align with updated guidance from NASA MGSS. Some of this work may already have been performed by Elyssa, but it would be good to have it documented here as well.

riverma commented 4 months ago

It would be helpful to get an example of how to use SonarCloud and SonarQube in the action to align with updated guidance from NASA MGSS. Some of this work may already have been performed by Elyssa, but it would be good to have it documented here as well.

Just to clarify - @jl-0 you're talking about the Enterprise versions for each? Not the community open source license ones? e.g. https://www.sonarsource.com/plans-and-pricing/

jpl-jengelke commented 1 month ago

FYI, I've got an "experience report" when it comes to using Grype for container image scanning, and over in PDS we ran into an issue with multiplatform images inside of a GitHub Actions workflow.

@nutjob4life I'll contact you shortly to get clarification on the comments. Thanks.