In the build process, all the security scans like SAST, DAST, FOSS and CAST should be performed to deliver a safer product.
While making Ghost safer and a product of higher quality, it opens up the possibility for many MNCs to adopt the product, thereby increasing the impact and reach of the same.
1) Secret Detection - Gitleaks https://github.com/gitleaks/gitleaks
good usability - multiple running options and config file
2) Dependency Check - OSV by Google https://osv.dev/
good usability - JSON output and multiple options
good accuracy - OSV database from Google and support for multiple languages including PHP
3) Infrastructure Misconfiguration - KICS https://www.kics.io/
good usability - multiple file types and powerful queries
good accuracy - nightly builds
4) Container Scanning - Trivy https://trivy.dev/
good usability - easy to configure
good accuracy - can detect multiple OS packages
5) Runtime Scanning - ZAP https://owasp.org/www-project-zap/
good usability - has a Docker image and UI and is very extendable
good accuracy - numerous features including SQL injection fuzzing, broken access, XSS
Steps to Reproduce
N/A
Ghost Version
5.74.0
Node.js Version
version in docker image
How did you install Ghost?
docker compose
Database type
MySQL 5.7
Browser & OS version
No response
Relevant log / error output
No response
Code of Conduct
[X] I agree to be friendly and polite to people in this repository
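One way the five scanner stages listed in the issue could be wired into a build pipeline, as an added example that is not Ghost's own CI configuration and not code from the issue author. It is a GitHub Actions workflow; the action names and version tags are assumptions taken from the vendors' published actions and should be pinned to exact releases (or commit SHAs) before use, and the severity thresholds are illustrative. The container and DAST stages use the published `ghost:5.74.0` image (the version named in the issue) rather than building one, so no Dockerfile is assumed; the runtime scan starts that image with its default database rather than the MySQL 5.7 setup the issue describes.

```yaml
# Added example: security-scan stages for a CI build (not Ghost's own workflow).
# Assumptions: action names/version tags are as published by each vendor; pin them.
name: security-scans

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  secrets:            # 1) Secret detection (Gitleaks)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history: a secret committed and later removed is still a leak
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  dependencies:       # 2) Known-vulnerable dependencies (OSV database)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google/osv-scanner-action/osv-scanner-action@v1   # assumed tag
        with:
          scan-args: |-
            --recursive
            ./

  iac:                # 3) Infrastructure / IaC misconfiguration (KICS)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/kics-github-action@v2                   # assumed tag
        with:
          path: .
          output_path: kics-results
          fail_on: high,medium     # lower severities are reported but do not fail the build

  container:          # 4) Container image scanning (Trivy)
    runs-on: ubuntu-latest
    steps:
      - uses: aquasecurity/trivy-action@master                  # pin to a release in practice
        with:
          image-ref: ghost:5.74.0  # published image for the version named in the issue
          format: table
          severity: CRITICAL,HIGH
          ignore-unfixed: true     # only fail on findings that already have a fixed package
          exit-code: '1'

  dast:               # 5) Runtime scan of a running instance (ZAP baseline)
    runs-on: ubuntu-latest
    steps:
      - name: Start Ghost and wait until it answers
        run: |
          docker run -d --name ghost -p 2368:2368 -e url=http://localhost:2368 ghost:5.74.0
          for i in $(seq 1 30); do
            curl -fsS http://localhost:2368/ >/dev/null && exit 0
            sleep 2
          done
          echo "Ghost did not become ready" >&2
          docker logs ghost
          exit 1
      - uses: zaproxy/action-baseline@v0.12.0                   # assumed tag
        with:
          target: http://localhost:2368   # assumed reachable from the action's container
          allow_issue_writing: false      # report in the job log instead of opening GitHub issues
          fail_action: true
```

The jobs are independent so a slow DAST run does not delay the fast static stages, and each stage fails the build only above its own threshold; the ZAP baseline scan is passive, so it reports weaknesses without sending attack payloads, which keeps it safe to run on every pull request.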
Thanks for the tips - we track bugs in this repo so I'm going to close this for now. We do utilize a number of security scanners already but I'll keep this in mind in the future 🙂