Open daniel-ac-martin opened 2 years ago
It looks like SLScan might do everything aside from DAST. So the solution might just be SLScan + ZAP.
Looks like SLScan doesn't actually do proper SAST on Type/JavaScript.
Sounds like it used to do it with njsscan. I've asked whether they will do it again in the future: https://github.com/ShiftLeftSecurity/sast-scan/issues/367
Looks like SLScan is deprecated: https://github.com/ShiftLeftSecurity/sast-scan/issues/352 But it might still be the best open-source option. (When combined with a separate SAST tool for TypeScript.)
CodeQL looks good for most of the static side. (Besides dependencies.) Possibly, we could use Snyk for dependencies with https://www.npmjs.com/package/snyk-pnpm-deptree-api-tool ZAP is probably good for dynamic/DAST, but we need to find a way to stand up a copy of the app in CI.
OWASP dependency check supports SARIF output and so might fit well with CodeQL.
Perhaps we should replace SLScan with https://github.com/marketplace/actions/dependency-check ? It seems to be lighter weight and should integrate with GitHub via SARIF output. (Snyk might be another option but depends on a SaaS account.)
Can we use ZAP's API scanner?: https://github.com/zaproxy/action-api-scan
Can we scan Docker images with Trivy?: https://www.aquasec.com/products/trivy/
Trivy in GitHub Actions: https://blog.aquasec.com/trivy-github-actions-security-cicd-pipeline
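Pulling the pieces discussed above (CodeQL for SAST, OWASP Dependency-Check for SCA via SARIF, Trivy for the image, ZAP baseline and API scans against a copy of the app started on the runner) into one GitHub Actions workflow, as an added example that is not part of this issue or the project. The image name `my-app:ci`, port 3000, the `/healthz` and `/openapi.json` paths, the `--failOnCVSS 7` threshold and the action version pins are assumptions for illustration; the action names and inputs are the ones those actions document.

```yaml
# Added example workflow, not from this issue or the project. Image name, port,
# health and schema paths, CVSS threshold and version pins are assumptions.
name: security-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # needed by codeql-action to upload SARIF to Code scanning

jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # SAST: CodeQL uploads its own SARIF; results land under "Code scanning".
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@v3
        with:
          category: codeql

      # SCA: Dependency-Check writes SARIF that the same upload action accepts.
      # A distinct "category" per tool keeps the uploads from replacing each other.
      - name: Dependency-Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: my-app          # assumed project name
          path: '.'
          format: SARIF
          out: reports
          args: --failOnCVSS 7     # assumed threshold: fail on high/critical findings
      - uses: github/codeql-action/upload-sarif@v3
        if: always()               # still upload the report when the step above failed
        with:
          sarif_file: reports/dependency-check-report.sarif
          category: dependency-check

      # Container image: build, scan with Trivy, upload as a third SARIF category.
      - run: docker build -t my-app:ci .
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: my-app:ci
          format: sarif
          output: trivy.sarif
          severity: HIGH,CRITICAL
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy.sarif
          category: trivy

  dast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Stand the app up on the runner so ZAP has a live target, and wait until
      # it answers before scanning (assumed port and health endpoint).
      - name: Start app
        run: |
          docker build -t my-app:ci .
          docker run -d --name app -p 3000:3000 my-app:ci
          for i in $(seq 1 30); do
            curl -fsS http://localhost:3000/healthz && exit 0
            sleep 2
          done
          docker logs app; exit 1

      # Passive baseline scan of the served pages.
      - uses: zaproxy/action-baseline@v0.12.0
        with:
          target: http://localhost:3000
          fail_action: true          # fail the job on findings instead of only reporting
          allow_issue_writing: false # do not open GitHub issues from CI

      # Active API scan driven by the schema; format may be openapi, soap or graphql.
      - uses: zaproxy/action-api-scan@v0.7.0
        with:
          target: http://localhost:3000/openapi.json   # assumed schema location
          format: openapi
          fail_action: true
          allow_issue_writing: false
```

The ZAP actions run the scanner in a container on the runner's network, so `localhost` reaches the app started in the previous step; if the app is only reachable through a service container instead, point `target` at that service's name. Giving each non-CodeQL upload its own `category` matters in practice: uploads in the same category overwrite one another, so Trivy's results would silently replace Dependency-Check's.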
@daniel-ac-martin I am working on a proper OSS SAST tool for javascript/typescript that is powered by joern. Will get in touch with you as soon as it's ready.
It would be nice to have some sort of security scanning functionality in CI to try to catch any security problems.
SCA / Dependency scanning
latest tag?
SAST
DAST
Perhaps with ZAP?
Could look at this: https://github.com/marketplace/actions/owasp-zap-full-scan Also: https://github.com/marketplace/actions/owasp-zap-baseline-scan (But it might be better to have a way to run it locally as well.)
For APIs (inc. GraphQL) perhaps we should consider: https://github.com/zaproxy/action-api-scan
See also: