Open jean-michelet opened 1 month ago
Agreed.
Do you already use another security analysis tool within the ecosystem?
You mention Snyk, but there is also OWASP Dependency-Check or SonarQube Community Edition.
I'll be happy to help integrate one of them, or help dig into the differences between them to help make a decision.
Go ahead 👍
Checking dependencies for vulnerabilities is good; detecting insecure patterns through static code analysis is good too.
Jumping in to clarify that Snyk scans both dependencies and first-party code (static analysis).
Nice!
Do you want to work on integrating Snyk @fernan-x?
Sure, I have some free time tomorrow.
Maybe we should use Snyk or another tool to look at the source code during CI (and to run locally).