go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License
44.36k stars, 5.43k forks

Repo Security Tab #24930

Open pkeech opened 1 year ago

pkeech commented 1 year ago

Feature Description

With the implementation of Gitea Actions, has there been discussions about creating a Security tab to display the results of commonly used security tools? For example, displaying the CVEs found from a vulnerability scan. Gitlab utilizes a security dashboard and Github uses the tab (see Screenshot).

IMHO either approach would provide benefit to the Gitea community and shouldn't be too hard to implement ... with the exception of support for specific tools reports.

Screenshots

(Screenshot 2023-05-25 at 8:37:26 AM)

silverwind commented 3 months ago

Have also been looking for something like this. I think it could be done to add a "Security" tab and within that an "Alerts" category along with an API to CRUD the entries that could be done during CI.

GammaGames commented 3 months ago

It looks like that's an enterprise feature: https://docs.gitea.com/enterprise/features/dependency-scan


pkeech commented 3 months ago

@GammaGames Thanks for pointing that out. Shame that this is being locked behind the Enterprise license.

techknowlogick commented 3 months ago

@pkeech to clarify: it's not being locked at all. There is a process that is happening to be able to contribute the functionality to the Gitea project. It was developed for a 3rd party under a contract where they are the rights holder, and the Gitea project requires that all contributions be able to fall under the DCO (similar to many other OSS projects, including the Linux Kernel). CommitGo has been fortunate that some customers are familiar with OSS and have written into the contract that the work we do for them is MIT-licensed and can be released immediately; some larger organizations have set contracts that cannot be changed (especially if trade secrets are involved, as any code needs to be vetted prior to contribution to ensure that nothing sensitive is included). CommitGo is working with those customers to educate them on OSS (so in the future this will be a streamlined process) and to have the code be able to be accepted by the Gitea project.

If you (a theoretical person, not you specifically) think, "That's all nice, but you can just say that and do nothing," you can look at work CommitGo has already been able to work with folks and release such as "SAML, Azure Object Store, Max User Limitations, and many more," and that's not even everything, as the Company itself has contributed the entire initial implementation of Gitea Actions. The company has also been able to contract for PR completion and have that directly contribute to the project, and it is sponsoring several bounties for the project.

@GammaGames @herrwusel @averagehelper ^