guardian / csnx

Monorepo for Guardian UIs
https://guardian.github.io/csnx
Apache License 2.0

Can we find a vulnerability scanner that works with pnpm? #450

Open joecowton1 opened 1 year ago

joecowton1 commented 1 year ago

Discussed in https://github.com/guardian/csnx/discussions/449

Originally posted by **joecowton1** February 15, 2023

Currently across the Guardian we use [Snyk](https://snyk.io/) to check for dependency vulnerabilities, and [Dependabot](https://github.com/dependabot) to check for dependency updates. Neither of these works with [pnpm](https://pnpm.io/), which we use here in csnx.

We currently use Renovate to update dependencies; we're awaiting full approval from the tech council for wider use, but as a test it seems to be working well.

We'd like to find a vulnerability scanner to suggest for approval by Infosec. There was talk at the recent Dev X / Infosec catchup that it would be good to think holistically about a department-wide solution to dependency vulnerability; perhaps we can use csnx as a testbed for this.

Suggestions so far have been:

- [Google osv scanner](https://github.com/google/osv-scanner)
- [Mend Bolt](https://www.mend.io/free-developer-tools/bolt/)

Please add any thoughts below.
bryophyta commented 1 year ago

I added this to the WebX rota project board because I was testing org-wide projects, but I can't find a way to remove it from that project again, sorry! I don't think it's messed with any of the settings in the CSNX project though 🤞

joecowton1 commented 1 year ago

No worries!

joecowton1 commented 1 year ago

https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28#export-a-software-bill-of-materials-sbom-for-a-repository

https://github.com/advanced-security/generate-sbom-action
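The two routes discussed in this thread, scanning the pnpm lockfile directly (the osv-scanner suggestion in the opening post) and exporting an SBOM from GitHub's dependency graph (the links above), both reduce to the same thing: a list of npm name/version pairs sent to the OSV.dev batch query API. The script below is an added example written for this issue, not code from csnx, osv-scanner or GitHub. It parses the `packages:` section of a `pnpm-lock.yaml` (v5, v6 and v9 key styles), parses the purl references in a GitHub SBOM export (SPDX JSON under the `sbom` key), builds one `POST /v1/querybatch` body, and summarises the response. The lockfile fragment, the SBOM fragment and the OSV response are constructed sample data, and the vulnerability id in them is a placeholder, not a real advisory.

```python
"""Build an OSV.dev batch query from pnpm-lock.yaml or a GitHub SBOM export.

Added example for guardian/csnx#450; not the project's code. All sample data
below is constructed, including the placeholder vulnerability id.
"""
from __future__ import annotations

import json
import re
import urllib.request
from urllib.parse import unquote

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed pnpm-lock.yaml fragment (lockfile v6 key style: /name@version(peers)).
SAMPLE_PNPM_LOCK = """\
lockfileVersion: '6.0'

packages:

  /@babel/core@7.22.0:
    resolution: {integrity: sha512-AAAA}
    dev: true

  /lodash@4.17.21:
    resolution: {integrity: sha512-BBBB}
    dev: false

  /react-dom@18.2.0(react@18.2.0):
    resolution: {integrity: sha512-CCCC}
    peerDependencies:
      react: ^18.2.0
"""

# Constructed fragment in the shape of GET /repos/{owner}/{repo}/dependency-graph/sbom.
SAMPLE_GITHUB_SBOM = {"sbom": {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "npm:lodash", "versionInfo": "4.17.21", "externalRefs": [
        {"referenceType": "purl", "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
    {"name": "npm:@babel/core", "versionInfo": "7.22.0", "externalRefs": [
        {"referenceType": "purl", "referenceLocator": "pkg:npm/%40babel/core@7.22.0"}]},
]}}

# Constructed OSV response; results align index-wise with the queries sent.
SAMPLE_OSV_RESPONSE = {"results": [{}, {"vulns": [{"id": "OSV-EXAMPLE-0001"}]}, {}]}

_PKG_KEY = re.compile(r"^  (\S+?):\s*$")  # a two-space-indented key under packages:
_NPM_PURL = re.compile(r"^pkg:npm/(?P<name>@[^/@]+/[^@]+|[^@/]+)@(?P<version>[^?#]+)")


def parse_pnpm_lock(text: str) -> list[tuple[str, str]]:
    """(name, version) pairs from the packages: section of a pnpm lockfile.

    Handles v5 keys (/name/version), v6 keys (/name@version(peers)) and
    v9 keys ('name@version'); peer-dependency suffixes are dropped.
    """
    pairs, in_packages = [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level section header
            in_packages = line.rstrip() == "packages:"
            continue
        m = _PKG_KEY.match(line) if in_packages else None
        if not m:
            continue
        key = m.group(1).strip("'\"").split("(", 1)[0].lstrip("/")
        if "@" in key[1:]:                    # v6/v9: name@version (name may be @scope/name)
            name, version = key.rsplit("@", 1)
        else:                                 # v5: name/version
            name, version = key.rsplit("/", 1)
        pairs.append((name, version))
    return pairs


def parse_github_sbom(doc: dict) -> list[tuple[str, str]]:
    """npm (name, version) pairs from an SPDX SBOM export, read from the purl refs.

    The repository's own root package has no purl and is skipped.
    """
    pairs = []
    for pkg in doc.get("sbom", {}).get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                m = _NPM_PURL.match(unquote(ref["referenceLocator"]))
                if m:
                    pairs.append((m.group("name"), m.group("version")))
    return pairs


def build_osv_querybatch(pairs: list[tuple[str, str]]) -> dict:
    """Deduplicated request body for POST /v1/querybatch (OSV caps a batch at 1000)."""
    return {"queries": [{"package": {"name": n, "ecosystem": "npm"}, "version": v}
                        for n, v in dict.fromkeys(pairs)]}


def summarise(query: dict, response: dict) -> dict[str, list[str]]:
    """Map 'name@version' to the vulnerability ids OSV returned for it."""
    out = {}
    for q, r in zip(query["queries"], response.get("results", [])):
        ids = [v["id"] for v in r.get("vulns", [])]
        if ids:
            out[f"{q['package']['name']}@{q['version']}"] = ids
    return out


def query_osv(query: dict) -> dict:
    """Send the batch to OSV.dev (network call; not used by the offline run below)."""
    req = urllib.request.Request(OSV_QUERYBATCH_URL, data=json.dumps(query).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    pairs = parse_pnpm_lock(SAMPLE_PNPM_LOCK) + parse_github_sbom(SAMPLE_GITHUB_SBOM)
    batch = build_osv_querybatch(pairs)
    print(json.dumps(summarise(batch, SAMPLE_OSV_RESPONSE), indent=2))
```

Run against a real repo, replace `SAMPLE_PNPM_LOCK` with the file contents (or `SAMPLE_GITHUB_SBOM` with the JSON from the SBOM endpoint, which needs a token with read access to the repository) and pass the batch to `query_osv`. The lockfile route sees exactly what pnpm resolved, including dev dependencies; the SBOM route only sees what GitHub's dependency graph was able to parse, so if the two disagree the lockfile is the authoritative list.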