Closed jon-livingstone closed 1 year ago
I'm not sure I completely understand the use case.
Can you provide some more context?
Sure. I am trying to find a software composition analysis tool that enables open-source security and license compliance, allowing for rapid development while remaining secure (especially with the rise of AI-assisted coding). I'm looking for an open-source tool that has some of the same scanning abilities as Black Duck or Snyk.
My particular use case: I am trying to integrate the Opossum tool into a Terraform-built Docker container. (Terraform/Docker Tutorial - https://developer.hashicorp.com/terraform/tutorials/docker-get-started)
I see. OpossumUI does not contain any scanners that do software composition analysis, like e.g. ScanCode. Instead, OpossumUI is a desktop app that allows you to open the findings of various different scanners.
The typical workflow to start with OpossumUI is to
Therefore, if I understand correctly that your use case is automatic scanning of code and probably alerting in case of "unwanted" licenses, and might not include a manual audit part, OpossumUI might not be well suited.
Do I understand correctly that you are looking for an automatic tool without manual work (for e.g. auditing results)?
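To make the distinction in the comment above concrete, here is an added example of the kind of automatic quality gate being asked about; it is not part of the original thread and not OpossumUI or ScanCode code. It assumes a simplified, ScanCode-like JSON report (a `files` list whose entries carry a `path` and a list of detected license `key`s; real scanner output is richer and its exact schema varies by version), a hypothetical license denylist, and a constructed sample report embedded inline. It fails the build on denylisted licenses and separately lists files with no detection at all, which is exactly the residue that still needs a manual audit in a tool like OpossumUI.

```python
import json
import sys

# Hypothetical policy for this example: licenses the gate refuses outright.
DENYLIST = {"gpl-2.0", "gpl-3.0", "agpl-3.0"}

# Constructed sample report (assumption: simplified ScanCode-like shape,
# one "files" list with a "path" and a list of detected license keys).
SAMPLE_REPORT = json.dumps({
    "files": [
        {"path": "src/app.py", "licenses": [{"key": "mit"}]},
        {"path": "vendor/libfoo/foo.c",
         "licenses": [{"key": "gpl-2.0"}, {"key": "mit"}]},
        {"path": "vendor/bar/LICENSE", "licenses": [{"key": "apache-2.0"}]},
        {"path": "vendor/baz/core.c", "licenses": []},
    ]
})


def _license_keys(entry):
    # Normalise keys to lower case so policy matching is case-insensitive.
    return {lic.get("key", "").lower() for lic in entry.get("licenses", [])}


def find_violations(report_json, denylist=DENYLIST):
    """Return [(path, [denylisted keys...]), ...] for files that hit the policy."""
    report = json.loads(report_json)
    deny = {k.lower() for k in denylist}
    violations = []
    for entry in report.get("files", []):
        bad = sorted(_license_keys(entry) & deny)
        if bad:
            violations.append((entry["path"], bad))
    return violations


def find_unreviewed(report_json):
    """Return paths with no detected license: automation cannot decide these,
    so they are handed to a human audit rather than silently passed."""
    report = json.loads(report_json)
    return [e["path"] for e in report.get("files", []) if not _license_keys(e)]


def gate(report_json, denylist=DENYLIST):
    """Evaluate the report and return a CI exit code: 0 = pass, 1 = fail."""
    violations = find_violations(report_json, denylist)
    unreviewed = find_unreviewed(report_json)
    for path, bad in violations:
        print(f"DENY {path}: {', '.join(bad)}")
    for path in unreviewed:
        print(f"WARN {path}: no license detected, needs manual review")
    if violations:
        print(f"quality gate FAILED: {len(violations)} file(s) with unwanted licenses")
        return 1
    print("quality gate passed")
    return 0


if __name__ == "__main__":
    # Read a scanner report from stdin if piped in; otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(gate(raw))
```

In a pipeline the scanner's JSON output would be piped into this script and the non-zero exit code would stop the build; the "WARN" lines are the files you would then open in a reviewer tool such as OpossumUI rather than block on automatically.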
@benedikt-richter Thank you for taking the time to explain the differences between OpossumUI and other tools. For my current use case, I am looking for an automatic scanning tool that can be used as a DevOps quality gate.
Out of curiosity, are there any plans for an automatic scanning version of OpossumUI?
@jon-livingstone Currently, there are no plans for an automatic scanning version.
So far OpossumUI is designed as a scanner/input generator agnostic tool that can integrate with many OSS scanners.
I am looking to integrate Opossum into my DevOps process. Do you have any documentation that can walk me through the best practices for integrating Opossum into something like Terraform?