Add SAST (Static Application Security Testing) scan as a separate workflow which runs on PR create/update action. For now SAST scan runs in warning only mode which doesn't prevent PR from merging when vulnerabilities found. Later this workflow will be switched to enforcing mode and its success will become an obligatory requirement to merge a PR. Please carefully review SAST scan results and fix vulnerabilities if found. If you have any objections on scan results (false positives, deliberate vulnerabilities in configuration, etc.), then scan configuration can be adjusted (with EXCLUDE_PATHS and EXCLUDE_RULES env vars) for every individual repo. Please leave a comment in this PR in that case.
This PR is part of global initiative to enforce security scans on all major repos which is required to successfully pass information security audit, improve trust to our products and enhance production culture.
Description
Add SAST (Static Application Security Testing) scan as a separate workflow which runs on PR create/update action. For now SAST scan runs in warning only mode which doesn't prevent PR from merging when vulnerabilities found. Later this workflow will be switched to enforcing mode and its success will become an obligatory requirement to merge a PR. Please carefully review SAST scan results and fix vulnerabilities if found. If you have any objections on scan results (false positives, deliberate vulnerabilities in configuration, etc.), then scan configuration can be adjusted (with
EXCLUDE_PATHS
andEXCLUDE_RULES
env vars) for every individual repo. Please leave a comment in this PR in that case.Ticket link
https://app.clickup.com/t/4535044/SP-17600
Change type
Notes
This PR is part of global initiative to enforce security scans on all major repos which is required to successfully pass information security audit, improve trust to our products and enhance production culture.