sourcegraph / sourcegraph-public-snapshot

Code AI platform with Code Search & Cody
https://sourcegraph.com

Application security testing as part of the pipeline #13557

Open chayim opened 4 years ago

chayim commented 4 years ago

At the very least enable https://cloud.google.com/security-scanner/ and test per release:

- DAST (Dynamic Application Security Testing)
- SAST (Static Application Security Testing)

Issue: We need visibility into the relative quality of our code. There is low-hanging fruit, and real issues (i.e. security issue #74) that would be found by tools like SonarQube at the very least and higher-quality tools such as Fortify.

chayim commented 3 years ago

We should also look at more modern targeted tools such as scan.

ElizabethStirling commented 3 years ago

This issue sounds relatively nebulous. I'd like to see us split it up into multiple, smaller issues, such as one for investigating what scanners we want to use, then ones for each of those scanners. Otherwise, this is going to turn into an issue that never gets closed out, and I'm worried it'll get pushed through releases without externally appearing to make progress.

ElizabethStirling commented 3 years ago

I'll take this on for 3.22 unless you have objections, @chayim

ElizabethStirling commented 3 years ago

Moving out of 3.22, since this is not part of the roadmapped work.