Open chayim opened 4 years ago
This issue sounds relatively nebulous. I'd like to see us split it up into multiple, smaller issues, such as one for investigating what scanners we want to use, then ones for each of those scanners. Otherwise, this is going to turn into an issue that never gets closed out, and I'm worried it'll get pushed through releases without externally appearing to make progress.
I'll take this on for 3.22 unless you have objections, @chayim
Moving out of 3.22, since this is not part of the roadmapped work.
Issue: We need visibility into the relative quality of our code. There is low hanging fruit, and real issues (i.e. security issue #74) that would be found by tools like SonarQube at the very least and higher quality tools such as Fortify.

SAST (Static Application Security Testing)

DAST (Dynamic Application Security Testing)

At the very least enable https://cloud.google.com/security-scanner/ and test per release.