KICS scans the repository's infrastructure-as-code for security vulnerabilities and uploads the results to the GitHub security dashboard. It is integrated into the repository workflows as a GitHub Action (KICS) and replaces Checkov. IaC must be scanned by a nightly GitHub Action, and high/critical findings are not accepted.
To integrate KICS into a repository, please see its documentation.
Since it is triggered by the nightly build every day, the output below is taken from one of the entries in the job history.
The complete history can be seen here.
Trivy scans container images for security vulnerabilities and uploads the results to the GitHub Security tab. Like KICS, it is integrated as a GitHub Action (Trivy) and triggered by the nightly build. All containers in GitHub Packages must be scanned, and high/critical findings are not accepted.
To integrate Trivy into a repository, please see its documentation.
Since it is triggered as a build every night, the output below is taken from one of the entries in the job history.
The complete history can be seen here.
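The following workflow is an added example, not the project's own workflow, illustrating both the KICS and the Trivy sections above: a nightly scheduled GitHub Actions run that scans the repository's IaC with KICS and a container image with Trivy, uploads both SARIF reports to the GitHub Security tab, and fails the job when high/critical findings appear. The cron time, the IaC paths, the image name and the pinned action versions are assumptions; the action input names are those of the public `checkmarx/kics-github-action`, `aquasecurity/trivy-action` and `github/codeql-action/upload-sarif` actions.

```yaml
# Added example (not the project's own workflow). Paths, image name, cron time
# and action versions are assumptions; check them against your repository.
name: Nightly security scan

on:
  schedule:
    - cron: "0 2 * * *"   # assumption: 02:00 UTC every night
  workflow_dispatch:       # manual trigger for testing the workflow itself

permissions:
  contents: read
  security-events: write   # needed to upload SARIF to the Security tab

jobs:
  kics:
    name: KICS IaC scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run KICS
        uses: checkmarx/kics-github-action@v2   # assumption: pin to a validated release
        with:
          path: "charts,deployment"   # assumption: directories holding the IaC
          output_path: kics-results
          output_formats: "sarif"
          fail_on: "high,critical"    # quality gate: high/critical findings fail the job

      - name: Upload KICS results to the GitHub Security tab
        if: always()                  # upload the report even when the gate fails
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kics-results/results.sarif

  trivy:
    name: Trivy image scan
    runs-on: ubuntu-latest
    steps:
      - name: Scan an image published to GitHub Packages
        uses: aquasecurity/trivy-action@0.28.0   # assumption: pin to a validated release
        with:
          image-ref: "ghcr.io/example-org/example-image:latest"  # assumption
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "HIGH,CRITICAL"   # only report the severities the gate cares about
          exit-code: "1"              # non-zero exit fails the job on findings
          ignore-unfixed: true        # findings without an available fix are not actionable

      - name: Upload Trivy results to the GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

Two points are easy to miss in practice: the `if: always()` on the upload steps keeps the report flowing to the Security tab when the scan step fails the gate, so the failing run still leaves a record; and `security-events: write` is required, since with read-only default token permissions the upload step fails silently with an authorization error. The Security tab code-scanning view is available for public repositories and for private repositories with GitHub Advanced Security.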
Static application security testing is performed by the Veracode tool through GitHub Actions. Code must be scanned weekly with Veracode; medium-risk findings require a mitigation statement, and findings rated high or above are not accepted.
One job performs code analysis within the pipeline and reports results and feedback once the pipeline has finished. It lets pull requests surface very high/high security findings before the code is merged. This job is optional at the moment.
The other job builds and packages the code and uploads the results to the Veracode platform. It is one of the important jobs and must be aligned with the quality gate requirements.
Please see more details about the Veracode tool integration here.
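The following workflow is an added example, not the project's own workflow, showing how the two Veracode jobs described above fit into one GitHub Actions file: an optional pipeline scan that gives feedback on pull requests without blocking them, and a weekly upload-and-scan job that feeds the quality gate. The weekly cron time, the build command, the artefact path, the application name, the secret names and the pinned action versions are assumptions; the action input names are taken from the public `veracode/Veracode-pipeline-scan-action` and `veracode/veracode-uploadandscan-action` actions and should be checked against their current READMEs.

```yaml
# Added example (not the project's own workflow). Build command, artefact path,
# app name, secret names, cron time and action versions are assumptions.
name: Veracode SAST

on:
  schedule:
    - cron: "0 3 * * 1"   # assumption: weekly, Monday 03:00 UTC
  pull_request:           # pipeline scan feedback on pull requests

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build and package the code
        run: ./mvnw -B package -DskipTests   # assumption: Maven project producing target/app.jar
      - uses: actions/upload-artifact@v4
        with:
          name: app-package
          path: target/app.jar               # assumption

  pipeline-scan:
    # Optional job: fast feedback on very high/high findings for the pull request
    if: github.event_name == 'pull_request'
    needs: build
    runs-on: ubuntu-latest
    continue-on-error: true   # optional at the moment, so it does not block merging
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: app-package
      - name: Veracode pipeline scan
        uses: veracode/Veracode-pipeline-scan-action@v1.0.16   # assumption: pin to a validated release
        with:
          vid: ${{ secrets.VERACODE_API_ID }}    # assumption: secret names
          vkey: ${{ secrets.VERACODE_API_KEY }}
          file: app.jar
          fail_on_severity: "Very High, High"     # report the severities the policy rejects

  upload-and-scan:
    # Required job: uploads the package to the Veracode platform for the weekly policy scan
    if: github.event_name == 'schedule'
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: app-package
      - name: Veracode upload and scan
        uses: veracode/veracode-uploadandscan-action@0.2.6   # assumption: pin to a validated release
        with:
          appname: "example-app"                  # assumption: Veracode application profile name
          createprofile: false                    # fail rather than silently create a new profile
          filepath: "app.jar"
          version: "${{ github.run_id }}"         # unique scan name per run
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
```

The split between the two jobs mirrors the policy in the text: the pipeline scan runs on every pull request with `continue-on-error: true` because it is optional, while the upload-and-scan job runs only on the weekly schedule and has no such escape hatch, since its results on the Veracode platform are what the quality gate (mitigation statements for medium, nothing high or above) is evaluated against.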
This work is licensed under Apache-2.0.
- SPDX-License-Identifier: Apache-2.0
- SPDX-FileCopyrightText: 2022, 2024 BASF SE, BMW AG, Henkel AG & Co. KGaA
- SPDX-FileCopyrightText: 2023 Contributors to the Eclipse Foundation
- Source URL: https://github.com/eclipse-tractusx/digital-product-pass