From 16d358ed03a1cb79cfaf14ccadbb43810eb6699b Mon Sep 17 00:00:00 2001 From: Eyal Ben Moshe Date: Tue, 25 Jul 2023 21:55:55 +0300 Subject: [PATCH] Documentation updates - IaC added to the pull requests scanning section (#401) --- README.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6c1bff259..fabba3d3c 100644 --- a/README.md +++ b/README.md @@ -210,7 +210,7 @@ The Frogbot GitLab flow is as follows: ### 👮 Security note for pull requests scanning -When installing Frogbot using JFrog Pipelines, Jenkins and Azure DevOps, Frogbot will not wait for a maintainer's approval before scanning newly opened pull requests. Using Frogbot with these platforms, however, isn't recommended for open-source projects. +When installing Frogbot using JFrog Pipelines, Jenkins and Azure DevOps, Frogbot will not wait for a maintainer's approval before scanning newly opened pull requests. Using Frogbot with these platforms, is therefore not recommended for open-source projects. When installing Frogbot using GitHub Actions and GitLab however, Frogbot will initiate the scan only after it is approved by a maintainer of the project. The goal of this review is to ensure that external code contributors don't introduce malicious code as part of the pull request. Since this review step is enforced by Frogbot when used with GitHub Actions and GitLab, it is safe to be used for open-source projects. @@ -228,13 +228,26 @@ If no new vulnerabilities are found, Frogbot automatically adds the following co If new vulnerabilities are found, Frogbot adds them as a comment on the pull request. For example: + [![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](#-issues) + +
+ +**VULNERABLE DEPEDENCIES** | SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | |:-------------------------------------------------------------------------------------------------------------------:| :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | | ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableCritical.png)
Critical | $\color{#3CB371}{\textsf{Not Applicable}}$ |minimist:1.2.5 | minimist:1.2.5 | [0.2.4]
[1.2.6] | | ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | $\color{#FF7377}{\textsf{Applicable}}$ |protobufjs:6.11.2 | protobufjs:6.11.2 | [6.11.3] | | ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | $\color{#3CB371}{\textsf{Not Applicable}}$ |lodash:4.17.19 | lodash:4.17.19 | [4.17.21] | +
+ +**INFRASTRUCTURE AS CODE** +| SEVERITY | FILE | LINE:COLUMN | FINDING +|:-------------------------------------------------------------------------------------------------------------------:| :------------: | :-----------: | :-----------------------------------: +| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableCritical.png)
Critical | test.js | 1:20 | kms_key_id='' was detected +| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | mock.js | 4:30 | Deprecated TLS version was detected +
@@ -265,10 +278,10 @@ The following alert types are supported: ![](./images/github-code-scanning-content.png) -#### 2. Secrets that are exposed in the code (for GitHub only) +#### 2. Secrets that are exposed in the code ![](./images/github-code-scanning-iac-content.png) -#### 3. Infrastructure as Code issues +#### 3. Infrastructure as Code (Iac) issues on Terraform packages ![](./images/github-code-scanning-secrets-content.png)
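Review bot: In the first hunk (`@@ -210,7`), the rewritten sentence "Using Frogbot with these platforms, is therefore not recommended for open-source projects." has a stray comma splitting the subject from the verb; drop it: "Using Frogbot with these platforms is therefore not recommended for open-source projects." The original wording ("isn't recommended") read fine, so the change is only worth keeping if "therefore" is wanted to tie the recommendation to the missing-approval behaviour described in the previous sentence.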
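Review bot: In the second hunk (`@@ -228,13`), the new table caption `**VULNERABLE DEPEDENCIES**` misspells "DEPENDENCIES", and the example rows in the new `**INFRASTRUCTURE AS CODE**` table are inconsistent with the rest of the patch: the findings (`kms_key_id='' was detected`, `Deprecated TLS version was detected`) are attributed to `test.js` and `mock.js`, while the third hunk states that IaC scanning covers Terraform packages, so `.tf` sample paths would match. The IaC rows also reuse the `notApplicableCritical.png` / `applicableHighSeverity.png` icons, which in the dependencies table encode the contextual-analysis "Applicable / Not Applicable" verdict; an IaC finding has no such verdict, so a plain severity icon would avoid implying one.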
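Review bot: In the third hunk (`@@ -265,10`), removing "(for GitHub only)" from the "Secrets that are exposed in the code" heading widens the documented platform scope without any accompanying change that says where else secrets detection is available; either keep the qualifier or add the supported platforms. The new heading "Infrastructure as Code (Iac) issues on Terraform packages" should use the abbreviation "IaC" as in the commit subject. While this hunk touches both headings, note that the unchanged image lines look swapped: `github-code-scanning-iac-content.png` sits under the Secrets heading and `github-code-scanning-secrets-content.png` under the IaC heading.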