KICS is intended to find security vulnerabilities by scanning the infrastructure-as-code (IaC) files and uploading the results to the security dashboard in GitHub. It is integrated into the repository workflows as the GitHub Action KICS, which is also the successor of Checkov. IaC must be scanned via a nightly GitHub Action, and High/Critical findings are not accepted.
To integrate KICS into a repository, please see its documentation.
Since it is triggered by a nightly build every day, the output below is taken from one of the runs in the job history.
The complete history can be seen here.
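The following workflow is an added example of how such a nightly KICS scan with SARIF upload can look; it is not the project's own workflow. The cron time, the scanned directories, and the action version tags are assumptions and should be adjusted (and pinned to a release tag or commit SHA) for a real repository.

```yaml
# Added example (not the project's own workflow): nightly KICS scan of IaC files
# with the SARIF report uploaded to the GitHub security tab.
# Assumptions: schedule, scanned paths and action version tags.
name: KICS IaC scan

on:
  schedule:
    - cron: "0 2 * * *"   # nightly at 02:00 UTC (assumed schedule)
  workflow_dispatch:       # allow manual runs for testing

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run KICS
        uses: checkmarx/kics-github-action@v2   # pin to a release or SHA
        with:
          path: "charts,deployment"   # IaC directories to scan (assumed)
          output_path: kics-results
          output_formats: "sarif"
          # Quality gate: High/Critical findings make the step exit non-zero
          fail_on: "high,critical"

      - name: Upload KICS SARIF
        if: always()   # still upload when the gate above failed the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kics-results/results.sarif
```

The `if: always()` on the upload step matters: with `fail_on` set, a High/Critical finding fails the scan step, and without it the SARIF would never reach the security dashboard, so the failing finding would only be visible in the job log.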
Trivy is intended to find security vulnerabilities by scanning the container images and uploading the results to the GitHub security tab. Similar to KICS, it is integrated as the GitHub Action Trivy and triggered via the nightly build. All containers in GitHub Packages must be scanned, and High/Critical findings are not accepted.
To integrate Trivy into a repository, please see its documentation.
Since it is triggered as a build every night, the output below is taken from one of the runs in the job history.
The complete history can be seen here.
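As an added example (not the project's own workflow), the following nightly Trivy scan pulls an image from GitHub Packages, fails on High/Critical findings, and still uploads the SARIF report. The image name, the schedule, and the action references are assumptions.

```yaml
# Added example (not the project's own workflow): nightly Trivy scan of a
# container image hosted in GitHub Packages (ghcr.io) with SARIF upload.
# Assumptions: image name, schedule and action version references.
name: Trivy container scan

on:
  schedule:
    - cron: "0 3 * * *"   # nightly at 03:00 UTC (assumed schedule)
  workflow_dispatch:

permissions:
  contents: read
  packages: read           # needed to pull a private image from ghcr.io
  security-events: write   # needed to upload SARIF to code scanning

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Scan image
        uses: aquasecurity/trivy-action@master   # pin to a release or SHA
        with:
          # Placeholder image reference; replace with the package to scan
          image-ref: ghcr.io/${{ github.repository }}:latest
          format: sarif
          output: trivy-results.sarif
          severity: "CRITICAL,HIGH"   # report only the gated severities
          exit-code: "1"              # fail the job when such findings exist

      - name: Upload Trivy SARIF
        if: always()   # upload the report even when the scan failed the gate
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

Restricting `severity` to CRITICAL and HIGH keeps the report aligned with the quality gate; if Medium and Low findings should also appear on the security tab, widen the list and keep `exit-code` tied to the gate by filtering in a separate step.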
Static application security testing (SAST) is performed by the CodeQL tool through GitHub Actions. Code must be scanned weekly with CodeQL; Medium risks require a mitigation statement, and High and above are not accepted.
The job builds and packages the code and performs the code analysis, reporting the results to the CodeQL platform. For pull requests, it makes very high/high security findings known before the code is merged. It is one of the important jobs and must be aligned with the quality gate requirements.
To integrate CodeQL into a repository, please see its documentation.
Complete history can be seen here
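The workflow below is an added example of a CodeQL setup that runs weekly and on pull requests; it is not the project's own workflow. The languages, the query suite, the branch name, and the cron time are assumptions.

```yaml
# Added example (not the project's own workflow): CodeQL analysis on pull
# requests and on a weekly schedule, results reported to code scanning.
# Assumptions: languages, query suite, target branch and schedule.
name: CodeQL

on:
  pull_request:
    branches: [main]        # assumed default branch
  schedule:
    - cron: "0 4 * * 1"     # weekly, Monday 04:00 UTC (assumed schedule)

permissions:
  contents: read
  security-events: write    # required to report results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [javascript, java]   # assumed languages in the repository
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended   # assumed suite; broader than the default

      # Builds and packages the code so compiled languages can be analysed
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Unlike the KICS and Trivy examples, the analyze step does not itself fail on findings; the High-and-above gate for pull requests is enforced by branch protection or a repository ruleset that requires code scanning results, and the Medium "mitigation statement" is a review step that the workflow cannot automate.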
This work is licensed under the Apache-2.0 license.
- SPDX-License-Identifier: Apache-2.0
- SPDX-FileCopyrightText: 2022, 2024 BMW AG, Henkel AG & Co. KGaA
- SPDX-FileCopyrightText: 2023, 2024 CGI Deutschland B.V. & Co. KG
- SPDX-FileCopyrightText: 2023 Contributors to the Eclipse Foundation
- Source URL: https://github.com/eclipse-tractusx/digital-product-pass