Skip to content

Latest commit

 

History

History
88 lines (50 loc) · 3.79 KB

File metadata and controls

88 lines (50 loc) · 3.79 KB

Infrastructure As Code (IaC) with KICS

This tool intends to find security vulnerabilities by scanning the code and upload results to the security dashboard in github. It is integrated as GitHub action into the repository workflows KICS and also a successor of Checkov. IaC must be scanned via nightly GitHub action and High/critical error findings are not accepted.

To integrate KICS into a repository, please see its documentation.

Results

Since, it is triggered via nnightly build daily, the below output is taken from one of the jobs history.

IaC with KICS

Complete history can be seen here

Container Scan with Trivy

This tool intends to find security vulnerabilities by scanning the container images and upload results to the github security tab. Similar to KICS, it is also integrated as GitHub action Trivy and triggerd via nightly build. All containers in GitHub Packages must be scanned and High/critical error findings are not accepted.

To integrate Trivy into a repository, please see its documentation.

Results

Since, it is triggered as a build every night, the below output is taken from one of the jobs history.

Backend Scanning

Scan backend container with Trivy

Frontend Scanning

Scan frontend container with Trivy

Complete history can be seen here

Static Application Serucity Testing

The static application security testing is performed by CodeQL tool through GitHub actions. Code must be scanned weekly with CodeQL tool, medium risks require mitigation statement, high and above not accepted.

CodeQL Code Analysis

It builds, package up the code and performs code analysis to the CodeQL platform. It helps for pull requests to know about very high/high security findings prior to merging code. It is one of the important jobs, and must be aligned to the quality gate requirements.

To integrate CodeQL into a repository, please see its documentation.

Results

Code analysis with CodeQL

Complete history can be seen here

NOTICE

This work is licensed under the CC-BY-4.0.

  • SPDX-License-Identifier: CC-BY-4.0
  • SPDX-FileCopyrightText: 2022, 2024 BMW AG
  • SPDX-FileCopyrightText: 2022, 2024 Henkel AG & Co. KGaA
  • SPDX-FileCopyrightText: 2023, 2024 CGI Deutschland B.V. & Co. KG
  • SPDX-FileCopyrightText: 2023, 2024 Contributors to the Eclipse Foundation
  • Source URL: https://github.com/eclipse-tractusx/digital-product-pass