You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'd like to add some security / vulnerability scanning into the CI pipeline.
As far as I know there's no obvious choice for this. I've used dependencyCheck, but it's slow, reporting isn't great and frequently has false-positives. I've used trivy which is a bit faster and never has false positives, but scans the dependency jars, rather than the gradle files, so it needs a bit of set up to put the jars in place to be scanned. There's also github scanning, which I've not used, and I'm sure there are many others.
Any of these options will also consume github action minutes, I'm not sure whether that's a concern or not.
I'd like to add some security / vulnerability scanning into the CI pipeline.
As far as I know there's no obvious choice for this. I've used dependencyCheck, but it's slow, reporting isn't great and frequently has false-positives. I've used trivy which is a bit faster and never has false positives, but scans the dependency jars, rather than the gradle files, so it needs a bit of set up to put the jars in place to be scanned. There's also github scanning, which I've not used, and I'm sure there are many others.
Any of these options will also consume github action minutes, I'm not sure whether that's a concern or not.
Any thoughts @kdubb @davecramer?
The text was updated successfully, but these errors were encountered: