
Guide on Code Security Scanning

Open ingyhere opened this issue 11 months ago • 6 comments

Purpose

  • Add new security scanning guide focused on the NASA SCRUB tool

Proposed Changes

  • [ADD] README contents

Issues

  • #25

Testing

  • Locally tested with sample repository: full scan, pre-commit hook
  • See rendered guide here: https://github.com/NASA-AMMOS/slim/tree/issue_25/docs/guides/software-lifecycle/security/security-scanning

ingyhere avatar Mar 19 '24 18:03 ingyhere

@ingyhere - just a note, adding labels for the type of SLIM best practice category each PR applies to (i.e. governance, software lifecycle, information sharing) helps to make future release notes more readable. See information about categories here.

Also - adding the SLIM Project Board in the PR right-hand menu, and tagging the status as well as the iteration, helps people understand the timeline for the PR.

riverma avatar Mar 26 '24 18:03 riverma

> @ingyhere - just a note, adding labels for the type of SLIM best practice category each PR applies ...
>
> Also - adding the SLIM Project Board in the PR right hand menu, and tagging the status ...

Done

ingyhere avatar Apr 25 '24 16:04 ingyhere

@jpl-jengelke, ~~quick favor: when this moves out of "draft" state, could you ping me @nutjob4life? I tend to mute draft PRs both logically and mentally 😇~~ Nevermind, I saw it go out of draft "live" during the tag-up meeting on 2024-05-02

nutjob4life avatar May 02 '24 16:05 nutjob4life

Superbly written guide with a great cadence and feel as well as utility. Should make SCRUB a much easier pill to swallow. Bravo! 🎉

Unfortunately as things go ... I see some areas for improvement. But I will make changes and ask for re-review.

ingyhere avatar Jun 06 '24 19:06 ingyhere

It would be helpful to get an example of how to use SonarCloud and SonarQube in the action to align with updated guidance from NASA MGSS. Some of this work may already have been performed by Elyssa, but it would be good to have it documented here as well.

jl-0 avatar Jul 19 '24 20:07 jl-0

> It would be helpful to get an example of how to use SonarCloud and SonarQube in the action to align with updated guidance from NASA MGSS. Some of this work may already have been performed by Elyssa, but it would be good to have it documented here as well.

Just to clarify - @jl-0 you're talking about the Enterprise versions for each? Not the community open source license ones? e.g. https://www.sonarsource.com/plans-and-pricing/

riverma avatar Jul 24 '24 23:07 riverma

FYI, I've got an "experience report" when it comes to using Grype for container image scanning, and over in PDS we ran into an issue with multiplatform images inside of a GitHub Actions workflow.

We're big fans of multiplatform images so that our Apple Silicon (arm64) users can run things natively while we still run amd64 images on servers.

The SLIM guide references Anchore's guide which we followed. But it turns out the docker buildx build with --load fails if you're using multiplatform images.

You can read the sordid details if you're curious; and I've got several workarounds there too.

Anyway hope this helps!

nutjob4life avatar Oct 22 '24 20:10 nutjob4life
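The failure described above, shown as an added example workflow that is not part of this PR or the SLIM guide: a multi-platform `docker buildx build --load` cannot place a manifest list in the local image store, so the scan step never gets an image. The workaround assumed here builds one single-platform image per matrix entry, loads it, and scans each with Grype; the image name `example/app`, the matrix layout and the action versions are assumptions.

```yaml
name: container-scan
on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - platform: linux/amd64
            arch: amd64
          - platform: linux/arm64
            arch: arm64
    steps:
      - uses: actions/checkout@v4
      # QEMU lets the amd64 runner build the arm64 variant.
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3

      # Failing form (kept commented for contrast): two platforms plus
      # `load: true` asks buildx to load a manifest list into the local
      # docker store, which only holds single-platform images, so the
      # build step errors and no image exists for the scanner.
      # - uses: docker/build-push-action@v6
      #   with:
      #     context: .
      #     platforms: linux/amd64,linux/arm64
      #     load: true
      #     tags: example/app:scan

      # Working form: one platform per matrix job, loaded locally under
      # an arch-specific tag (assumed tag scheme).
      - uses: docker/build-push-action@v6
        with:
          context: .
          platforms: ${{ matrix.platform }}
          load: true
          tags: example/app:scan-${{ matrix.arch }}

      # Scan the single-platform image that was just loaded; each
      # architecture's base layers get their own findings.
      - uses: anchore/scan-action@v4
        with:
          image: example/app:scan-${{ matrix.arch }}
          fail-build: true
          severity-cutoff: high
```

Scanning each architecture separately matters because the base image digests, and therefore the vulnerable packages, can differ between amd64 and arm64 variants.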

> FYI, I've got an "experience report" when it comes to using Grype for container image scanning, and over in PDS we ran into an issue with multiplatform images inside of a GitHub Actions workflow.

@nutjob4life I'll contact you in the next couple days to get clarification on the comments. Thanks.

jpl-jengelke avatar Oct 23 '24 05:10 jpl-jengelke