laurentsimon
Please feel free to propose the SAST tools we should support, and which language they support. Not sure how long it would take to compile this list, but it would...
We're very very very interested in supporting more SAST tools, so +1 from me. Over time we can clean up the code and improve the SAST check to be more ecosystem-aware...
Thanks for the info. +1 on what you said. It uses only the AST iirc, but you're right it does a bit more than a "simple" linter.
Agreed that parsing go.mod is the right approach. Starting with the ecosystem name like `Go`, `PyPi` would be useful. Realistically, we won't be able to infer package names for other...
The check currently looks for ecosystem-specific Actions, so we *already* surface this implicitly. If we find multiple Actions, we can identify multiple projects in monorepos.
> > I'm unaware of any such document describing when an SBOM makes sense in each ecosystem. @idunbarh do you have any insight on this? > > The I don't...
> I'm hesitant to award full points for the endpoint BOM, as it may not be comprehensive For a first integration, one possibility could be to _not_ include these probes...
> Coming from the Security Tooling WG discussions, one of the desired outcomes is to measure the impact other parts of OpenSSF are having around SBOM adoption. In this case...
Thought on milestone for this feature? Shall we target BYOB?
That makes sense to me. The top-level workflow need not even be reported for builders since it's not an input and does *not* influence the builder. But because it's still...