
Make nancy scan something vulnerable as part of CI

Open · zendern opened this issue 5 years ago • 1 comment

  • What are you trying to do? We have this project here: https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project, which we created as part of digging into #107. We found that it was no longer a correct and valid example. We should probably make nancy and it a little more integrated.

  • What feature or behavior is this required for? Make sure nancy doesn't break and is actually picking up vulns, and keep our test project up to date when we need to.

  • How could we solve this issue? (Not knowing is okay!) Initial thought is to wire up nancy to scan this repo at CI time and make sure that vulns are actually being reported.

intentionally-vulnerable-golang-project does have a script already that runs nancy against it: https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project/blob/master/build.sh. So we could look at modifying that, but with it living in the nancy repo?? Or maybe we move the whole project into the nancy repo?? Or maybe we just trigger that build and use the latest nancy version after?? Idk.... dealer's choice really.

  • Anything else? ¯\_(ツ)_/¯

cc @bhamail / @DarthHater

zendern, Apr 06 '20 11:04
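One way to wire up the check the issue asks for, as an added example that is not code from the nancy repo or from intentionally-vulnerable-golang-project: a CI "canary" step that scans the known-vulnerable fixture and fails the build unless nancy actually reports findings. It assumes a checkout of the fixture in `FIXTURE_REPO`, that `nancy` is on PATH and reads `go list -json -deps ./...` on stdin via its `sleuth` command, and that nancy exits 1 when it finds vulnerabilities and 0 when it finds none; the function names and messages are this example's own.

```shell
#!/bin/sh
# Added example for this issue; not code from the nancy repo or from
# intentionally-vulnerable-golang-project. It is a CI "canary" step: run nancy
# against the known-vulnerable fixture and fail the build unless nancy actually
# reports vulnerabilities.
#
# Assumptions (labelled; none of these come from the issue text):
#   - FIXTURE_REPO is a checkout of intentionally-vulnerable-golang-project.
#   - `nancy` is on PATH, reads `go list -json -deps ./...` on stdin via its
#     `sleuth` command, and exits 1 when it finds vulnerabilities and 0 when
#     it finds none. Any other status is treated as "nancy did not run properly".

FIXTURE_REPO="${FIXTURE_REPO:-./intentionally-vulnerable-golang-project}"

# classify_exit STATUS
# Map nancy's exit status to a canary verdict. The verdict is printed on stdout
# and mirrored in the return code so callers can branch on either.
#   1      -> vulns-found    (return 0: the canary is healthy)
#   0      -> no-vulns       (return 1: scanner is broken or the fixture is stale)
#   other  -> scanner-error  (return 2: not installed, network failure, killed, ...)
# A clean exit from a scan of a *known-vulnerable* project is a failure for this
# job, which is the inversion that makes it a canary rather than a normal scan.
classify_exit() {
  case "$1" in
    1) echo "vulns-found";   return 0 ;;
    0) echo "no-vulns";      return 1 ;;
    *) echo "scanner-error"; return 2 ;;
  esac
}

# run_canary
# Execute the scan in a subshell so the cd does not leak, capture nancy's exit
# status (the last command in the pipeline), and turn it into a CI verdict.
run_canary() {
  (
    cd "$FIXTURE_REPO" || exit 3
    go list -json -deps ./... | nancy sleuth
  )
  status=$?

  verdict=$(classify_exit "$status")
  rc=$?
  case "$verdict" in
    vulns-found)
      echo "canary OK: nancy reported vulnerabilities in the fixture (exit $status)" ;;
    no-vulns)
      echo "canary FAILED: nancy reported nothing for a known-vulnerable project (exit $status)" >&2
      echo "  either nancy has regressed or the fixture's dependencies are no longer vulnerable" >&2 ;;
    *)
      echo "canary FAILED: nancy did not complete (exit $status); check install/network" >&2 ;;
  esac
  return "$rc"
}

# Only scan when invoked explicitly, e.g. from CI: `sh canary.sh run`.
# Sourcing the file (as a test harness does) defines the functions without scanning.
if [ "${1:-}" = "run" ]; then
  run_canary
  exit $?
fi
```

The point of splitting `classify_exit` out is the distinction it draws: a zero exit from nancy on this fixture is the regression the issue wants caught (either nancy stopped detecting, or the fixture's pinned dependencies were quietly fixed upstream), while a "command not found" or network failure is a different problem and should not be mistaken for a passing scan. Keeping the fixture up to date, the other half of the issue, is a separate maintenance step this script does not cover.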

I can give this a shot. :-)

deadlysyn, Oct 14 '20 02:10