Security Orb

An orb to facilitate security work within Studion CircleCI pipelines. Inspired by ASH.

Key features:

  • Audit dependencies for vulnerabilities; npm and pnpm are supported
  • The package manager defaults to the one detected from the environment
  • Detect secret leaks on the changeset or target a directory
  • Run a diff-aware static analysis tool to detect vulnerabilities
  • Opt for a full scan of the codebase when needed
  • Scan Dockerfiles for configuration issues
  • Check Docker images for vulnerabilities and secrets
  • Generate Software Bill of Materials (SBOM) from Docker images
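As an added example that is not the orb's own code, a POSIX shell sketch of the first two features: the package manager is chosen from the environment (an assumed PACKAGE_MANAGER override variable, otherwise the lockfile present in the project) and its audit is run with a severity threshold.

```shell
#!/usr/bin/env sh
# Added example, not part of the orb. The PACKAGE_MANAGER variable and the
# lockfile-based fallback are assumptions about how "picked from the
# environment" could be implemented.

# Print "pnpm" or "npm" for the project in directory $1 (default: cwd).
# Precedence: explicit PACKAGE_MANAGER, then whichever lockfile exists.
detect_pkg_manager() {
  dir="${1:-.}"
  case "${PACKAGE_MANAGER:-}" in
    npm|pnpm) echo "$PACKAGE_MANAGER"; return 0 ;;
    "") ;;
    *) echo "unsupported PACKAGE_MANAGER: $PACKAGE_MANAGER" >&2; return 1 ;;
  esac
  if [ -f "$dir/pnpm-lock.yaml" ]; then
    echo pnpm
  elif [ -f "$dir/package-lock.json" ]; then
    echo npm
  else
    echo "no npm or pnpm lockfile found in $dir" >&2
    return 1
  fi
}

# Run the dependency audit for directory $1, failing the step on findings at
# or above severity $2 (default "high"). Both CLIs accept --audit-level.
audit_dependencies() {
  dir="${1:-.}"
  level="${2:-high}"
  pm="$(detect_pkg_manager "$dir")" || return 1
  case "$pm" in
    npm)  (cd "$dir" && npm audit --audit-level="$level") ;;
    pnpm) (cd "$dir" && pnpm audit --audit-level "$level") ;;
  esac
}
```

A missing or unknown package manager makes the step fail rather than silently skipping the audit, which is the behaviour you want in a CI security gate.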

Scanner summary

  • General
    • Scan code for vulnerabilities (SAST) - Semgrep
    • Scan code for hard-coded secrets - Gitleaks
  • JavaScript, TypeScript
  • Docker
    • Scan Dockerfiles for misconfigurations - Trivy
    • Scan Docker images for hard-coded secrets - Trivy
    • Scan Docker images for vulnerabilities - Grype
    • Generate Software Bill of Materials (SBOM) from Docker images - Syft

Usage

See the official registry page of this orb for guidelines and examples.