
Commit 0c6569b

docs: add scanner summary (#62)
List of used scanners and provided security controls.
1 parent 6bd2560 commit 0c6569b

1 file changed

+16
-0
lines changed

README.md

Lines changed: 16 additions & 0 deletions
@@ -1,6 +1,7 @@
11
# Security Orb [![CircleCI Build Status](https://circleci.com/gh/ExtensionEngine/pipeline-security-orb.svg?style=shield "CircleCI Build Status")](https://circleci.com/gh/ExtensionEngine/pipeline-security-orb) [![CircleCI Orb Version](https://badges.circleci.com/orbs/studion/security.svg)](https://circleci.com/developer/orbs/orb/studion/security) [![GitHub License](https://img.shields.io/badge/license-MIT-lightgrey.svg)](https://raw.githubusercontent.com/ExtensionEngine/pipeline-security-orb/master/LICENSE) [![CircleCI Community](https://img.shields.io/badge/community-CircleCI%20Discuss-343434.svg)](https://discuss.circleci.com/c/ecosystem/orbs)
22

33
An orb to facilitate security work within Studion CircleCI pipelines. Inspired by [ASH](https://github.com/awslabs/automated-security-helper).\
4+
\
45
Key features:
56

67
- Audit dependencies for vulnerabilities, supports npm or pnpm
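Review bot: the inserted line is a bare `\` hard line break stacked on the `\` that already ends the "Inspired by ASH" sentence, which produces an empty line inside the same paragraph rather than a paragraph break before "Key features:". If the intent is to separate the intro sentence from the feature list, replace both backslashes with a plain blank line; Markdown renderers then treat "Key features:" as its own paragraph without relying on renderer-specific handling of consecutive hard breaks.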
@@ -12,6 +13,21 @@ Key features:
1213
- Check Docker images for vulnerabilities and secrets
1314
- Generate Software Bill of Materials (SBOM) from Docker images
1415

16+
### Scanner summary
17+
18+
- General
19+
- Scan code for vulnerabilities (SAST) - [Semgrep](https://github.com/semgrep/semgrep)
20+
- Scan code for hard-coded secrets - [Gitlekas](https://github.com/gitleaks/gitleaks)
21+
- JavaScript, Typescript
22+
- Scan dependencies for vulnerabilities
23+
- [npm-audit](https://docs.npmjs.com/cli/commands/npm-audit)
24+
- [pnpm-audit](https://pnpm.io/cli/audit)
25+
- Docker
26+
- Scan Dockerfiles for misconfigurations - [Trivy](https://github.com/aquasecurity/trivy)
27+
- Scan Docker images for hard-coded secrets - [Trivy](https://github.com/aquasecurity/trivy)
28+
- Scan Docker images for vulnerabilities - [Grype](https://github.com/anchore/grype)
29+
- Generate Software Bill of Materials (SBOM) from Docker images - [Syft](https://github.com/anchore/syft)
30+
1531
## Usage
1632

1733
See [the official registry page](https://circleci.com/developer/orbs/orb/studion/security) of this orb for guidelines and examples.
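Review bot: the secrets-scanner entry misspells the tool name as "Gitlekas" while its link target is gitleaks/gitleaks; it should read `[Gitleaks](https://github.com/gitleaks/gitleaks)`. Two smaller points in the same hunk: "Typescript" is conventionally written "TypeScript", and `### Scanner summary` is a level-3 heading placed directly under the level-1 title while the following `## Usage` is level 2, so `## Scanner summary` would keep the outline consistent. Since the summary is meant to document the provided security controls, it would also help readers to state for each scanner whether findings fail the pipeline job or are only reported.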
