Build a software analysis Gitlab pipeline
Software developers the world over have a hard enough time maintaining and securing their own code, so it's fairly common for the libraries and Docker containers a project uses, especially a large project, to be a few versions behind. When was the last time you actually audited 100 per cent of the code for all of the software used in any of your projects? Never, right? You don't have the time, you're not an expert in every language, and by the time you were done you'd need to do it all again. Software composition analysis (SCA) tackles this problem by effectively doing the checking for you: it identifies the third-party components you depend on and compares their versions against published vulnerability advisories.
In this tutorial, you’ll learn how to use a number of SCA tools to protect your code by extending the CI/CD pipeline created in the first part of this series, where we learned about static analysis and setting up a pipeline in GitLab CI. You can get a copy of where we left off by forking the repository at https://gitlab.com/plaintextnerds/web-app-security-tutorial1-lxf279, but we highly recommend picking up a copy of the previous issue and following that first if you can.
SCA tools such as , , and scan your dependencies and containers for vulnerable versions, with the goal of either updating them for you via a pull request (PR; GitLab calls this a merge request) or notifying you of the issue. Each of them works in slightly different ways, uses which is open source, and which is reasonably priced and offers a free option for individuals and open source projects.
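To make concrete what any of these tools does under the hood, here is a stripped-down SCA check added for this tutorial (it is not code from the article or from any of the tools it covers). It takes a pinned requirements file, matches each pin against an advisory list using the "introduced"/"fixed" version-range shape that public advisory databases such as OSV use, reports what is affected, and rewrites the pins to the fixed version, which is exactly the diff an SCA bot would put in a PR. The requirements text, package versions and advisory IDs are constructed for the example; the `EXAMPLE-000x` identifiers are placeholders, not real advisories.

```python
"""Minimal software composition analysis (SCA) check: worked example.

Constructed sample data only. Real SCA tools pull advisories from sources
such as OSV or the GitHub Advisory Database; the versions and advisory IDs
below are made up to illustrate the matching logic.
"""
import re
import sys

# Constructed sample input: a pip-style pinned requirements file.
REQUIREMENTS = """\
# web app dependencies (constructed sample)
flask==1.1.2
requests==2.25.1
pyyaml==5.3
"""

# Constructed advisory "database": package -> affected ranges.
# A version is affected when introduced <= version < fixed (OSV-style ranges).
ADVISORIES = {
    "pyyaml": [{"id": "EXAMPLE-0001", "introduced": "0", "fixed": "5.4"}],
    "requests": [{"id": "EXAMPLE-0002", "introduced": "2.0.0", "fixed": "2.20.0"}],
}

PIN_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9.]+)")


def parse_version(v):
    """Dotted version -> comparable tuple of ints, trailing zeros stripped so 5.4 == 5.4.0.

    Pre-release tags (rc1, b2, ...) are deliberately out of scope for this example.
    """
    parts = [int(p) for p in v.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text):
    """Return {name: version} from 'name==version' lines; comments and blanks are skipped.

    Unpinned lines are rejected: you cannot reason about a range you have not resolved.
    """
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version, advisory):
    """True when the installed version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(pins, advisories):
    """Match every pin against the advisory list and return the findings."""
    findings = []
    for name, version in pins.items():
        for adv in advisories.get(name, []):
            if is_affected(version, adv):
                findings.append({"package": name, "installed": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


def upgraded_requirements(text, findings):
    """Rewrite affected pins to the fixed version; this is the change an SCA bot proposes in a PR."""
    fixes = {f["package"]: f["fixed_in"] for f in findings}
    out = []
    for line in text.splitlines():
        m = PIN_RE.fullmatch(line.strip())
        if m and m.group(1).lower() in fixes:
            out.append(f"{m.group(1)}=={fixes[m.group(1).lower()]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # As a CI job this would fail the pipeline (non-zero exit) whenever anything is affected.
    found = scan(parse_requirements(REQUIREMENTS), ADVISORIES)
    for f in found:
        print(f"{f['package']}=={f['installed']} affected by {f['advisory']}, fix: upgrade to {f['fixed_in']}")
    print(upgraded_requirements(REQUIREMENTS, found))
    sys.exit(1 if found else 0)
```

Run with the constructed data, it flags only `pyyaml==5.3` (below the fixed version 5.4) and leaves `requests==2.25.1` alone because it is past that advisory's fixed version. Two things worth noticing are the same two things that separate a good SCA tool from a bad one: the version comparison has to be exact (5.4 and 5.4.0 must compare equal, and pre-release tags, which this example skips, need their own rules), and the job should exit non-zero so the pipeline fails rather than merely logging a warning nobody reads.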