Linux Format

Build a software analysis Gitlab pipeline

Software developers the world over have a hard enough time maintaining and securing their own code, so it’s fairly common for the libraries and Docker containers used, especially in large projects, to be a few versions behind. When was the last time you actually audited 100 per cent of the code for all of the software used in any of your projects? Never, right? You don’t have time, you’re not an expert in every language, and by the time you were done you’d need to do it all again. Software composition analysis (SCA) solves this problem by effectively doing this for you.

In this tutorial, you’ll learn how to use a number of SCA tools to protect your code by extending the CI/CD pipeline created in the first part of this series, where we learned about static analysis and setting up a pipeline in GitLab CI. You can get a copy of where we left off by forking the repository at https://gitlab.com/plaintextnerds/web-app-security-tutorial1-lxf279, but we highly recommend picking up a copy of the previous issue and following that first if you can.

SCA tools such as , , and scan your dependencies and containers for vulnerable versions, with the goal of either updating it for you via a pull request (PR) or notifying you of the issue. Each of them works in slightly different ways, uses which is open source, and which is reasonably priced and offers a free option for individuals and open source projects.
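The core of what such a tool does in a pipeline job, shown as an added example rather than code from this tutorial or any of the tools it covers: read the project's pinned dependencies, match each version against an advisory's affected range, and fail the job when anything matches. The lock-file format (requirements.txt-style `name==version` lines) and the advisory list are assumptions; both are constructed here so the script runs offline.

```python
# Added example (not the tutorial's own code): the core check an SCA job runs
# in CI. It assumes a requirements.txt-style file of pinned "name==version"
# lines and a constructed advisory list; a real tool would query a vulnerability
# database and usually also scan the container images the pipeline builds.
import re
import sys

# Constructed advisories (placeholder ids, not real CVEs): affected if introduced <= v < fixed.
ADVISORIES = [
    {"pkg": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2", "id": "ADV-PLACEHOLDER-1"},
    {"pkg": "otherlib", "introduced": "0.0.0", "fixed": "2.0.0", "id": "ADV-PLACEHOLDER-2"},
]

# Constructed lock file, as the job would read it from the repository checkout.
SAMPLE_REQUIREMENTS = """\
examplelib==1.3.0   # affected: 1.0.0 <= 1.3.0 < 1.4.2
otherlib==2.0.1     # fixed in 2.0.0, so clean
safelib==0.9.1      # no advisory at all
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*(\d+(?:\.\d+)*)\s*(?:#.*)?$")

def parse_version(text):
    """'1.4.2' -> (1, 4, 2): compare numerically, so 1.10 > 1.9 as it should."""
    return tuple(int(part) for part in text.split("."))

def parse_pins(requirements):
    """Return [(name, version)] for pinned lines; comments and blanks are skipped."""
    pins = []
    for line in requirements.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins

def find_vulnerable(pins, advisories=ADVISORIES):
    """Match each pin against advisories for the same package by version range."""
    findings = []
    for name, version in pins:
        v = parse_version(version)
        for adv in advisories:
            if adv["pkg"] == name and parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append((name, version, adv["id"], adv["fixed"]))
    return findings

if __name__ == "__main__":
    results = find_vulnerable(parse_pins(SAMPLE_REQUIREMENTS))
    for name, ver, adv_id, fixed in results:
        print(f"{name}=={ver} affected by {adv_id}; upgrade to >= {fixed}")
    sys.exit(1 if results else 0)  # a non-zero exit fails the GitLab CI job
```

Comparing versions as integer tuples rather than strings is the detail that matters most here: a string comparison would rank 1.10.0 below 1.9.3 and silently miss a fix.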
