
I notice that although we have many tools for security tests (SAST, SCA), I couldn't find an open source project on GitHub that implements those tests. I've searched Google's, Mozilla's, OWASP's and other big companies' repositories; some of them use Dependabot, but none of them implements security tests in the CI/CD (pull request) flow.

I don't think these companies don't implement any type of security tests in their internal code repositories. So, is there any reason they don't do the same with open source projects? Why?

I thought that testing the code in the CI/CD flow was a good security practice, so what are the best practices in security for open source projects?

  • I took the liberty of trying to amend the question in order to salvage it. The topic is interesting, but the question, the way it was asked, does not meet Security SE guidelines. You should ask more objective questions. If you do have a project you want to publish, you can ask for specific pipeline implementations. Commented Oct 27, 2021 at 21:36
  • And as a partial answer, Docker Hub integrates with Snyk, which provides dependency checks. You could integrate with SonarCloud for open source projects to perform SAST in the CI/CD pipeline. Commented Oct 27, 2021 at 21:37
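As a concrete illustration of the pipeline the comment above sketches (SAST plus a dependency check gated on pull requests), here is an added GitHub Actions workflow. It is example configuration written for this page, not part of the original question or comments, and it uses GitHub's own CodeQL and dependency-review actions rather than Snyk or SonarCloud; that tool choice, the `javascript-typescript` language list, the `main` branch name and the `high` severity threshold are assumptions to adapt to a real project.

```yaml
# .github/workflows/security.yml
# Added example workflow (not from the original question or comments).
# Assumes a GitHub-hosted repository whose default branch is "main" and
# whose code is JavaScript/TypeScript; adjust "languages" for other stacks.
name: security-checks

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    # Weekly run so newly published advisories surface even without code changes.
    - cron: "0 6 * * 1"

# Least-privilege token: read the code, write only the SARIF findings
# that populate the repository's Security tab.
permissions:
  contents: read
  security-events: write
  pull-requests: read

jobs:
  sast:
    name: SAST (CodeQL)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      # Runs the CodeQL queries and uploads results; findings appear as
      # code-scanning alerts on the pull request.
      - uses: github/codeql-action/analyze@v3

  sca:
    name: SCA (dependency review)
    runs-on: ubuntu-latest
    # Dependency review compares the PR's manifest/lockfile changes against
    # the base branch, so it only makes sense on pull_request events.
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      # Fails the check when a dependency introduced by the PR carries a
      # known advisory at or above the chosen severity.
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
```

Both jobs run on every pull request, so a contributor sees SAST findings and vulnerable-dependency introductions as failed checks before merge; marking the jobs as required status checks in branch protection is what actually blocks the merge. Pairing this with a Dependabot configuration (the mechanism the question already notes some projects use) covers the remaining case of advisories published against dependencies that are already in the tree.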
