❓ What question are we asking?
- What additional scanning and auditing tools should be integrated into Scaf to close security coverage gaps across all codebases and infrastructure, beyond our current use of Dependabot and Bandit?
- Can Trivy be substituted for Bandit?
Trufflehog: https://trufflesecurity.com/trufflehog
Trivy: https://trivy.dev/latest/docs/
🎯 What is the scope?
Review existing security scanning coverage in Scaf:
- Dependabot – dependency version scanning only.
- Bandit – Python code scanning only.
Possible coverage gaps:
- Projects without Dependabot enabled.
- Repos hosted in other organizations.
- Front-end code scanning.
- Terraform/IaC code scanning.
Evaluate additional tools for coverage expansion:
- Trufflehog – secrets scanning across FE, BE, git history, cloud storage, containers, and more.
- Trivy – vulnerability (CVE) and misconfiguration scanning across code repos, container images, Kubernetes clusters, and more.
Test proposed tools on an existing project to determine integration options and configuration needs.
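One way to make that test repeatable is a small CI gate that reads the JSON output of both tools and fails on HIGH/CRITICAL Trivy findings or any verified Trufflehog secret. This is an added example, not Scaf's code and not part of either tool; the two sample reports are constructed, and the field names (`Results`, `Vulnerabilities`, `Misconfigurations`, `DetectorName`, `Verified`, `SourceMetadata`) are assumed from the tools' JSON formats.

```python
import json

# Constructed sample of a Trivy JSON report (trivy fs --format json). Field names
# follow Trivy's report schema as I know it; treat them as an assumption.
TRIVY_REPORT = json.loads("""
{"Results": [
  {"Target": "requirements.txt", "Type": "pip", "Vulnerabilities": [
     {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "examplelib", "Severity": "HIGH"},
     {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "otherlib", "Severity": "LOW"}]},
  {"Target": "terraform/main.tf", "Type": "terraform", "Misconfigurations": [
     {"ID": "EXAMPLE-TF-001", "Title": "Bucket is public", "Severity": "CRITICAL"}]}
]}""")

# Constructed sample of Trufflehog line-delimited JSON (trufflehog ... --json);
# DetectorName / Verified / SourceMetadata are assumed field names.
TRUFFLEHOG_LINES = [
    '{"DetectorName": "AWS", "Verified": true, "SourceMetadata": '
    '{"Data": {"Git": {"file": "src/settings.py", "commit": "deadbeef"}}}}',
    '{"DetectorName": "Generic", "Verified": false, "SourceMetadata": '
    '{"Data": {"Git": {"file": "README.md", "commit": "cafef00d"}}}}',
]

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}

def trivy_findings(report):
    """Flatten CVEs and misconfigurations to (kind, target, id, severity)."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append(("vuln", result["Target"], v["VulnerabilityID"], v["Severity"]))
        for m in result.get("Misconfigurations") or []:
            out.append(("misconfig", result["Target"], m["ID"], m["Severity"]))
    return out

def verified_secrets(lines):
    """Keep only verified secrets as (detector, file, commit); unverified hits are noise."""
    out = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Verified"):
            git = rec.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
            out.append((rec["DetectorName"], git.get("file"), git.get("commit")))
    return out

def gate(report, secret_lines):
    """Fail the build on any HIGH/CRITICAL Trivy finding or any verified secret."""
    blocking = [f for f in trivy_findings(report) if f[3] in BLOCKING_SEVERITIES]
    secrets = verified_secrets(secret_lines)
    return (not blocking and not secrets), blocking, secrets
```

Wire `gate(...)` to the process exit code in the pipeline step that follows the two scanners; the returned `blocking` and `secrets` lists are what to paste into the report-back issue.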
⏰ How long do we have to find an answer?
4 hours
📒 Where are we logging our findings?
Report back in issue
📝 Additional context
No response
🕸️ Dependencies (Optional)
No response