AniNIX/Maat
1
0
Fork 0
Code Issues 4 Pull Requests 1 Releases Wiki Activity

Add SAST/DAST into the testing pipeline #5

New Issue
Open
opened 2023-02-22 22:17:42 -06:00 by DarkFeather · 2 comments
DarkFeather commented 2023-02-22 22:17:42 -06:00
Owner
Copy Link

We should add SAST as part of a universal testing framework on all packages prior to delivery. semgrep is a freeware option already in the AUR.

We should also consider adding some kind of DAST pipeline with ossf/package-analysis, though this will require including a Docker environment for testing.

SAST should get implemented first, and then DAST can follow.

We should add SAST as part of a universal testing framework on all packages prior to delivery. [semgrep](https://aur.archlinux.org/packages/semgrep-bin) is a freeware option already in the AUR. We should also consider adding some kind of DAST pipeline with [ossf/package-analysis](https://github.com/ossf/package-analysis), though this will require including a Docker environment for testing. SAST should get implemented first, and then DAST can follow.
DarkFeather commented 2023-11-09 13:24:52 -06:00
Author
Owner
Copy Link

This replaces AniNIX/Wiki#4.

Potential tools:

This replaces AniNIX/Wiki#4. Potential tools: * [Bandit](https://pypi.org/project/bandit/) for SAST * [Zed Attack Proxy](https://www.zaproxy.org/) for DAST * [DefectDojo](https://github.com/DefectDojo/django-DefectDojo)
DarkFeather commented 2026-05-01 12:49:57 -05:00
Author
Owner
Copy Link

I think we'll opt for semgrep + bandit as the SAST pair -- maat will be modified to run semgrep scan and include both as dependencies on the package. We'll introduce a new column on the Maat landing page with scan results. If a .bandit file exists, we'll also run the bandit test battery on the included files. Pass/fail will be based on the number of findings from both tools.

We'll just integrate a ZAP workflow into ongoing pentests -- I don't see the value in burning the compute cycles on ongoing DAST testing on production services. Perhaps another project will fork some automation of our pentests.

I think we'll opt for semgrep + bandit as the SAST pair -- `maat` will be modified to run `semgrep scan` and include both as dependencies on the package. We'll introduce a new column on the Maat landing page with scan results. If a `.bandit` file exists, we'll also run the bandit test battery on the included files. Pass/fail will be based on the number of findings from both tools. We'll just integrate a ZAP workflow into ongoing pentests -- I don't see the value in burning the compute cycles on ongoing DAST testing on production services. Perhaps another project will fork some automation of our pentests.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Blocked
There are functional or technical reasons this can't be implemented yet
 Duplicate
Another issue or PR already describes this issue
 On-hold
Evaluated but not enough resources to complete now
 Peer-review
Being reviewed for quality prior to merge
 RFC
More information and feedback is needed
 Wontfix
Not a bug -- way it works
Blocked
There are functional or technical reasons this can't be implemented yet
 Duplicate
Another issue or PR already describes this issue
 In-progress
Being worked.
 On-hold
Evaluated but not enough resources to complete now
 Peer-review
Being reviewed for quality prior to merge
 RFC
More information and feedback is needed
 Wontfix
Not a bug -- way it works
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
DarkFeather
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: AniNIX/Maat#5
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?