
FEA403 - Regularly scan for known security vulnerabilities

Feature ID: FEA403
Subsystem the feature is part of: EP04 - Security and Authentication
Responsible person: DEV/SEC
Status: Done

Description

The goal of this feature is to scan the codebase and its dependencies for known security vulnerabilities in an automated way, e.g. as a stage in the CI/CD pipeline, so that findings are reported on every run rather than relying on manual checks.

ID              Description
FUNC-REQ-C0005  Implement security scanning within a pipeline

Preliminary user stories

  • US017 As a developer, I want to regularly scan the codebase and dependencies for known security vulnerabilities and address them promptly. Check for known CVEs. #74
  • US019 As a developer, I want to have an automated security testing pipeline that detects and reports security issues during the development process. #75

User interface mock-up

The following picture shows the pipeline stages. The security scanning was added to the existing pipeline script. The type of scanning implemented is SAST (static application security testing), i.e. the source code is analysed without running the application. The projects normally use a GitLab runner set up in CSC Pouta; the security scanning is run on a shared runner instead. The runner that executes a job is chosen by adding the runner's tag to that pipeline stage, so the SAST jobs can be routed to the shared runner while the other stages keep using the Pouta runner.
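As an added example (not the project's own pipeline script), the excerpt below shows how the setup described above looks in a `.gitlab-ci.yml`: GitLab's managed SAST template is included, and the template's base `sast` job is overridden with a `tags:` key so that every analyzer job derived from it runs on the shared runner, while a regular build job stays on the project's Pouta runner. The tag names `shared-sast` and `pouta`, the stage names and the build job are assumptions for illustration; the template name, the `sast` job and the `SAST_EXCLUDED_PATHS` variable are GitLab's.

```yaml
# .gitlab-ci.yml (excerpt) -- illustrative example, not the project's real pipeline.
# Assumptions: the pipeline already has build/test/deploy stages, the shared
# runner is registered with the tag "shared-sast" and the project's own
# CSC Pouta runner with the tag "pouta" (both tag names are hypothetical).

stages:
  - build
  - test
  - deploy

include:
  # GitLab's managed SAST template. It selects analyzers for the languages
  # it detects in the repository and uploads gl-sast-report.json as a
  # "sast" report artifact, which is what feeds Secure -> Vulnerability report.
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Paths the analyzers should skip (test code, temp dirs, vendored deps).
  # Findings in these paths would only be noise in the vulnerability report.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, node_modules"

# The template's analyzer jobs extend the base "sast" job, so keys added here
# are inherited by all of them. Adding tags routes the scanning to the shared
# runner; the base job itself never runs (the template sets it to "when: never").
sast:
  stage: test
  tags:
    - shared-sast

# A normal job of the project, kept on the Pouta runner via its tag
# (hypothetical job, shown only for contrast with the SAST jobs).
build-job:
  stage: build
  tags:
    - pouta
  script:
    - echo "build the project here"
```

Two caveats worth knowing when checking the result: the analyzer jobs are marked `allow_failure: true` by the template, so a finding does not by itself turn the pipeline red, and the Vulnerability report is populated from pipelines on the default branch, so a scan run on a feature branch shows its findings in the merge request widget rather than in the project-level report.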

The scanning results can be seen in the individual frontend and backend projects in GitLab under Secure -> Vulnerability report, which is populated from the SAST report artifact of the default branch pipeline.

Testing / possible acceptance criteria

Testcase    Test source  Responsible
Testcase 1  C0005        DEV