Make nancy scan something vulnerable as part of CI #110
Labels
Comments
|
I can give this a shot. :-) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What are you trying to do?
We have this project here https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project. That we created as part of digging into "intentionally-vulnerable-golang-project" Not showing vulnerabilities #107 we found that it was no longer correct and a validate example. We should probably make nancy and it a little more integrated.
What feature or behavior is this required for?
Make sure nancy doesn't break and is actually picking up vulns and keep our test project up to date when we need to.
How could we solve this issue? (Not knowing is okay!)
Initial though is to wire up nancy to scan this repo at CI time and make sure that vulns are actually being reported.
intentionally-vulnerable-golang-project does have a script already that runs nancy against it.
https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project/blob/master/build.sh
So we could look at modifying that but it living in nancy repo??
Or maybe we move the whole project into nancy repo??
Or maybe we just trigger that build and use latest nancy version after??
Idk .... dealers choice really.
¯_(ツ)_/¯
cc @bhamail / @DarthHater
The text was updated successfully, but these errors were encountered: