forked from packit/packit.dev
Create blogpost about OpenScanHub prototype
Related to packit#899
1 parent 75575ac, commit 1932f59
Showing 2 changed files with 70 additions and 0 deletions.
@@ -0,0 +1,70 @@ | ||
--- | ||
title: "SAST using OpenScanHub is here!" | ||
date: 2024-07-30T08:46:18+02:00 | ||
authors: lbarczio | ||
tags: | ||
- copr | ||
- srpm | ||
- sast | ||
- openscanhub | ||
--- | ||
|
||
We are excited to announce a new experimental feature in our service: the integration of Static | ||
Application Security Testing (SAST) using [OpenScanHub](https://openscanhub.fedoraproject.org/). | ||
|
||
OpenScanHub is a service that runs various static analyzers on RPM packages - by default `Cppcheck`, | ||
`ShellCheck`, the static analyzers embedded in `GCC` and `Clang`, and the `find-unicode-control` tool. | ||
|
||
Let's have a look at the functionality we are bringing with this! | ||
|
||
<!--truncate--> | ||
|
||
## Functionality | ||
|
||
This functionality is designed to enhance software security and reliability by automatically | ||
scanning for vulnerabilities and issues in code submitted through pull requests. | ||
It is controlled using the configuration option | ||
[`osh_diff_scan_after_copr_build`](/docs/configuration#osh_diff_scan_after_copr_build), | ||
which is currently set to `true` by default. | ||
However, even with this option enabled, the differential scanning feature in OpenScanHub | ||
will only run for users who have also configured Copr builds with the `trigger: commit` | ||
setting and have matching target branches in their pull request and job configurations. | ||
This setup is crucial as it allows Packit to access the base build necessary for differential | ||
scanning, leading to more precise detection of issues introduced by the pull request. | ||
|
||
To utilise this feature, you must ensure that Copr builds for commits are configured, | ||
along with Copr builds for pull requests, both set to run for `fedora-rawhide-x86_64`. | ||
If you haven't enabled Copr builds for commits yet, you can add the following job | ||
configuration to the `jobs` section in your Packit configuration: | ||
|
||
```yaml | ||
- job: copr_build | ||
trigger: commit | ||
branch: main | ||
targets: | ||
- fedora-rawhide | ||
``` | ||
This configuration assumes that pull requests are typically merged into the `main` branch. | ||
It can be further tweaked to preserve the Copr project (and not create a temporary one, | ||
see more details [here](https://packit.dev/docs/configuration/upstream/copr_build#optional-parameters)) | ||
or use a custom Copr project in your Copr namespace (more details | ||
[here](https://packit.dev/docs/configuration/upstream/copr_build#using-a-custom-copr-project)). | ||
|
||
Here is an example of a scan showing some new findings: | ||
|
||
![Example findings](openscanhub-findings.png) | ||
|
||
:::tip | ||
|
||
Besides this newly introduced integration with Packit Service, you can also submit scans locally using Packit CLI, | ||
see more details in [docs](/docs/cli/scan-in-osh). | ||
|
||
::: | ||
|
||
## Conclusion | ||
|
||
As this is an initial prototype, the configuration and functionality may evolve based on user feedback | ||
(e.g. reporting the actual results of a scan). | ||
We invite you to try out this feature and [share your thoughts](/#contact) with us. | ||
For more information on setting up this feature, see the info above. |
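Review bot: the prose right before the YAML snippet says both Copr jobs must run for `fedora-rawhide-x86_64`, but the `copr_build` example lists `targets: - fedora-rawhide`; because the differential scan only runs when Packit can find a base build for the same target as the pull-request job, either use one spelling in both places or add a sentence saying how the two names relate, so a reader who copies the snippet is not left guessing whether the base build will match. Minor points in the same hunk: add a blank line after the closing ``` before "This configuration assumes that pull requests..." so the fence and the paragraph render as separate blocks, the closing sentence "For more information on setting up this feature, see the info above." would be more useful as a link to the `osh_diff_scan_after_copr_build` configuration docs already referenced earlier, and "utilise" next to "analyzers" mixes British and American spelling.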