
Adding SAST/Secret-Detection/Dependency Scanning to .gitlab-ci.yml to provide output to your security & compliance section.

Eric Rosenberg requested to merge ericrosenberg88/apparmor:patch-1 into master

Adding SAST/Secret-Detection/Dependency Scanning to .gitlab-ci.yml to provide output to your security & compliance section.

The information for these scans can be found at: https://docs.gitlab.com/ee/user/application_security/sast/#configuration

I ran these on a copy of your project and found a few things that I believe would be beneficial for your team to look into.

One vulnerability that stands out after running these scans would be: subprocess call with shell=True identified, security issue.

I found some documentation on this to help solve this: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments -- which to my knowledge, the best recommendation would be to change the code from shell=True to shell=False. I would recommend reading the documentation before making changes to be sure this will not disrupt your workflow.
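For reference, the pattern behind the "subprocess call with shell=True" finding and the shell=False fix the description recommends, as an added Python 3 example that is not code from the apparmor project or from this merge request; the argument value is constructed and the child process is just the interpreter echoing its first argument.

```python
"""Added example: the SAST-flagged shell=True pattern beside its shell=False fix."""
import subprocess
import sys

# Constructed sample: a user-controlled value that carries shell metacharacters.
HOSTILE_ARG = "report.txt; echo INJECTED"

# Child program used by both variants: print the first argument it received.
CHILD = "import sys; print(sys.argv[1])"


def run_with_shell(user_arg: str) -> str:
    """The flagged pattern: user_arg is spliced into one command string that a
    shell parses, so any ';', '|' or '$(...)' in it alters what actually runs.
    Kept here only for contrast with the fixed version below."""
    cmd = f"{sys.executable} -c '{CHILD}' {user_arg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(user_arg: str) -> str:
    """The fix: pass an argv list and leave shell at its default of False.
    No shell is involved, so user_arg reaches the child as one literal argument
    no matter which characters it contains."""
    argv = [sys.executable, "-c", CHILD, user_arg]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def is_literal_roundtrip(user_arg: str) -> bool:
    """True when the shell-free call delivered user_arg to the child unchanged."""
    return run_without_shell(user_arg) == user_arg + "\n"


if __name__ == "__main__":
    # Same benign input: both variants agree.
    print("benign, shell=True :", repr(run_with_shell("report.txt")))
    print("benign, shell=False:", repr(run_without_shell("report.txt")))
    # Metacharacters: only the shell=False variant keeps the value intact.
    print("hostile, shell=False:", repr(run_without_shell(HOSTILE_ARG)))
    print("intact:", is_literal_roundtrip(HOSTILE_ARG))
```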
