Use SourceClear to perform security audits during CI/CD
Description
SourceClear provides a CLI agent that performs security analysis of source code, looking for usage of vulnerable open-source libraries, based on a remote database containing both public and private data. It then creates a report about the security threats found.
This is well suited to running in CI/CD jobs as part of the SAST process.
Even better, they are considering open-sourcing the agent and allowing scans against public vulnerabilities (CVE based) for free. A premium subscription will be available to also check private records, and to build a call graph in order to see whether the vulnerable code in the library is actually used (to reduce false positive matches).
Proposal
Include the SourceClear agent as part of SAST and Auto DevOps. The open-source agent can be run against the free database for any customer, without requiring a subscription.
If the customer has a SourceClear subscription (API key), we can make it easy to provide it (via a secret variable) and "enable" the premium version of the service without any additional change.
Notes
- The agent relies on an external database service, provided as SaaS
- The agent doesn't send the source code to the central database, only checks for matches
- An on-prem version of the SourceClear database is available for customers
- The agent will probably be rewritten in Go (it is currently Java) and provided as a public Docker image
- The agent can download additional "modules" (proprietary) to allow premium features like call graph analysis
- By default the report is sent to the remote SaaS, but it can be disabled and kept locally
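The following script is an added example, not code from this proposal or from SourceClear, sketching how a CI job could implement the two points above: the premium mode switches on purely through the presence of a secret variable holding the API key (Proposal section), and the report upload to the SaaS can be turned off so the report stays in the job (last note). The agent name `srcclr`, the variable name `SRCCLR_API_TOKEN`, and the `--json` / `--no-upload` flags are assumptions standing in for whatever the agent actually accepts.

```shell
#!/bin/sh
# Added example (not from the proposal or from SourceClear).
# Decides between the free (public CVE) scan and the premium scan based only
# on whether the CI runner injected a secret variable with the API key, and
# optionally keeps the report local instead of sending it to the SaaS.
# "srcclr", SRCCLR_API_TOKEN, "--json" and "--no-upload" are assumed names.

# scan_mode TOKEN -> "premium" when a non-empty API key is available, else "free"
scan_mode() {
  if [ -n "$1" ]; then
    printf 'premium\n'
  else
    printf 'free\n'
  fi
}

# scan_command KEEP_LOCAL -> the command line for the scan.
# The API key is deliberately NOT placed on the command line: the agent is
# expected to read it from the environment, so it never appears in the job
# log or in the process list.
scan_command() {
  cmd="srcclr scan --json"
  if [ "$1" = "1" ]; then
    # keep the report inside the job instead of uploading it (assumed flag)
    cmd="$cmd --no-upload"
  fi
  printf '%s\n' "$cmd"
}

# masked TOKEN -> the only thing about the key that may be written to the log
masked() {
  if [ -n "$1" ]; then
    printf 'SRCCLR_API_TOKEN=<set, %d chars>\n' "${#1}"
  else
    printf 'SRCCLR_API_TOKEN=<unset>\n'
  fi
}

# run_scan: what the CI `script:` section would do. Reads the secret variable
# provided by the runner, never prints its value, logs only the mode, and
# builds the command. KEEP_REPORT_LOCAL=1 disables the upload.
run_scan() {
  token="${SRCCLR_API_TOKEN:-}"
  mode=$(scan_mode "$token")
  echo "SourceClear scan mode: $mode ($(masked "$token"))"
  cmd=$(scan_command "${KEEP_REPORT_LOCAL:-0}")
  echo "+ $cmd"
  # In a real job the next line would run the agent:
  # SRCCLR_API_TOKEN="$token" $cmd
}

# Demo with constructed values when executed directly: ./scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
  KEEP_REPORT_LOCAL=1 run_scan
fi
```

Because no CI configuration differs between the two modes, a customer upgrades simply by adding the secret variable to the project; removing it falls back to the free scan. Logging only a masked marker keeps the key out of job output that may be shared or retained.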