Dependency Scanning

GitHub DevSecOps Part 3: Software Composition Analysis with Dependabot and CRDA

19 January 2023·5 mins

DevSecOps GitHub CI/CD DevOps SCA Software Composition Analysis Dependency Scanning Vulnerability Management Dependabot

GitHub does not ship a default SCA tool the way GitLab does. You have to combine two things: a platform feature called Dependabot and an SCA action from the Marketplace. In Part 3 of the GitHub DevSecOps series, Patrick Steger and I wire both into our pipeline — and find out the hard way that the Marketplace path is not as smooth as the slides suggest.

GitLab DevSecOps Part 3: Software Composition Analysis with Gemnasium

17 August 2022·5 mins

DevSecOps GitLab CI/CD DevOps SCA Software Composition Analysis Dependency Scanning Vulnerability Management Gemnasium

Your code is the small part. The libraries you pull in are the big part — and that is where most of your CVEs live. In Part 3 of the GitLab DevSecOps series, Patrick Steger and I bring up a tiny Spring Boot demo, wire it into a GitLab pipeline, and then add Software Composition Analysis with a single include line.

↑