https://romanoroth.com/en/tags/dependency-scanning/Recent content in Dependency Scanning on Romano RothHugo -- gohugo.ioenRomano RothThu, 19 Jan 2023 00:00:00 +0000https://romanoroth.com/en/blogs/github-devsecops-sca/Thu, 19 Jan 2023 00:00:00 +0000https://romanoroth.com/en/blogs/github-devsecops-sca/<p>GitHub does not ship a default SCA tool the way GitLab does. You have to combine two things: a platform feature called Dependabot and an SCA action from the Marketplace. In Part 3 of the GitHub DevSecOps series, Patrick Steger and I wire both into our pipeline — and find out the hard way that the Marketplace path is not as smooth as the slides suggest.</p>https://romanoroth.com/en/blogs/gitlab-devsecops-sca/Wed, 17 Aug 2022 00:00:00 +0000https://romanoroth.com/en/blogs/gitlab-devsecops-sca/<p>Your code is the small part. The libraries you pull in are the big part — and that is where most of your CVEs live. In Part 3 of the GitLab DevSecOps series, Patrick Steger and I bring up a tiny Spring Boot demo, wire it into a GitLab pipeline, and then add Software Composition Analysis with a single include line.</p>