Sean (Sep 01 2020 at 17:36): Sean (Sep 01 2020 at 17:36):Just FYI, I enabled github security auditing on all repos and it instantly kicked back a couple dozen reports on ogv, benchmark, and other existing repos. In case anyone was wondering why that suddenly happened, that's why.
starseeker (Sep 01 2020 at 17:37):Is that auditing for web security issues? Or is it also doing clang static analyzer style analysis?
Sean (Sep 01 2020 at 17:37):Unrelated, but I also enabled a new cronjob on the server that pings the webserver every couple minutes to make sure it's running and responsive (and reset if it's not).
Sean (Sep 01 2020 at 17:38):starseeker said:
Is that auditing for web security issues? Or is it also doing clang static analyzer style analysis?
I believe they do a simple BOM analysis.
starseeker (Sep 01 2020 at 17:39):OK, cool. Figured the static analyzer would be too much for them to just turn on.
Sean (Sep 01 2020 at 17:39):web projects nearly all use BOM manifests, so it's primarily going to report on web security issues. in theory, it may support C/C++ reporting if we provide a recognized BOM.
Sean (Sep 01 2020 at 17:40):yeah, it's not anything fancy like that. they're looking for files like packages.json, seeing a line like "ajax >= 4.5" and matching it against a vulnerability database (e.g., ajax 4.7 is busted, so recommend upgrading to "ajax >=4.8")
Sean (Sep 01 2020 at 17:41):in theory, we could itemize all external deps and get auto-notified when png, zlib, tcl/tk, etc have an issue
Erik (Sep 07 2020 at 12:23):ships is pretty easy to set up and, has a whole set of handy checks (recommend nope to a second watchdog machine, as well)
Erik (Sep 07 2020 at 12:24):nah, autocorrect, nagios
Last updated: Oct 09 2024 at 00:44 UTC