
We have used both Dependabot and Snyk to detect vulnerabilities in our GitHub-hosted code repositories, but they only support some (NodeJS, Java, JavaScript, Kotlin and Swift) of the languages we are currently working in, so the question here is what kind of tool for such tasks we should consider for Rust (cargo.toml) or Elixir (mix.exs), if one exists for those.

Jonathan Gruber
gvasquez
  • Have you looked at https://github.com/nccgroup/sobelow ? – Everett Jun 19 '20 at 19:50
  • Very good repo @Everett, but that tool is to be invoked manually (or in a CI/CD environment), and what I'm looking for is something that actually analyzes our GitHub repos either as a whole Organization, or commit-based as actions, and creates the proper PRs if possible. Maybe I wasn't 100% clear/accurate in the initial description, but that's what both Snyk and Dependabot do. – gvasquez Jun 19 '20 at 20:06
  • Gotcha. I don't know what the restrictions are on how other apps run within the GitHub ecosystem. Sometimes an intermediary app is required to run tools like that. – Everett Jun 20 '20 at 02:27

1 Answer

1/ Dependabot does now support Rust and Elixir.

what I'm looking is something that actually analyzes our GitHub repos either as a whole Organization

2/ Since July 2020

Enable Dependabot, dependency graph, and other security features across your organization

You can now enable or disable the dependency graph, Dependabot alerts, Dependabot security updates, and secret scanning for all repositories in an organization with one click. You can also set whether each feature will be enabled or disabled for newly-created repositories.
Look for the "Security & analysis" tab in your organization settings page and on your user settings page.

In addition, we've consolidated the repository-level settings for dependency graph, Dependabot alerts, Dependabot security updates, and secret scanning to a "Security & analysis" tab in the repository settings page.

Learn more in the docs

VonC
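To show what the Rust and Elixir support mentioned in the answer looks like in practice, here is an added example of a Dependabot version-updates configuration (not from the question or answer, and not GitHub's own documentation); it assumes Cargo.toml and mix.exs both sit in the repository root, and that the two projects live in the same repository.

```yaml
# .github/dependabot.yml  (constructed example; paths and schedule are assumptions)
version: 2
updates:
  # Rust: Dependabot reads Cargo.toml / Cargo.lock under "directory"
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    # cap the number of open version-update PRs so the queue stays reviewable
    open-pull-requests-limit: 5

  # Elixir: Dependabot reads mix.exs / mix.lock under "directory"
  - package-ecosystem: "mix"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
```

This file drives scheduled version-update PRs only; the Dependabot alerts and security-update PRs the answer refers to are switched on per repository or organization under the "Security & analysis" settings, not in this file.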