Integrate OWASP scan tools in OSDU pipeline
Following up on recent discussions, there is a need to include OWASP scan tools in the OSDU pipeline so that the check runs at MR level.
Quote from issue 44's comment as below:
We need to include OWASP testing tools into our pipeline to catch this proactively. @divido @ChrisZhang - please review this and check if this is viable:
- We can include a SAST tool like Github's LGTM in our build portion of the pipeline. It is free for open-source projects and you can find details here - https://semmle.com/lgtm
- Once the CD portion runs in the pipeline, we can also run DAST tool on the runtime endpoint using something like ZA Proxy. You can find the details here - https://www.zaproxy.org/docs/automate/
The results of the scans from LGTM and ZA Proxy can then decide if the build is an overall success or failure - allowing us to catch OWASP issues early and continuously. Please explore and comment.
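As an added example (not code from the issue or the OSDU project), this is the gating step the comment describes for the DAST half: a script that reads the JSON report written by ZAP's baseline scan and turns it into a pass/fail exit code for the MR pipeline. It assumes the CD stage already ran `zap-baseline.py -t "$ENDPOINT" -J zap-report.json`, and the threshold policy and the sample report are assumptions constructed for illustration.

```python
"""Merge-request gate over a ZAP baseline scan JSON report (added example)."""
import json
import sys
from collections import Counter

# ZAP encodes alert severity as a string riskcode: 0 info, 1 low, 2 medium, 3 high.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
# Gate policy (an assumption for this example): any High fails the build,
# and more than MAX_MEDIUM Medium alerts also fails it.
MAX_MEDIUM = 0


def count_risks(report):
    """Count alerts per riskcode across every site section of a ZAP JSON report."""
    counts = Counter()
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            counts[int(alert["riskcode"])] += 1
    return counts


def gate(report, max_medium=MAX_MEDIUM):
    """Return (passed, reasons); reasons lists why the gate failed, if it did."""
    counts = count_risks(report)
    reasons = []
    if counts[3]:
        reasons.append(f"{counts[3]} High-risk alert(s)")
    if counts[2] > max_medium:
        reasons.append(f"{counts[2]} Medium-risk alert(s) exceeds limit of {max_medium}")
    return (not reasons, reasons)


# Constructed sample in ZAP's JSON report layout; not output from a real scan.
SAMPLE_REPORT = {
    "@version": "2.9.0",
    "site": [{
        "@name": "http://app.example.invalid",
        "alerts": [
            {"name": "X-Frame-Options Header Not Set", "riskcode": "2", "confidence": "2"},
            {"name": "Server Leaks Version Information", "riskcode": "1", "confidence": "3"},
            {"name": "Cookie Without Secure Flag", "riskcode": "1", "confidence": "2"},
        ],
    }],
}


def main(path=None):
    """Load the report (or fall back to the sample), print a summary, return the exit code."""
    report = SAMPLE_REPORT if path is None else json.load(open(path))
    for code, n in sorted(count_risks(report).items(), reverse=True):
        print(f"{RISK_NAMES[code]}: {n}")
    passed, reasons = gate(report)
    print("PASS" if passed else "FAIL: " + "; ".join(reasons))
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

A non-zero exit from this job is what marks the MR pipeline failed; the SAST half (LGTM) would feed the same decision from the build stage.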