Integrate OWASP scan tools in OSDU pipeline
Following up on recent discussions, there is a need to include OWASP scan tools in the OSDU pipeline so that the check runs at MR level.
Quote from the comment on issue 44:
- We can include a SAST tool like Github's LGTM in our build portion of the pipeline. It is free for open-source projects and you can find details here - https://semmle.com/lgtm
- Once the CD portion runs in the pipeline, we can also run a DAST tool on the runtime endpoint using something like ZA Proxy. You can find the details here - https://www.zaproxy.org/docs/automate/
The results of the scans from LGTM and ZA Proxy can then decide if the build is an overall success or failure - allowing us to catch OWASP issues early and continuously. Please explore and comment.
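As an added example (not code from the issue or the OSDU project), a small Python gate that reads a ZAP JSON report, such as the one `zap-baseline.py -J` writes after the DAST stage, and decides whether the MR build passes. The field names (`site`, `alerts`, `riskcode`, `confidence`, `instances`) follow the ZAP JSON report format as I know it, the sample report is constructed, and the risk/confidence thresholds are assumptions to be tuned per service.

```python
import json
import sys
from typing import Dict, List, Tuple

# ZAP riskcode values: 0=Informational, 1=Low, 2=Medium, 3=High (assumed schema).
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report in the shape of a ZAP JSON report (not real scan output).
SAMPLE_REPORT = json.loads("""
{
  "@version": "2.x",
  "site": [{
    "@name": "https://osdu.example.test",
    "alerts": [
      {"name": "X-Content-Type-Options Header Missing", "riskcode": "1",
       "confidence": "2", "instances": [{"uri": "https://osdu.example.test/api/"}]},
      {"name": "Cross Site Scripting (Reflected)", "riskcode": "3",
       "confidence": "2", "instances": [{"uri": "https://osdu.example.test/search?q=x"}]},
      {"name": "Information Disclosure - Debug Error Messages", "riskcode": "2",
       "confidence": "1", "instances": [{"uri": "https://osdu.example.test/api/"}]}
    ]
  }]
}
""")


def gate_zap_report(report: Dict, fail_at: int = 2, min_confidence: int = 2) -> Tuple[bool, List[str]]:
    """Return (build_passes, blocking_findings).

    A finding blocks the merge when riskcode >= fail_at AND confidence >= min_confidence,
    so a low-confidence Medium finding is reported but does not fail the build on its own.
    """
    blocking: List[str] = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            conf = int(alert.get("confidence", 0))
            if risk >= fail_at and conf >= min_confidence:
                uris = sorted({inst.get("uri", "?") for inst in alert.get("instances", [])})
                blocking.append(f"[{RISK_NAMES.get(risk, risk)}] {alert['name']} at {', '.join(uris)}")
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    # Usage in a pipeline job: python zap_gate.py report.json ; a non-zero exit fails the job.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, findings = gate_zap_report(report)
    print("\n".join(findings) or "No blocking findings")
    sys.exit(0 if passed else 1)
```

The same exit-code convention lets the SAST stage's results be merged into one pass/fail decision for the MR.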