# security

We manage our software supply chain using an open-source stack.
## Software Bill of Materials

When building software, syft creates an SBOM of the newly built artefact. The SBOM records the names and versions of the packages and libraries found in that artefact. During regular builds the file is stored as a workflow artefact; when creating a release it is stored as a release artefact.
## Vulnerability scanning

grype scans the previously created SBOM for packages and libraries with known vulnerabilities. The result of this scan is stored as a workflow artefact and as a release artefact.

In the event of a finding with severity critical, this workflow fails.

Any findings are returned in a PR comment on GitHub. The comment carries a visual hint when any of the findings is of critical or high severity.

To ignore specific findings, either per package or by CVE identifier, consult the documentation available here. Ignores are configured by adding a configuration file to the security-gates repo.
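The gate described above, as an added example and not the workflow's own code: it reads a report in the shape of `grype -o json` output (a constructed sample is embedded, the real report is passed as a path), fails only on critical findings, and renders the PR comment with a marker at the top when any finding is critical or high. The exact comment layout and the `:red_circle:`/`:green_circle:` markers are assumptions; the page does not show what the real comment looks like.

```python
"""Severity gate over a grype JSON report (added example, not the page's workflow code)."""
import json
import sys

# Constructed sample in the shape of `grype -o json` output, trimmed to the fields the gate reads.
SAMPLE_GRYPE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["2.4.1"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "2.4.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "examplelib", "version": "1.0.3", "type": "java-archive"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "tinyutil", "version": "0.9", "type": "python"}},
    ]
})

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]
HINT_AT = {"Critical", "High"}   # severities that switch on the visual hint in the PR comment
FAIL_AT = {"Critical"}           # severities that fail the workflow (the page's policy)


def load_findings(report_json):
    """Flatten grype matches into (cve, severity, package, version, fixed_in) tuples, most severe first."""
    report = json.loads(report_json)
    findings = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        pkg = match["artifact"]
        fixed_in = ", ".join(vuln.get("fix", {}).get("versions", [])) or "-"
        findings.append((vuln["id"], vuln.get("severity", "Unknown"),
                         pkg["name"], pkg["version"], fixed_in))
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f[1])
                  if f[1] in SEVERITY_ORDER else len(SEVERITY_ORDER))
    return findings


def count_by_severity(findings):
    counts = {}
    for _, sev, *_ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def should_fail(findings):
    """True when at least one finding is at a severity that fails the build."""
    return any(sev in FAIL_AT for _, sev, *_ in findings)


def render_pr_comment(findings):
    """Markdown body for the PR comment; the first token is the visual hint (assumed layout)."""
    hint = any(sev in HINT_AT for sev in count_by_severity(findings))
    marker = ":red_circle:" if hint else ":green_circle:"
    lines = [f"{marker} Vulnerability scan: {len(findings)} finding(s)", "",
             "| Severity | CVE | Package | Version | Fixed in |",
             "|---|---|---|---|---|"]
    for cve, sev, name, version, fixed_in in findings:
        lines.append(f"| {sev} | {cve} | {name} | {version} | {fixed_in} |")
    return "\n".join(lines)


def main(path=None):
    """Print the comment and return the exit code the workflow step should use."""
    report_json = open(path).read() if path else SAMPLE_GRYPE_REPORT
    findings = load_findings(report_json)
    print(render_pr_comment(findings))
    return 1 if should_fail(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python gate.py grype.json` in the workflow step after the scan; a non-zero exit fails the step. Packages or CVEs suppressed through the grype ignore configuration never appear in the report, so they are invisible to this gate by construction.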
## Code analysis

During code builds, semgrep scans the code for weaknesses using its default ruleset. The results of this scan are attached as workflow and release artefacts.

In the event of a finding with level error, this workflow fails.

Any findings are displayed in a PR comment that annotates the flagged lines of code. Only code changed in the current PR is reported.

In the event of a false positive, consult the upstream documentation available here. It details how to add annotations that make semgrep ignore certain functions or specific lines of code.

Additional documentation:

- getting started - on how to run it using Docker
- extensions - on how to use it in JetBrains, VSCode, Vim or as a pre-commit hook
- supported languages - on what is supported beyond Java, Scala or JavaScript
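The code-analysis gate described above, as an added example and not the workflow's own code: it reads a report in the shape of `semgrep --json` output, drops findings that do not overlap a line changed in the current PR, fails on level `ERROR`, and emits one GitHub Actions workflow command (`::error file=...`) per remaining finding so the runner annotates the PR. The sample report, the rule ids in it and the changed-lines map standing in for the PR diff are all constructed; how the real workflow obtains the changed lines is not on the page.

```python
"""Gate over a semgrep JSON report, limited to lines changed in the PR (added example)."""
import json
import sys

# Constructed sample in the shape of `semgrep --json` output, trimmed to the fields used here.
SAMPLE_SEMGREP_REPORT = json.dumps({
    "results": [
        {"check_id": "example.security.eval-detected",
         "path": "app/handlers.py",
         "start": {"line": 42, "col": 5}, "end": {"line": 42, "col": 30},
         "extra": {"severity": "ERROR", "message": "Detected the use of eval()."}},
        {"check_id": "example.best-practice.open-never-closed",
         "path": "app/handlers.py",
         "start": {"line": 7, "col": 1}, "end": {"line": 7, "col": 20},
         "extra": {"severity": "WARNING", "message": "File handle is never closed."}},
        {"check_id": "example.security.subprocess-shell-true",
         "path": "tools/build.py",
         "start": {"line": 12, "col": 1}, "end": {"line": 12, "col": 40},
         "extra": {"severity": "ERROR", "message": "subprocess called with shell=True."}},
    ],
    "errors": [],
})

# Constructed stand-in for the PR diff: path -> line numbers added or modified in this PR.
SAMPLE_CHANGED_LINES = {"app/handlers.py": {40, 41, 42, 43}}

# semgrep severity -> GitHub Actions workflow command used to annotate the PR.
ANNOTATION_LEVEL = {"ERROR": "error", "WARNING": "warning", "INFO": "notice"}
FAIL_AT = {"ERROR"}  # the page's policy: only level error fails the workflow


def load_results(report_json):
    """Return semgrep results as flat dicts: rule, path, start/end line, col, severity, message."""
    report = json.loads(report_json)
    return [{
        "rule": r["check_id"],
        "path": r["path"],
        "start": r["start"]["line"],
        "end": r["end"]["line"],
        "col": r["start"]["col"],
        "severity": r["extra"]["severity"],
        "message": r["extra"]["message"],
    } for r in report.get("results", [])]


def filter_to_changed(results, changed_lines):
    """Keep findings whose line span overlaps a changed line; untouched code is not reported."""
    kept = []
    for r in results:
        touched = changed_lines.get(r["path"], set())
        if any(line in touched for line in range(r["start"], r["end"] + 1)):
            kept.append(r)
    return kept


def should_fail(results):
    return any(r["severity"] in FAIL_AT for r in results)


def render_annotations(results):
    """One workflow command per finding; the runner renders these as PR line annotations."""
    lines = []
    for r in results:
        level = ANNOTATION_LEVEL.get(r["severity"], "notice")
        lines.append(f"::{level} file={r['path']},line={r['start']},endLine={r['end']},"
                     f"col={r['col']},title={r['rule']}::{r['message']}")
    return lines


def main(report_path=None, changed_lines=None):
    """Print annotations for the changed lines and return the step's exit code."""
    report_json = open(report_path).read() if report_path else SAMPLE_SEMGREP_REPORT
    changed = changed_lines if changed_lines is not None else SAMPLE_CHANGED_LINES
    relevant = filter_to_changed(load_results(report_json), changed)
    for line in render_annotations(relevant):
        print(line)
    return 1 if should_fail(relevant) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

With the constructed inputs only the `eval()` finding at line 42 survives the diff filter: the warning at line 7 and the error in `tools/build.py` were not touched by the PR and are neither annotated nor counted toward the gate. A false positive that is suppressed in the source with a `# nosemgrep` annotation, as the upstream documentation describes, is already absent from the report before this script runs.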
## Data collection

These files are all downloaded daily and added to the following Databricks Delta tables:

- `software_supply_chain_v2.sbom`
- `software_supply_chain_v2.sca`
- `software_supply_chain_v2.vulnerability_reports`

Data analysis notebooks can be found here.

We only download workflow artefacts, and these expire at GitHub after 30 days.

All raw files are stored in the following S3 bucket: `/dbfs/mnt/nl-lacent-data-sandbox-lacent/harmw/software-supply-chain`