Hold meeting to determine how/if to streamline and improve log review process #3761
Comments
If this works, we would want to try it out with other repos.
@jason-upchurch another possibility might be to use GitHub vulnerability tracking. We would want to make sure it doesn't also have false-positive issues. https://help.github.com/en/articles/about-security-alerts-for-vulnerable-dependencies
@lbeaufort it's probably good to complement. The false positive issue is just something for log reviewers to keep in mind when making reports, as I imagine any tool has to make a tradeoff between false positives and missed detections. As a reviewer, a downstream goal may be to write a simple shell script that targets the same files as the web interface.
With the ML and human review this may be a great complement! Following is a snippet from
It's probably good to have more coverage, and it looks like the GitHub monitoring registration is super easy:
Additional resource for static analysis discussion: before-you-ship.18f.gov.
Closing issue in favor of additional tool training #3920
Problem
Because of inconsistent conclusions between the Snyk CLI and web interface (see related issue "research inconsistency between snyk cli and web interface #3760"), it would be helpful to use the CLI to perform dependency vulnerability scans on the remote server. Modified in sprint planning to hold a meeting.
For reference: https://github.com/fecgov/FEC/wiki/Security-Event-Review-Checklist
Recommended steps
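As an added example (not code from this issue, from the FEC project, or from Snyk), the following Python script shows one way a log reviewer could reconcile two dependency-scan reports, such as a `snyk test --json` run on the server and an export from the web interface, so that findings reported by only one source stand out instead of being reconciled by hand. The JSON layout (a top-level `vulnerabilities` list with `id`, `severity`, `packageName` and `version`) is an assumption modelled loosely on Snyk's JSON output, and both sample reports and their vulnerability ids are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample reports. The field layout is an assumption modelled on the
# general shape of `snyk test --json` output; the ids are placeholders, not real
# Snyk vulnerability identifiers.
CLI_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-PLACEHOLDER-0001", "severity": "high",
         "packageName": "example-lib-a", "version": "1.0.0"},
        {"id": "SNYK-PLACEHOLDER-0002", "severity": "medium",
         "packageName": "example-lib-b", "version": "2.3.1"},
        # Same vulnerability reached via a second dependency path: scanners
        # commonly list it again, which inflates naive counts.
        {"id": "SNYK-PLACEHOLDER-0001", "severity": "high",
         "packageName": "example-lib-a", "version": "1.0.0"},
    ],
})

WEB_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-PLACEHOLDER-0002", "severity": "medium",
         "packageName": "example-lib-b", "version": "2.3.1"},
        {"id": "SNYK-PLACEHOLDER-0003", "severity": "low",
         "packageName": "example-lib-c", "version": "0.9.0"},
    ],
})


def load_findings(report_json):
    """Return a dict keyed by (vuln id, package, version) -> severity.

    Keying on the triple collapses repeated entries for the same
    vulnerability reached through different dependency paths, so the
    counts reflect distinct findings rather than paths.
    """
    data = json.loads(report_json)
    findings = {}
    for vuln in data.get("vulnerabilities", []):
        key = (vuln["id"], vuln["packageName"], vuln["version"])
        findings[key] = vuln["severity"].lower()
    return findings


def reconcile(cli_json, web_json):
    """Compare two reports: what both found, and what only one of them found."""
    cli = load_findings(cli_json)
    web = load_findings(web_json)
    cli_keys, web_keys = set(cli), set(web)
    return {
        "both": sorted(cli_keys & web_keys),
        "cli_only": sorted(cli_keys - web_keys),
        "web_only": sorted(web_keys - cli_keys),
        "severity_cli": dict(Counter(cli.values())),
        "severity_web": dict(Counter(web.values())),
    }


def format_report(result):
    """Render the reconciliation as plain text suitable for a log-review note."""
    lines = []
    for label in ("both", "cli_only", "web_only"):
        lines.append(f"{label} ({len(result[label])}):")
        for vuln_id, pkg, ver in result[label]:
            lines.append(f"  {vuln_id}  {pkg}@{ver}")
    lines.append(f"cli severity counts: {result['severity_cli']}")
    lines.append(f"web severity counts: {result['severity_web']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile(CLI_REPORT, WEB_REPORT)))
```

The `cli_only` and `web_only` buckets are the items worth a second look during review: a finding in only one bucket is either a gap in one scanner's coverage or a false positive in the other, which is the tradeoff the thread discusses.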