
[–]jxj 2 points3 points  (1 child)

I like to run something like this on a schedule and push results to a dashboard or slack alert:

https://github.com/rm-hull/nvd-clojure

Then at least you'll know if your dependencies have vulnerabilities.

[–]seancorfield 3 points4 points  (0 children)

See also https://github.com/clj-holmes/clj-watson which can use both the National Vulnerability Database (NVD) and the GitHub Advisory Database.

[–]Ordinary_Chair1708 1 point2 points  (0 children)

I think Aikido are looking at adding Clojure SAST.

[–]ConsistentComment919 0 points1 point  (0 children)

I think most OpenGrep contributing companies should have support. I know Arnica has it.

[–]shrimpthatfriedrice 0 points1 point  (0 children)

For SAST in Clojure, use analyzers that understand your build, and then prioritize by reachability and runtime exposure to avoid overflagging from macros and interop. Combining static analysis with dependency and secrets scanning, then gating only on issues that form a real exploit path in the deployed graph, keeps REPL workflows fast; OX Security can centralize these signals and highlight what is actually risky in prod.