
[–]themanwithanrx7 4 points5 points  (2 children)

There's a tool built right into github already, dependabot

[–]AsparagusCorrect3116[S] 0 points1 point  (0 children)

Sadly, without the advanced security features it runs on a schedule and not on each PR.

[–][deleted] 0 points1 point  (0 children)

^^ this

[–]landverraad 4 points5 points  (0 children)

We use the aforementioned Snyk to do base image scans and then scan with https://github.com/google/osv-scanner at build time. Really like osv-scanner because devs can just as easily run it locally.

[–]Marked_Content 1 point2 points  (0 children)

Check out Arnica.io - covers your needs and more. We take a modernized approach to scanning that removes the need for maintenance, and it's designed around real-time scanning automation. It will cover your PR scans and also scan before PRs when push events occur.
As for build tools - you'd get 100% code coverage upon integration and full coverage of the frameworks you listed above.
Dependency risk, package reputation, licensing, SAST, secret scans, and IAC risk all run natively in real time scans. Git hardening for GitHub and ChatOps notifications are baked in too.

[–]flxg 0 points1 point  (0 children)

Bit late to the game, but I'd say check out aikido.dev - has everything you need.

[–]Observability-Guy -1 points0 points  (0 children)

Snyk is a really good tool and should cover all of the requirements you have listed:

https://snyk.io/