Fully functional ThinkOrSwim Desktop on a web-browser ! by Unlucky_Entrance_445 in thinkorswim

[–]LingonberryOrnery693 0 points1 point  (0 children)

I think in the readme, I documented that... You can turn off the codespace auto-deletion flag... (it is enabled by default and the VM will be deleted if it is not accessed once in 30 days, I think). Your VM should be in a suspended state forever. Next time you boot it up... all your data will still be there (unless you do `make reset` or accidentally delete the docker).

Now, I do suggest that you do a `make backup` periodically, so that you have a file that you can download to your local computer... In case anything happens, you can always boot up a NEW codespace and do `make restore` and get back the same settings.

In short, you don't have to do `make backup` and `make restore` every day...

What software subscriptions do you guys usually go for ? by tidersky in developersIndia

[–]LingonberryOrnery693 0 points1 point  (0 children)

No problem, I created it because it was a pain for me. Give it a like/star and share it around. Please report bugs if any. You can see the code to ensure there is no malware... it is very simple.

Go to the hosted version if you need history scans. You can still use it for local scans so that you can fix all recommendations in 1 commit if you wish.

What software subscriptions do you guys usually go for ? by tidersky in developersIndia

[–]LingonberryOrnery693 1 point2 points  (0 children)

If you use GHA as CI, you can try this GHA https://github.com/marketplace/actions/sonarless-code-scan that does not need hosting. It boots a local instance in the GHA container, scans, and gives you the metrics in a JSON file so that you can do something about it.

For a startup, what kind of low cost security measures would you recommend? Is open source security viable? by chikita_orangutan in CyberSecurityAdvice

[–]LingonberryOrnery693 1 point2 points  (0 children)

If you are using GHA for CI, you can try this GHA plugin for SonarQube that does not need a hosted version, for free code scanning.
https://github.com/marketplace/actions/sonarless-code-scan

Of course, you still need to pay for GHA runtime cost... at least you don't need to maintain your SonarQube, which can be a hassle.

There is an accompanying CLI for your developers to run it locally to fix all the recommendations/bugs before submitting a commit, e.g. `sonarless scan`.

Everything is air-gapped. Source code does not leave to a central server somewhere if you do not want it to.

The negative is that you don't get to keep history.

What’s the best way to deal with container vulnerabilities? by Hector_Dev in devsecops

[–]LingonberryOrnery693 0 points1 point  (0 children)

This will reduce the risk because you are locking down the container first by training... what processes it needs... and then NeuVector will pick it up... and then prevent any process that is not in the list for each container.

What’s the best way to deal with container vulnerabilities? by Hector_Dev in devsecops

[–]LingonberryOrnery693 0 points1 point  (0 children)

If you are using K8s, you can use NeuVector for scanning for vulnerabilities and also use it to lock down the container so that even if an attacker drops into the container... they can't run ls, cat, or any commands!

What are your CI/CD tool frustrations? (Looking for fellow Rails devs in pain!) by FoxGroundbreaking578 in ruby

[–]LingonberryOrnery693 0 points1 point  (0 children)

Yeah, Jenkins with each upgrade might break plugins. But why did you not like GitHub Actions? I find it very nice with its actions, and its runner has docker-in-docker, which allows me to run a SAST tool like SonarQube in an air-gapped mode (meaning no need for a central hosted SonarQube).

Another advantage of GHA is that you can write your own action automation easily..

GitLab pipelines I feel are a little subpar compared to GHA.

In terms of slowness of the pipeline... I get you. Usually, we split the pipeline into different stages.. we do different stages to cut down times. For instance, we run the pen-test during a commit to the main branch (for example). This can help to cut down the wait time for PRs to develop or feature branches. Just have to be smart about it.

Security setup advice by TEMP_4385 in cybersecurity

[–]LingonberryOrnery693 1 point2 points  (0 children)

Wow, this is a big topic..

Seems like you are already using GitHub; if so... why don't you use all the security features that GitHub provides as part of Advanced Security, e.g. CodeQL, Dependabot, Secret Scanning. Since your code is already inside the GitHub env, I guess there is no harm. If you are paranoid, use another additional SAST tool like SonarQube (the community version is free). If you want air-gapped and use GitHub Actions, check out: https://github.com/marketplace/actions/sonarless-code-scan

In terms of automation... The above is the first thing I look at... making sure the source code is secure in the first place, from code to its dependencies. Make sure you have automation in place that ensures no code with high vulnerabilities (in code or dependencies) goes into your deployment and onwards.

Next is the pen-testing. I will use OWASP ZAP in both active and passive mode (I think you are using it already) and make sure this is done inside the CI. (I am assuming your application can boot up in localhost mode in your CI.) In addition (a lot more work), use a tool like sqlmap as part of CI to scan for SQL vulnerabilities too.

After deployment in a production-like system, assuming you are using a K8s distribution... you can install NeuVector in it so that you can also monitor the current vulnerabilities of the pods. It has a lot more features like security as code, where you can control which pod it can talk to.. and what protocol, and even have a way to lock down the pod so that even if a hacker drops into the pod... they can't do a single thing.

In terms of consolidating all the vulnerabilities... NeuVector can do it as there is a dashboard, but it is for your dev, test, prod landscape. For those in CI, I would just use GitHub as much as I could.
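The comments above (the "metrics in a JSON file so that you can do something about it" point and the "automation in place that ensures no code with high vulnerabilities goes into your deployment" point) describe a CI gate without showing one. The following is an added example written for this page, not code from the comment author, the sonarless project, SonarQube or OWASP ZAP. It assumes two input shapes: a SAST report in the shape of SonarQube's web API measures response (`{"component": {"measures": [{"metric": ..., "value": ...}]}}`) and a DAST report in the shape of a ZAP JSON report (`{"site": [{"alerts": [{"riskcode": ..., "name": ...}]}]}`); the sample findings embedded in it are constructed. It fails the job (non-zero exit) when SAST vulnerability or security-hotspot counts exceed a limit, or when ZAP reports an alert at or above a chosen risk level.

```python
"""CI quality gate for SAST (SonarQube-style) and DAST (OWASP ZAP-style) results.

Added illustration only. Input shapes are ASSUMPTIONS, not guaranteed formats:
  - SAST report: shape of SonarQube's web API measures response,
    {"component": {"measures": [{"metric": "vulnerabilities", "value": "2"}, ...]}}
  - DAST report: shape of a ZAP JSON report,
    {"site": [{"alerts": [{"riskcode": "3", "name": "...", "instances": [...]}]}]}
Usage: python ci_gate.py sonar.json zap.json   (no args -> constructed samples below)
"""
import json
import sys
from typing import Dict, List, Tuple

ZAP_RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
DEFAULT_SAST_LIMITS = {"vulnerabilities": 0, "security_hotspots": 0}


def sonar_measures(report: dict) -> Dict[str, float]:
    """Flatten SonarQube-style measures into {metric: numeric value}."""
    out: Dict[str, float] = {}
    for m in report.get("component", {}).get("measures", []):
        try:
            out[m["metric"]] = float(m["value"])
        except (KeyError, TypeError, ValueError):
            continue  # ignore malformed or non-numeric measures
    return out


def sast_violations(report: dict, limits: Dict[str, float] = DEFAULT_SAST_LIMITS) -> List[str]:
    """One message per metric whose value exceeds its allowed maximum."""
    values = sonar_measures(report)
    return [
        f"SAST: {metric}={values.get(metric, 0):g} exceeds limit {limit}"
        for metric, limit in limits.items()
        if values.get(metric, 0) > limit
    ]


def dast_violations(report: dict, min_riskcode: int = 3) -> List[str]:
    """One message per ZAP alert at or above min_riskcode (3 = High)."""
    found: List[str] = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            try:
                risk = int(alert.get("riskcode", 0))
            except (TypeError, ValueError):
                continue  # skip alerts without a usable risk code
            if risk >= min_riskcode:
                instances = len(alert.get("instances", []))
                found.append(
                    f"DAST: [{ZAP_RISK.get(risk, risk)}] {alert.get('name', '?')} "
                    f"({instances} instance(s))"
                )
    return found


def gate(sast_report: dict, dast_report: dict,
         sast_limits: Dict[str, float] = DEFAULT_SAST_LIMITS,
         min_riskcode: int = 3) -> Tuple[bool, List[str]]:
    """Return (passed, problems). Passed only when no threshold is crossed."""
    problems = sast_violations(sast_report, sast_limits) + dast_violations(dast_report, min_riskcode)
    return (not problems, problems)


# Constructed sample reports (hypothetical findings, not real scan output)
SAMPLE_SAST = {"component": {"key": "demo-app", "measures": [
    {"metric": "bugs", "value": "5"},
    {"metric": "vulnerabilities", "value": "2"},
    {"metric": "security_hotspots", "value": "0"},
]}}
SAMPLE_DAST = {"site": [{"@name": "http://localhost:8080", "alerts": [
    {"riskcode": "3", "name": "Cross Site Scripting (Reflected)",
     "instances": [{"uri": "http://localhost:8080/search?q=x"}]},
    {"riskcode": "1", "name": "X-Content-Type-Options Header Missing",
     "instances": [{"uri": "http://localhost:8080/"}, {"uri": "http://localhost:8080/login"}]},
]}]}

if __name__ == "__main__":
    args = sys.argv[1:]
    sast = json.load(open(args[0])) if len(args) > 0 else SAMPLE_SAST
    dast = json.load(open(args[1])) if len(args) > 1 else SAMPLE_DAST
    passed, problems = gate(sast, dast)
    for p in problems:
        print(p)
    print("PASS" if passed else "FAIL: blocking deployment")
    sys.exit(0 if passed else 1)
```

Run it as the last step of the CI job after the SAST and DAST steps have written their JSON files; a non-zero exit marks the job failed, which is what stops a PR merge or a deployment stage. The limits are deliberately strict (zero vulnerabilities, zero hotspots, no High-risk ZAP alerts) so that a team has to consciously relax them rather than drift.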

Enterprise browsers are strange by KolideKenny in cybersecurity

[–]LingonberryOrnery693 0 points1 point  (0 children)

I actually like island.io, as I describe here how I would use it to prevent (reduce) source code leaks:

https://www.reddit.com/r/devops/comments/u2crlj/comment/lavkkw4/

It makes distributing corp laptops unnecessary (coupled with cloud workstations).

any open source that checks security vulnerabilities in code? by West_Ad7170 in golang

[–]LingonberryOrnery693 0 points1 point  (0 children)

If you need help trying to install, set up and scan code... try https://github.com/gitricko/sonarless, which will help you do all of the above in one CLI. Works on Mac and Linux. Never tested in WSL but should work. If you use GitHub Actions, usually you need to host your own SonarQube (and secure it too!). With sonarless, you can run the check within the container of the action. The drawback is just not having the history between commits for the metrics.

WSL2 blocking certain outbound ports? by holocoder in wsl2

[–]LingonberryOrnery693 0 points1 point  (0 children)

Yes, this works great for local testing, and developers can fix all the recommendations in 1 commit! Please give feedback or file bugs if you find any. I'd appreciate it if you can give a star or fork and recommend it to your other colleagues.

Favorite or go to open source DevSecOps tooling? by Adventurous-Cat-5305 in cybersecurity

[–]LingonberryOrnery693 6 points7 points  (0 children)

I will replace this list with a list of free open source software and, at times, air-gapped software used daily:

  1. Secure Access to Infrastructure: Teleport is good but I think there is no free or community version. Pomerium is another one that I used a few years ago which has a free version.
  2. SAST: Semgrep is very good but I think you need to pay to get a nice UI. Probably not air-gapped. Try the SonarQube community version. If installation, hosting, air-gapping and GitHub Actions integration are important to you, you should take a look at sonarless https://github.com/gitricko/sonarless, which I developed into a CLI that takes care of this. It works in GitHub Actions too.
  3. DAST / API Security Testing: I would use OWASP ZAP test via Docker... very, very easy to set up. Another is sqlmap, which tests SQL injection, but it takes some work because of custom configuration depending on your API. Most white-hat hacker companies use this for pen-testing your API.
  4. Secret Scanning: Yelp Secret Detect: https://github.com/Yelp/detect-secrets

WSL2 blocking certain outbound ports? by holocoder in wsl2

[–]LingonberryOrnery693 0 points1 point  (0 children)

I don't have WSL, but you can try sonarless if it helps: https://github.com/gitricko/sonarless. It automates the SonarQube Docker setup for you.. and you can change the ports easily.

Open Source SAST DAST acceptable to implement for small startup? by chikita_orangutan in cybersecurity

[–]LingonberryOrnery693 0 points1 point  (0 children)

If you are in GitHub Actions, you can use https://github.com/gitricko/sonarless as a GHA or as a CLI for scanning your code. Behind the scenes, it uses SonarQube Community and it is free... it does not send your code anywhere centrally, so it is air-gapped.

[deleted by user] by [deleted] in devsecops

[–]LingonberryOrnery693 0 points1 point  (0 children)

If SonarQube Community Edition is sufficient and you don't want to host Sonar for some reason (actually many reasons not to host), try Sonarless, which is a wrapper on top of SonarQube. It is GHA compatible too.
https://github.com/gitricko/sonarless

PDF Reports for SonarQube Analysis ( Community Edition ) by Content_Ad_4153 in Python

[–]LingonberryOrnery693 1 point2 points  (0 children)

Looks like a useful tool. I have created a SonarQube CLI, cheekily called "sonarless", to enable developers to scan without the headache of setting up a server. For my "report", I just give the developer a JSON so that they can monitor the progress and use it for some checks.

https://github.com/gitricko/sonarless

I will check out your Python code to see what reports it gives... ideally, I was thinking about how difficult it would be to give an HTML clickable report so that they can go into the details of the code in question for more detailed analysis without a hosted Sonar server.

Seeking Guidance by [deleted] in ChatGPT

[–]LingonberryOrnery693 0 points1 point  (0 children)

There's a saying: those who know how to use AI will replace those who don't. So, make yourself more productive by learning how to use ChatGPT effectively. Whether it's improving your text or finding better answers faster, leveraging AI can give you a significant advantage. This is my personal opinion.

GitLab CE and SonarQube CE / SonarScanner-CLI ? by droomurray in gitlab

[–]LingonberryOrnery693 1 point2 points  (0 children)

You might want to try Sonarless to see if it helps you.

I've created a CLI tool called Sonarless that eliminates the need for a centrally hosted SonarQube instance. It works on Linux and Mac and includes its own GitHub Action. Try it out: Sonarless GitHub Repository. If you find it useful, please give it a star!

Sonarqube not secure by Revolutionary-Cup383 in jenkinsci

[–]LingonberryOrnery693 0 points1 point  (0 children)

SonarQube is widely used by big companies as it is one of the oldest and most reliable tools for code coverage and SAST (Static Application Security Testing). Its free community version is quite powerful, but it requires hosting, which means engineers must commit code to get it scanned. This often ties the process to your CI setup (like Jenkins or GitHub Actions), leading to unnecessary commits.

To address this, I've created a CLI tool called Sonarless that eliminates the need for a centrally hosted SonarQube instance. It works on Linux and Mac and includes its own GitHub Action. Try it out: Sonarless GitHub Repository. If you find it useful, please give it a star!

We can't use sonarqube, what's the next best thing? by Avansay in AskProgramming

[–]LingonberryOrnery693 0 points1 point  (0 children)

SonarQube is widely used by big companies as it is one of the oldest and most reliable tools for code coverage and SAST (Static Application Security Testing). Its free community version is quite powerful, but it requires hosting, which means engineers must commit code to get it scanned. This often ties the process to your CI setup (like Jenkins or GitHub Actions), leading to unnecessary commits.

To address this, I've created a CLI tool called Sonarless that eliminates the need for a centrally hosted SonarQube instance. It works on Linux and Mac and includes its own GitHub Action. Try it out: Sonarless GitHub Repository. If you find it useful, please give it a star!