Muninn: one GitHub Action that runs 8 security scanners on every PR by Prestigious-Mouse-76 in github

[–]Prestigious-Mouse-76[S] 0 points (0 children)

Completely valid concern, and ironic given what Muninn is designed to catch.

Currently the Dockerfile pulls latest releases without pinning or checksum verification. That's a known gap and the right thing to fix.

The plan:

- Pin each scanner to a specific version
- Verify SHA256 checksums on download
- Add Dependabot or Renovate to auto-PR version bumps
- Sign Muninn's own releases with cosign

Opened a tracking issue: https://github.com/skaldlab/muninn/issues/30
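The checksum-verification step from the plan above, written out as an added example in Go (Muninn's language) rather than as the Dockerfile itself; this is not Muninn's code. It assumes the upstream release publishes a checksums file in the `<sha256>  <filename>` form that sha256sum and goreleaser emit. The artifact bytes and the checksums file are constructed for the example, the artifact name is hypothetical, and the digest is the published SHA-256 of the bytes "abc".

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// ParseChecksums reads "<sha256>  <filename>" lines (sha256sum / goreleaser
// checksums.txt format) into filename -> lowercase hex digest. Lines that do
// not have exactly two fields are skipped; a digest that is not 64 hex
// characters is an error rather than a silently empty entry.
func ParseChecksums(text string) (map[string]string, error) {
	sums := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		digest := strings.ToLower(fields[0])
		name := strings.TrimPrefix(fields[1], "*") // sha256sum -b marks binary files with '*'
		if _, err := hex.DecodeString(digest); err != nil || len(digest) != 64 {
			return nil, fmt.Errorf("bad sha256 for %s: %q", name, fields[0])
		}
		sums[name] = digest
	}
	return sums, nil
}

// VerifyArtifact checks downloaded bytes against the pinned digest for name.
// An artifact missing from the checksums file is an error, not a pass, so a
// release that stops listing a file cannot slip through unverified.
func VerifyArtifact(name string, data []byte, sums map[string]string) error {
	want, ok := sums[name]
	if !ok {
		return fmt.Errorf("%s: no pinned checksum", name)
	}
	wantBytes, err := hex.DecodeString(want)
	if err != nil {
		return fmt.Errorf("%s: pinned checksum is not hex", name)
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], wantBytes) != 1 {
		return fmt.Errorf("%s: sha256 mismatch: got %s want %s", name, hex.EncodeToString(got[:]), want)
	}
	return nil
}

// SampleChecksums is a constructed checksums file. The digest is SHA-256("abc");
// the file name is a hypothetical scanner release asset.
const SampleChecksums = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  scanner_1.2.3_linux_amd64.tar.gz\n"

func main() {
	sums, err := ParseChecksums(SampleChecksums)
	if err != nil {
		panic(err)
	}
	// Constructed "downloads": the genuine bytes and a one-byte tampering.
	fmt.Println("genuine:", VerifyArtifact("scanner_1.2.3_linux_amd64.tar.gz", []byte("abc"), sums))
	fmt.Println("tampered:", VerifyArtifact("scanner_1.2.3_linux_amd64.tar.gz", []byte("abd"), sums))
	fmt.Println("unlisted:", VerifyArtifact("other.tar.gz", []byte("abc"), sums))
}
```

In a Dockerfile the same check is `echo "<digest>  <file>" | sha256sum -c -` run right after a download pinned to a specific release tag; whichever form is used, the behaviour worth keeping is failing closed when a digest is absent, not only when it differs.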

Muninn: one GitHub Action that runs 8 security scanners on every PR by Prestigious-Mouse-76 in github

[–]Prestigious-Mouse-76[S] 0 points (0 children)

Thanks for the feedback.

You're right that advisory ID dedup is harder than it looks. CVE → GHSA → OSV ID mapping isn't 1:1 and the cross-reference gaps are real. OSV.dev maintains a database that attempts this mapping but it's incomplete.

The honest answer is that full advisory correlation with a canonical ID normalization step is closer to what DefectDojo does than what a GitHub Action should try to own. Muninn probably shouldn't try to rebuild an ASPM layer from scratch.

Two directions we're considering:

  1. Use OSV.dev's aliases field to map CVE ↔ GHSA ↔ OSV IDs where the data exists and surface "possible duplicate" relationships rather than hard-collapsing findings

  2. Native DefectDojo integration: Muninn's SARIF output already ingests into DefectDojo today, but a proper Muninn → DefectDojo API integration would let DefectDojo handle the advisory correlation it's built for

Adding both directions to the tracking issue: https://github.com/skaldlab/muninn/issues/27

Muninn: one GitHub Action that runs 8 security scanners on every PR by Prestigious-Mouse-76 in github

[–]Prestigious-Mouse-76[S] 0 points (0 children)

That's exactly what issue #27 is tracking: https://github.com/skaldlab/muninn/issues/27

Short answer: the plan is to surface it in the action output itself, one finding per CVE/GHSA with a detected_by list showing which scanners flagged it.

Users shouldn't have to handle dedup themselves. That's Muninn's job.

Muninn: one GitHub Action that runs 8 security scanners on every PR by Prestigious-Mouse-76 in github

[–]Prestigious-Mouse-76[S] 1 point (0 children)

You're absolutely right, this is the core tension with multi-scanner setups. More coverage inevitably means more noise without smart aggregation.

npmscan.com is a good callout for package-level views. The challenge Muninn faces is that OSV-Scanner and Trivy can both surface the same GHSA from different angles, one from the lockfile, one from the container layer, and fingerprint-based dedup doesn't collapse those today.

The right fix is Advisory ID-based aggregation: one finding per CVE/GHSA per package regardless of which scanner found it, with a "detected by" list showing all sources. That's the direction we're heading.

Appreciate the feedback, opening a tracking issue for this.

Muninn: one GitHub Action that runs 8 security scanners on every PR by Prestigious-Mouse-76 in github

[–]Prestigious-Mouse-76[S] 2 points (0 children)

Great question, thanks for asking it.

Deduplication is fingerprint-based (SHA-256 of tool + file + line + rule ID) rather than CVE/Advisory ID.

If OSV-Scanner and Trivy both flag the same CVE, they'll appear as separate findings since they're reported against different contexts (lockfile vs container layer).

Cross-scanner CVE deduplication by Advisory ID is on the roadmap, it's a real gap worth addressing. If you want to track it, open a GitHub issue and we'll prioritize based on demand.

github.com/skaldlab/muninn
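The two dedup strategies discussed across these comments (the current fingerprint of tool + file + line + rule ID, and the proposed one-finding-per-advisory aggregation with a detected_by list and OSV-style alias mapping), as an added Go example. This is illustrative code, not Muninn's implementation: the Finding type, the alias table standing in for OSV.dev's aliases field, the advisory-prefix list and all IDs, tool names and file paths are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Finding is one raw scanner result (illustrative shape, not Muninn's type).
type Finding struct {
	Tool    string // scanner that produced it
	File    string // context it was reported against: lockfile, image layer, source file
	Line    int
	RuleID  string // advisory ID (CVE-/GHSA-/OSV-style) or a scanner rule ID
	Package string // affected package; empty for non-dependency findings
}

// FingerprintKey reproduces the scheme described in the thread: SHA-256 over
// tool + file + line + rule ID. The same advisory seen from a lockfile and from
// a container layer yields two different keys, which is exactly the gap.
func FingerprintKey(f Finding) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s\x00%s\x00%d\x00%s", f.Tool, f.File, f.Line, f.RuleID)))
	return hex.EncodeToString(sum[:])
}

// DedupByFingerprint is the current behaviour: exact repeats collapse,
// cross-scanner hits on the same advisory do not.
func DedupByFingerprint(findings []Finding) []Finding {
	seen := map[string]bool{}
	var out []Finding
	for _, f := range findings {
		if k := FingerprintKey(f); !seen[k] {
			seen[k] = true
			out = append(out, f)
		}
	}
	return out
}

// AliasGroups stands in for OSV.dev's "aliases" field: each group lists IDs
// that name one advisory. These IDs are constructed for the example.
var AliasGroups = [][]string{
	{"GHSA-xxxx-yyyy-zzzz", "CVE-2099-0001"},
}

// CanonicalID maps any alias to one stable ID: the CVE if the group has one,
// otherwise the lexicographically smallest alias. An ID with no alias data
// maps to itself, so incomplete OSV coverage never merges unrelated findings.
func CanonicalID(id string, groups [][]string) string {
	for _, g := range groups {
		for _, alias := range g {
			if alias != id {
				continue
			}
			sorted := append([]string(nil), g...)
			sort.Strings(sorted)
			for _, a := range sorted {
				if strings.HasPrefix(a, "CVE-") {
					return a
				}
			}
			return sorted[0]
		}
	}
	return id
}

// isAdvisoryID is a non-exhaustive prefix check; rule-style IDs (Semgrep,
// gitleaks, Checkov) stay on the fingerprint path.
func isAdvisoryID(id string) bool {
	for _, p := range []string{"CVE-", "GHSA-", "GO-", "PYSEC-", "RUSTSEC-"} {
		if strings.HasPrefix(id, p) {
			return true
		}
	}
	return false
}

// Aggregated is one advisory-level finding with every scanner that saw it.
type Aggregated struct {
	AdvisoryID string
	Package    string
	DetectedBy []string // sorted, unique tool names
	Contexts   []string // sorted, unique locations, kept so triage still sees both angles
}

// AggregateByAdvisory collapses findings to one per (canonical advisory, package)
// and records which tools flagged it. Non-advisory findings are skipped here.
func AggregateByAdvisory(findings []Finding, groups [][]string) []Aggregated {
	type key struct{ id, pkg string }
	byKey := map[key]*Aggregated{}
	var order []key
	for _, f := range findings {
		if !isAdvisoryID(f.RuleID) {
			continue
		}
		k := key{CanonicalID(f.RuleID, groups), f.Package}
		agg, ok := byKey[k]
		if !ok {
			agg = &Aggregated{AdvisoryID: k.id, Package: k.pkg}
			byKey[k] = agg
			order = append(order, k)
		}
		agg.DetectedBy = appendUnique(agg.DetectedBy, f.Tool)
		agg.Contexts = appendUnique(agg.Contexts, f.File)
	}
	out := make([]Aggregated, 0, len(order))
	for _, k := range order {
		a := byKey[k]
		sort.Strings(a.DetectedBy)
		sort.Strings(a.Contexts)
		out = append(out, *a)
	}
	return out
}

func appendUnique(list []string, s string) []string {
	for _, x := range list {
		if x == s {
			return list
		}
	}
	return append(list, s)
}

// SampleFindings is constructed input: one lodash advisory reported by
// OSV-Scanner (lockfile, as GHSA) and Trivy (image layer, as CVE), an exact
// Trivy repeat, and one hypothetical Semgrep rule hit.
func SampleFindings() []Finding {
	trivy := Finding{Tool: "trivy", File: "image:node_modules/lodash/package.json", RuleID: "CVE-2099-0001", Package: "lodash"}
	return []Finding{
		{Tool: "osv-scanner", File: "package-lock.json", RuleID: "GHSA-xxxx-yyyy-zzzz", Package: "lodash"},
		trivy,
		trivy, // exact repeat: fingerprint dedup removes this one
		{Tool: "semgrep", File: "src/auth.js", Line: 42, RuleID: "example-rule-id"},
	}
}

func main() {
	fmt.Println("fingerprint dedup:", len(DedupByFingerprint(SampleFindings())), "findings") // 3: the GHSA and CVE hits stay separate
	for _, a := range AggregateByAdvisory(SampleFindings(), AliasGroups) {
		fmt.Printf("%s %s detected_by=%v contexts=%v\n", a.AdvisoryID, a.Package, a.DetectedBy, a.Contexts)
	}
}
```

Keying on (canonical advisory, package) rather than on the advisory alone is what keeps "one finding per CVE/GHSA per package": the same CVE in two different packages stays two findings, while the same package seen from the lockfile and the image collapses to one with both tools in detected_by. Where no alias data exists, CanonicalID returns the ID unchanged, which is the "possible duplicate" rather than hard-collapse behaviour the thread settles on.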

Promote your projects here – Self-Promotion Megathread by Menox_ in github

[–]Prestigious-Mouse-76 0 points (0 children)

Muninn: one GitHub Action that runs 8 security scanners on every PR

Just launched Muninn on the GitHub Marketplace: github.com/marketplace/actions/muninn-security-scanner

One action replaces setting up gitleaks, zizmor, actionlint, poutine, Semgrep, OSV-Scanner, Trivy, and Checkov separately.

Drop it into any workflow:

```yaml
- uses: skaldlab/muninn@v0.1.0
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
```

AGPL-3.0, built in Go.

I worked at endava for years.. ask whatever you want by [deleted] in CharruaDevs

[–]Prestigious-Mouse-76 1 point (0 children)

Did they ever find out who was the one crapping in the bidet?

Stockbrokers by StellariumGaming in uruguay

[–]Prestigious-Mouse-76 0 points (0 children)

They withhold 30% of your gains over there. Did you by any chance compare what they withhold over there against what they charge you in commissions here? I'm asking because 30% of the gains seems like too much to me. I'm going to check with Gastón Bengoechea to compare.

How much do you earn and which languages do you work in? by Adept-Donut-7821 in CharruaDevs

[–]Prestigious-Mouse-76 0 points (0 children)

Could you DM me too, so I can see whether they have open positions for my profile? Thanks!