Select and implement license and vulnerability scanning tools

Problem:

To ensure supply chain license compliance and monitor dependency security vulnerabilities, software artifacts should be scanned with the appropriate tools.

Goal:

  • Ensure supply chain license compliance
  • Ensure dependencies are free of security vulnerabilities

Acceptance criteria (ACs):

  • Several tools are evaluated
  • An ADR is created that details the selected tool -> solution-architecture!8
  • The application bootstrap template CI workflow is configured with the tool -> matrix-g2c-pilot-project-template!9
    • Reference the ADR from the template repo README or similar
    • NEW: dependency update issues are monitored
    • NEW: license issues are monitored

Edited by Marco Holz