From 8703d85b1f918925a661f80eb8bc124c27e0f854 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Ma=CC=88der?= <michael.maeder@hefr.ch>
Date: Wed, 2 Apr 2025 16:00:22 +0200
Subject: [PATCH] add question4

---
 docs/questions-part4.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 docs/questions-part4.md

diff --git a/docs/questions-part4.md b/docs/questions-part4.md
new file mode 100644
index 0000000..2411829
--- /dev/null
+++ b/docs/questions-part4.md
@@ -0,0 +1,7 @@
+# Questions
+
+## Part 4
+
+- **Q4.1**: Often secrets are committed in a repository. Different research tools exist and help to detect this kind of dangerous forgotten credentials. Integrate a check in your pipeline for these kinds of problems. Have a look at <https://github.com/zricethezav/gitleaks>. What kind of leaked secrets can you find in the git repo? Did the tool not find something that it should have found? Why? What possibilities exist to prevent this kind of leakage?
+- **Q4.2**: Try to find any possible problems in our used libraries (e.g. flask). The `pyproject.toml` describes all the additional libraries used by the application. You can use a dependency scanning (have a look here: <https://docs.gitlab.com/ee/user/application_security/dependency_scanning/>) to see if all imported libraries are safe. Do you find any problems? Integrate the scanning in your pipeline.
+- **Q4.3 (optional)**: API Fuzzing (and other kinds of DAST) is described at this page: <https://docs.gitlab.com/ee/user/application_security/api_fuzzing/>. Choose one of the different description possibilities for your *calculator* API. Integrate it in your pipeline.