Klagarge/MSE-CyberSec-DevSecOps
1
0
Fork 0
Code Issues Pull Requests Releases Activity
Files
f6610ba524760ad24c4b49d63c48ed363340947c
MSE-CyberSec-DevSecOps/docs/questions-part4.md
Michael Mäder 8703d85b1f add question4
2025-04-09 16:33:58 +00:00

1.1 KiB
Raw Blame History

Questions

Part 4

  • Q4.1: Often secrets are committed in a repository. Different research tools exist and help to detect this kind of dangerous forgotten credentials. Integrate a check in your pipeline for these kinds of problems. Have a look at https://github.com/zricethezav/gitleaks. What kind of leaked secrets can you find in the git repo? Did the tool not find something that it should have found? Why? What possibilities exist to prevent this kind of leakage?
  • Q4.2: Try to find any possible problems in our used libraries (e.g. flask). The pyproject.toml describes all the additional libraries used by the application. You can use a dependency scanning (have a look here: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/) to see if all imported libraries are safe. Do you find any problems? Integrate the scanning in your pipeline.
  • Q4.3 (optional): API Fuzzing (and other kinds of DAST) is described at this page: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/. Choose one of the different description possibilities for your calculator API. Integrate it in your pipeline.