We'd like to arrange with the community that CI/SCA security scan tools are activated on upstream/ONF VOLTHA software repositories so that security requirements are met.
All relevant VOLTHA repositories are covered by SCA/security tools inside the CI/CD pipeline.
The tools may run with the flag "allow_failure: true" inside the CI/CD pipeline, so that a reported finding is visible in the pipeline but does not block developers from pushing and building changes.
The recommended list of security tools:
- Golang: gosec, https://github.com/securego/gosec
- Python: Bandit, https://pypi.org/project/bandit/
- Java: FindSecBugs, https://find-sec-bugs.github.io/
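As an added illustration (not part of this request, nor VOLTHA's own CI configuration), the following GitLab CI fragment shows how the Go and Python scanners could be wired in with "allow_failure: true"; it assumes a GitLab pipeline and a repository that contains both Go and Python code, and the stage names and image tags are assumptions.

```yaml
# Added example, not from the original request or the VOLTHA project.
# Each scanner job is non-blocking: a finding marks the job as failed
# (shown as a warning) but the pipeline continues and the merge is not blocked.
# Assumptions: GitLab CI, stage names and image tags chosen here.
stages:
  - test
  - security

gosec:
  stage: security
  image: golang:1.22
  script:
    - go install github.com/securego/gosec/v2/cmd/gosec@latest
    # SARIF output can be uploaded as a report; "./..." scans all packages
    - gosec -fmt=sarif -out=gosec.sarif ./...
  allow_failure: true        # remove this line to make findings block the pipeline
  artifacts:
    when: always             # keep the report even when the job "fails"
    paths:
      - gosec.sarif

bandit:
  stage: security
  image: python:3.12
  script:
    - pip install bandit
    # -r recurses into the tree; JSON output keeps the findings machine-readable
    - bandit -r . -f json -o bandit.json
  allow_failure: true        # same non-blocking behaviour as the Go job
  artifacts:
    when: always
    paths:
      - bandit.json
```

Once the backlog of findings has been triaged, dropping "allow_failure: true" from a job turns it into a gate that stops the pipeline on new findings.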