SAST: The CodeQL transition is ongoing, and PRs to add the corresponding workflows are ongoing. The Veracode license will expire at the end of March, so everyone is encouraged to review their workflows to ensure a timely transition to CodeQL.
DAST: The Invicti license will expire at the end of August and has already exceeded the website limit. No DAST tool will be required for the next Quality Gate.
Secret scanning
GitGuardian is currently set up, but Gitleaks is a potential successor.
Testing of GitHub secret scanning is still in progress.
TRG 8.0 has been published as a draft, adjustments as PR are warmly welcome.
An overarching issue for tracking the tool shifts was discussed, as it is necessary for proper planning by the teams.
Teams need to estimate the effort to adjust their GitHub workflows.
The PR for the new Security TRG was discussed, which includes a new requirement of remediation of findings with medium severity, but not for the 25.05 release.
Concerns were raised about the need for additional planned team resources for triaging these issues, and it was suggested that the TRG should be finalized and teams made aware.
What are the best practices for scheduling security tool Action workflows: on every PR, or at another frequency?
The TRG requires at least once; this is the mandatory baseline for all.
Best practice is to run more frequently; the recommendation differs per tool (e.g. secret scanning on every PR, dependency scanning on a weekly basis).
The triggers will be on push, on pull request and on schedule; the schedule frequency depends on the repository's activity, so the team has to decide.
Best practice recommendations will be published in the sig-security repository.
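A workflow file illustrating the push + pull request + schedule trigger pattern for a CodeQL scan (an added example, not a file from the sig-security repository or any Tractus-X project; the branch name, cron time, languages and query suite are assumptions):

```yaml
# Added example, not a project file: CodeQL scan with all three triggers.
# Branch name, cron time, languages and query suite are assumptions.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly run on the default branch even when nothing is pushed,
    # so the "at least once" baseline holds for quiet repositories.
    - cron: "17 3 * * 1"

# Least privilege: the job only reads the checkout and uploads SARIF results.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Assumed languages; adjust to what the repository actually contains.
        language: [java-kotlin, javascript-typescript]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-and-quality
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The schedule entry is what keeps results current on the default branch between pushes; the PR trigger is what surfaces new findings before merge.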