maibornwolff / secobserve Goto Github PK

SecObserve is an open source vulnerability management system for software development and cloud environments. It supports a variety of open source vulnerability scanners and integrates easily into CI/CD pipelines.

Home Page: https://maibornwolff.github.io/SecObserve/

License: BSD 3-Clause "New" or "Revised" License

Python 68.92% Smarty 0.25% Dockerfile 0.75% Shell 1.03% JavaScript 0.13% TypeScript 28.43% HTML 0.49%

devsecops security-automation security-tools shiftleft

secobserve's Introduction

SecObserve

SecObserve is an open source vulnerability management system for software development teams that supports a variety of open source vulnerability scanners and integrates easily into CI/CD pipelines. It gathers results about potential security flaws from various vulnerability scanning tools and makes them available for assessment and reporting.

Overview

The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools. It consists of 2 major components:

Vulnerability management system SecObserve: SecObserve provides the development team with an overview of the results of all vulnerability scans for their project, which can be easily filtered and sorted. In the detailed view, the results are displayed uniformly with a wealth of information, regardless of which vulnerability scanner generated them.

With the help of automatically executed rules and manual assessments, the results can be efficiently evaluated to eliminate irrelevant results and accept risks. This allows the development team to concentrate on fixing the relevant vulnerabilities.
GitLab CI templates and GitHub actions: Integrating vulnerability scanners into a CI/CD pipeline can be tedious. Each tool has to be installed differently and is called with different parameters. To avoid having to solve this task all over again, there are repositories with GitLab CI Templates and GitHub Actions. These make the process of integrating vulnerability scanners very simple by providing uniform methods for launching the tools and uniform parameters. The tools are regularly updated in the repositories so that the latest features and bug fixes are always available.

All templates run the scanner, upload the results into SecObserve and make the results of the scans available for download as artefacts in JSON format.

The sources of the GitHub actions and GitLab CI templates can be found in https://github.com/MaibornWolff/secobserve_actions_templates.

Documentation

The full documentation how to install and use Secobserve can be found here: https://maibornwolff.github.io/SecObserve/

Code of Conduct

Please note that this project is released with a Code of Conduct. By participating in this project you agree to abide by its terms.

Contributing

Please see the Contributing Guidelines for more information on how to get involved in the project.

License

SecObserve is licensed under the 3-Clause BSD License

secobserve's People

Contributors

Stargazers

Watchers

Forkers

uakbr l1kw1d dervoeti step-security-bot sthagen

secobserve's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

These problems occurred while renovating this repository. View logs.

WARN: Found renovate config warnings

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

chore(deps): lock file maintenance

Detected dependencies

docker-compose

docker-compose-dev-mysql.yml

mysql 8.3.0

mailhog/mailhog v1.0.1

keycloak/keycloak 23.0.7

docker-compose-dev.yml

postgres 15.6-alpine

mailhog/mailhog v1.0.1

keycloak/keycloak 23.0.7

docker-compose-playwright.yml

mcr.microsoft.com/playwright v1.42.0

docker-compose-prod-mysql.yml

traefik v3.0

maibornwolff/secobserve-frontend 1.7.0

maibornwolff/secobserve-backend 1.7.0

mysql 8.3.0

docker-compose-prod-postgres.yml

traefik v3.0

maibornwolff/secobserve-frontend 1.7.0

maibornwolff/secobserve-backend 1.7.0

postgres 15.6-alpine

docker-compose-prod-test.yml

mysql 8.3.0

postgres 15.6-alpine

docker-compose-unittests.yml

dockerfile

docker/backend/dev/django/Dockerfile

python 3.12.1-alpine@sha256:14cfc61fc2404da8adc7b1cb1fcb299aefafab22ae571f652527184fbb21ce69

docker/backend/prod/django/Dockerfile

python 3.12.1-alpine@sha256:14cfc61fc2404da8adc7b1cb1fcb299aefafab22ae571f652527184fbb21ce69

docker/backend/unittests/django/Dockerfile

python 3.12.1-alpine@sha256:14cfc61fc2404da8adc7b1cb1fcb299aefafab22ae571f652527184fbb21ce69

docker/frontend/Dockerfile

node 20.11.1-alpine3.19@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c

nginxinc/nginx-unprivileged stable-alpine3.18@sha256:97a3b48ebd8af09d7963d24956a8b366761357764cfbed12856098ec5b4dd8b4

github-actions

.github/workflows/build_push_dev.yml

actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11

docker/setup-qemu-action v3.0.0@68827325e0b33c7199eb31dd4e31fbe9023e06e3

docker/setup-buildx-action v3.1.0@0d103c3126aa41d772a8362f6aa67afac040f80c

docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046d

docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56

docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56

MaibornWolff/secobserve_actions_templates a242f92f12e104d39593fd689e12b5a6135fc2e7

.github/workflows/build_push_release.yml

actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11

docker/setup-qemu-action v3.0.0@68827325e0b33c7199eb31dd4e31fbe9023e06e3

docker/setup-buildx-action v3.1.0@0d103c3126aa41d772a8362f6aa67afac040f80c

docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046d

docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56

docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56

MaibornWolff/secobserve_actions_templates a242f92f12e104d39593fd689e12b5a6135fc2e7

MaibornWolff/secobserve_actions_templates a242f92f12e104d39593fd689e12b5a6135fc2e7

.github/workflows/check_backend.yml

actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11

actions/setup-python v5.0.0@0a5c61591373683505ea898e09a3ea4f39ef2b9c

.github/workflows/check_frontend.yml

actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11

actions/setup-node v4.0.2@60edb5dd545a775178f52524783378180af0d1f8

.github/workflows/check_vulnerabilities.yml

actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11

MaibornWolff/secobserve_actions_templates a242f92f12e104d39593fd689e12b5a6135fc2e7

.github/workflows/generate_sboms.yml

actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11

stefanzweifel/git-auto-commit-action v5@8756aa072ef5b4a080af5dc8fef36c5d586e521d

.github/workflows/publish_docs.yml

actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11

actions/setup-python v5.0.0@0a5c61591373683505ea898e09a3ea4f39ef2b9c

actions/cache v4.0.0@13aacd865c20de90d75de3b17ebe84f7a17d57d2

.github/workflows/scorecard.yml

actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11

ossf/scorecard-action v2.3.1@0864cf19026789058feabb7e87baa5f140aac736

actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3

github/codeql-action v3.24.5@47b3d888fe66b639e431abf22ebca059152f1eea

npm

end_to_end_tests/package.json

@playwright/test 1.42.0

@types/node 20.11.23

frontend/package.json

@mui/icons-material 5.15.11

@mui/material 5.15.11

@types/inflection 1.13.2

@types/recharts 1.8.29

prop-types 15.8.1

query-string 9.0.0

react-admin 4.16.11

ra-i18n-polyglot 4.16.11

ra-input-rich-text 4.16.11

ra-language-english 4.16.11

react 18.2.0

react-dom 18.2.0

react-router 6.22.2

react-router-dom 6.22.2

tss-react 4.9.4

chart.js 4.4.2

react-chartjs-2 5.2.0

markdown-to-jsx 7.4.1

@fortawesome/fontawesome-svg-core 6.5.1

@fortawesome/free-solid-svg-icons 6.5.1

@fortawesome/free-brands-svg-icons 6.5.1

@fortawesome/react-fontawesome 0.2.0

axios 1.6.7

@textea/json-viewer 3.4.0

@emotion/react 11.11.4

@emotion/styled 11.11.0

runtime-env-cra 0.2.4

oidc-client-ts 3.0.1

react-oidc-context 3.0.0

@types/jest 29.5.12

@types/node 20.11.23

@types/prop-types 15.7.11

@types/react 18.2.61

@types/react-dom 18.2.19

rewire 7.0.0

typescript 5.3.3

@typescript-eslint/eslint-plugin 7.1.0

@typescript-eslint/parser 7.1.0

eslint 8.57.0

eslint-plugin-react 7.33.2

eslint-plugin-security 2.1.1

eslint-plugin-react-hooks 4.6.0

@microsoft/eslint-formatter-sarif 3.0.0

prettier 3.2.5

@trivago/prettier-plugin-sort-imports 4.3.0

vite 5.1.4

@vitejs/plugin-react 4.2.1

pip_requirements

backend/poetry_requirements.txt

poetry ==1.8.1

mkdocs_requirements.txt

mkdocs-material ==9.5.12

poetry

backend/pyproject.toml

python >= 3.10, < 3.13

django 4.2.10

django-environ 0.11.2

django-filter 23.5

django-csp 3.7

django-constance 3.1.0

django-encrypted-model-fields 0.6.5

argon2-cffi 23.1.0

whitenoise 6.6.0

djangorestframework 3.14.0

django-cors-headers 4.3.1

drf-spectacular 0.27.1

drf-spectacular-sidecar 2024.2.1

PyJWT 2.8.0

requests 2.31.0

pymysql 1.1.0

psycopg 3.1.18

defusedcsv 2.0.0

openpyxl 3.1.2

packageurl-python 0.14.0

huey 2.5.0

jira 3.6.0

inflect 7.0.0

validators 0.22.0

Werkzeug 3.0.1

ipdb 0.13.13

watchgod 0.8.2

flake8 7.0.0

flake8-isort 6.1.1

black 24.2.0

pylint-django 2.5.5

pre-commit 3.6.2

mypy 1.8.0

django-stubs 4.2.7

djangorestframework-stubs 3.14.5

types-PyMySQL 1.1.0.1

django-extensions 3.2.3

gunicorn 21.2.0

coverage 7.4.3

django-extensions 3.2.3

django-coverage-plugin 3.1.0

Check this box to trigger a request for Renovate to run again on this repository

CVSS 4.0

Tomorrow (1st of November) CVSS 4.0 will be published according to the details at https://www.first.org/cvss/v4-0/

What needs to be done to support this?

Suggestion: Add creation of CSAF VEX to distribute information about "irrelevant results"

The README says:

With the help of automatically executed rules and manual assessments, the results can be efficiently evaluated to eliminate irrelevant results and accept risks. This allows the development team to concentrate on fixing the relevant vulnerabilities.

As we already have the information from manual assessments, what about creating CSAF VEX from them?

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

Jobs

Jooble