Topic Leader(s)

Topic Overview


Static license scanning is performed regularly on LFN repositories, but it only detects explicit issues in a project's own source. Most projects ship their code in a broader context that pulls in many dependencies, and hosting and redistributing Docker containers has legal consequences: we must have better control over what we are actually distributing. Dynamic scanning of the built images is therefore needed. Tools are available, and feedback should be given as early as possible and as close as possible to the build chain. Alexander Mazuruk worked on a PoC in ONAP involving tern + dockviz; the goal would be to include such verification in every Docker build job.
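The build-job gate the overview asks for is the part a practitioner has to write themselves: tern produces a per-layer package and license inventory, and something has to turn that into a pass/fail for the job. The following is an added example, not code from the ONAP PoC or from tern; it assumes a tern-style JSON report with the shape `images[].image.layers[].packages[]` and a `pkg_license` string per package (that shape, the sample report and the allowlist policy are all constructed assumptions, not LFN policy). It also handles two cases a naive check misses: packages with no detected license, and SPDX-style `OR` / `AND` expressions.

```python
"""License gate over a tern-style container scan report (added example).

Assumed report shape (not verified against a particular tern version):
  images[].image.layers[].packages[] with name, version, pkg_license.
Exit non-zero when any package is unlicensed or outside the allowlist.
"""
import json
import sys

# Constructed sample report in the assumed tern JSON shape.
SAMPLE_REPORT = json.dumps({
    "images": [{
        "image": {
            "name": "example/component", "tag": "1.0.0",
            "layers": [
                {"diff_id": "sha256:aaa", "packages": [
                    {"name": "libc6", "version": "2.31", "pkg_license": "LGPL-2.1-or-later"},
                    {"name": "openssl", "version": "1.1.1", "pkg_license": "Apache-2.0"},
                    {"name": "dualpkg", "version": "3.0", "pkg_license": "MIT OR GPL-3.0-only"},
                ]},
                {"diff_id": "sha256:bbb", "packages": [
                    {"name": "readline-common", "version": "8.0", "pkg_license": "GPL-3.0-or-later"},
                    {"name": "mystery-lib", "version": "0.1", "pkg_license": ""},
                ]},
            ],
        }
    }]
})

# Example redistribution allowlist (an assumption for this example, not an LFN policy).
ALLOWED = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "LGPL-2.1-or-later"}


def license_allowed(expr, allowed):
    """Evaluate a simple SPDX-style expression against the allowlist.

    'A AND B' requires every term to be allowed; 'A OR B' requires one term.
    Parentheses are stripped; nested mixed expressions are out of scope here.
    """
    expr = expr.replace("(", "").replace(")", "").strip()
    if " AND " in expr:
        return all(t.strip() in allowed for t in expr.split(" AND "))
    if " OR " in expr:
        return any(t.strip() in allowed for t in expr.split(" OR "))
    return expr in allowed


def iter_packages(report):
    """Yield (layer_id, package) for every package in every image layer."""
    for img in report.get("images", []):
        for layer in img.get("image", {}).get("layers", []):
            for pkg in layer.get("packages", []):
                yield layer.get("diff_id", "?"), pkg


def find_violations(report_text, allowed=ALLOWED):
    """Return [(name, version, license, layer_id), ...] for packages that fail policy.

    A missing license is a violation: an unknown license cannot be redistributed
    on purpose, so it must block the job rather than pass silently.
    """
    violations = []
    for layer_id, pkg in iter_packages(json.loads(report_text)):
        lic = (pkg.get("pkg_license") or "").strip()
        if not lic:
            violations.append((pkg["name"], pkg.get("version", ""), "<unknown>", layer_id))
        elif not license_allowed(lic, allowed):
            violations.append((pkg["name"], pkg.get("version", ""), lic, layer_id))
    return violations


def gate(report_text, allowed=ALLOWED, out=sys.stderr):
    """Print violations and return the exit code a CI job should use."""
    violations = find_violations(report_text, allowed)
    for name, version, lic, layer_id in violations:
        print(f"LICENSE VIOLATION: {name} {version} [{lic}] in layer {layer_id}", file=out)
    return 1 if violations else 0


if __name__ == "__main__":
    # Usage: tern report -i <image> -f json | python license_gate.py
    # With no stdin data, the constructed sample report is checked instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    sys.exit(gate(data or SAMPLE_REPORT))
```

Run as a step after the image build so the job fails on the first unlicensed or disallowed package, which is the "feedback as close as possible to the build chain" the overview describes. The `OR` handling avoids false failures on dual-licensed packages, while `AND` keeps a package blocked if any one of its required licenses is not acceptable.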


Slides & Recording

Dynamic License Scanning.mp4

Minutes




Action Items

