What is LFX Security?
LFX Security serves as an “aggregation view”: it pulls security details from multiple sources (vendor scanners) and presents them as a single “snapshot” or “overview” of a project’s security posture.
How does LFX Security scan branches by default?
By default, LFX Security configures our vendors to scan the “default” branch as specified in the GitHub repository settings.
Can vendors scan other branches?
Our vendors can scan other branches, but we have not brought that configurability to our portal.
Who conducts vulnerability scanning?
Snyk conducts our vulnerability scanning and can be configured to scan any branch. If community members want scanning on specific branches (or all branches), we recommend they incorporate Snyk into their normal CI/CD process to identify and “catch” vulnerabilities early in the development lifecycle (e.g. when the pull request is created), rather than waiting for the portal’s default-branch snapshot.
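One way to wire Snyk into CI/CD so that every pull request is tested before merge, as an added example that is not part of LFX Security or Snyk’s own documentation. It assumes a GitHub Actions repository, a Node.js project, a default branch named main, and a Snyk API token stored as the repository secret SNYK_TOKEN (all assumptions).

```yaml
# Assumed GitHub Actions workflow (example, not LFX/Snyk-provided).
# Runs Snyk on every pull request and on pushes to the default branch,
# so vulnerabilities are caught at PR time instead of only in the portal snapshot.
name: snyk-pr-scan

on:
  pull_request:            # scan the PR head branch when it is opened or updated
  push:
    branches: [main]       # assumption: the repository's default branch is "main"

permissions:
  contents: read           # least privilege: the scan only needs to read the code

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install Snyk CLI
        run: npm install -g snyk

      - name: Test dependencies for known vulnerabilities
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # assumed repository secret
        # Fails the job (and so blocks the PR check) on high or critical findings;
        # lower-severity issues are still listed in the log for triage.
        run: snyk test --severity-threshold=high
```

Make the snyk job a required status check on the default branch so a PR with high-severity findings cannot be merged until they are fixed or formally ignored.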
Who conducts code secrets and non-inclusive word/language scanning?
BluBracket scans our code for secrets and non-inclusive words/language, and has the ability to scan all branches and all history since the beginning of the repository’s life. Soon, they will have an API that will allow us to specify which branch we want to showcase in our portal. Until then, we use their default results. They also provide a scanner for the CI/CD tooling/process, and community members are encouraged to use it as well.