diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index b096c5bf..746c6f41 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,3 +1,4 @@ * @rbell517 @spanglerco @cameronwaterman -/.snyk @chris468 @cameronwaterman @BKnight760 @rbell517 @jattasNI @prestwick +/.snyk @ni/security-scanning-owners +/.wiz @ni/security-scanning-owners diff --git a/.wiz b/.wiz new file mode 100644 index 00000000..31f9213e --- /dev/null +++ b/.wiz @@ -0,0 +1,9 @@ +# Wiz Code global path exclusions for this repository. +# +# NOTE: Both /* and /**/* patterns are required per directory due to a known +# Wiz glob bug (WZ-81029) where /**/* does not match direct children of a +# directory. The /* pattern catches direct children while /**/* catches nested +# files. This duplication can be removed once the bug is fixed. + +ignore: + global_paths: {} diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d8b3f021..2cff0378 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -92,33 +92,11 @@ pytest -m enterprise --enterprise-uri "https://test-api.lifecyclesolutions.ni.co It is important to note that depending on the terminal you are using, you may need to escape special characters in the API key. -## Security scanning with Snyk - -This repository uses [Snyk](https://snyk.io/) for security scanning to identify and -fix vulnerabilities in code before they reach production. Snyk provides Static -Application Security Testing (SAST) that scans your code for security issues as -you develop. - -- **IDE integration**: Install the Snyk extension for - [Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=snyk-security.snyk-vulnerability-scanner) - or - [Visual Studio](https://marketplace.visualstudio.com/items?itemName=snyk-security.snyk-vulnerability-scanner-vs-2022) - to get real-time security feedback while writing code. To suggest the Snyk - extension to contributors, add `.vscode/extensions.json` or `.vsconfig` files - to your project root. The VSCode Snyk extension has a richer feature set and - is the preferred IDE for working with Snyk. -- **Pull request scanning**: Snyk automatically scans PRs and posts comments for - high/critical vulnerabilities. -- **Post-merge monitoring**: Automated bugs are created for unresolved issues - after code is merged. - -**Contributors within NI/Emerson**: For detailed guidance on working with Snyk, -including how to address security issues and create ignore records, see the -[Snyk reference](https://dev.azure.com/ni/DevCentral/_wiki/wikis/Stratus/146862/Snyk-reference). - -**Contributors outside of NI/Emerson**: If you are having issues resolving a -vulnerability Snyk identifies on your PR, consult with a code owner to understand -your options for resolution. +## Security scanning + +**Contributors within NI/Emerson**: See the [security scanning reference](https://dev.azure.com/ni/DevCentral/_wiki/wikis/Stratus/160265/Security-scanning-reference) for information on security scanning tools, workflows, and best practices. + +**Contributors outside of NI/Emerson**: If you are having issues resolving a vulnerability identified on your PR, consult with a code owner to understand your options for resolution. ## Developer Certificate of Origin (DCO)