DevSecOps – OWASP Dependency-Check Scan

1.   Purpose

This document explains the types of DevSecOps scans and how they identify potential security threats and vulnerabilities in the code that is built into the application Docker container and deployed to a GKE, AKS or EKS cluster.

2.   Scope

This document explains how open-source dependency package scanning works.

–> Open-source package Dependency-Check scan for the code build.

3.   OWASP Dependency-Check Scan

A Dependency-Check scan detects known vulnerabilities in the open-source packages that are downloaded to build the application code.

–> Adding the script that performs the scan.

All released versions of the scanner, for any application code base, can be found at the link below:

https://github.com/jeremylong/DependencyCheck/releases

Step 1: download the zip file of the latest Dependency-Check release (8.1.0 in the link below):

https://github.com/jeremylong/DependencyCheck/releases/download/v8.1.0/dependency-check-8.1.0-release.zip

Step 2: unzip the archive.

Step 3: execute the command below, which scans all the JAR files of your code (Dependency-Check expands the '*.jar' pattern itself, so keep the quotes):

dependency-check/bin/dependency-check.sh --scan '*.jar' --project "<project name>" -o "<output directory for the report>"

The report can be stored as HTML, JSON or XML (chosen with the --format option); Dependency-Check supports several other report formats as well.

Once the above command has been executed, the tool scans the dependencies for known vulnerabilities and generates a report in HTML, JSON or XML format.

HTML Report of Application code
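The three steps above, carried through as a single pipeline script, plus the check a CI job actually needs afterwards: reading the JSON report and failing the build when a dependency carries a finding at or above a chosen severity. This is an added example, not code from the original page or from the Dependency-Check project; it assumes the 8.1.0 release URL quoted above, that the JSON report is written as `dependency-check-report.json` inside the output directory, and the constructed sample report and placeholder CVE ids embedded below.

```python
"""Install OWASP Dependency-Check, scan a build directory and gate on the report."""
import json
import subprocess
import urllib.request
import zipfile
from pathlib import Path

DC_VERSION = "8.1.0"  # release used in the steps above
DC_URL = ("https://github.com/jeremylong/DependencyCheck/releases/download/"
          f"v{DC_VERSION}/dependency-check-{DC_VERSION}-release.zip")

# Severity strings as Dependency-Check writes them, ranked for the gate.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def install_dependency_check(dest: Path) -> Path:
    """Steps 1 and 2: download the release zip and unpack it; returns the CLI path."""
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"dependency-check-{DC_VERSION}-release.zip"
    if not archive.exists():
        urllib.request.urlretrieve(DC_URL, archive)
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(dest)  # the zip unpacks into dest/dependency-check/
    cli = dest / "dependency-check" / "bin" / "dependency-check.sh"
    cli.chmod(0o755)
    return cli


def build_scan_command(cli, scan_path, project, out_dir, fmt="JSON"):
    """Step 3 as an argv list: no shell=True, so odd file names cannot inject flags."""
    return [str(cli), "--scan", str(scan_path), "--project", project,
            "--out", str(out_dir), "--format", fmt]


def run_scan(cli: Path, scan_path: str, project: str, out_dir: Path) -> Path:
    """Run the scanner and return the path of the JSON report it writes."""
    out_dir.mkdir(parents=True, exist_ok=True)
    subprocess.run(build_scan_command(cli, scan_path, project, out_dir, "JSON"),
                   check=True)
    return out_dir / "dependency-check-report.json"


def findings_at_or_above(report: dict, threshold: str = "HIGH"):
    """Return (fileName, cve, severity) for each finding at or above threshold."""
    limit = SEVERITY_RANK[threshold.upper()]
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            sev = str(vuln.get("severity", "")).upper()
            if SEVERITY_RANK.get(sev, 0) >= limit:
                hits.append((dep.get("fileName"), vuln.get("name"), sev))
    return hits


def gate_on_report(report_path: Path, threshold: str = "HIGH") -> bool:
    """True when the build may proceed, False when blocking findings exist."""
    with open(report_path, encoding="utf-8") as fh:
        report = json.load(fh)
    hits = findings_at_or_above(report, threshold)
    for file_name, cve, sev in hits:
        print(f"BLOCKING {sev:<8} {cve:<16} in {file_name}")
    return not hits


# Constructed sample shaped like a Dependency-Check JSON report; the CVE ids
# are placeholders, not real identifiers.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "app-lib-a.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "CRITICAL"},
            {"name": "CVE-0000-0002", "severity": "LOW"}]},
        {"fileName": "app-lib-b.jar", "vulnerabilities": [
            {"name": "CVE-0000-0003", "severity": "HIGH"}]},
        {"fileName": "app-lib-c.jar"},  # clean dependency, no findings
    ]
}

if __name__ == "__main__":
    # Placeholder paths; adjust to the real build output and report location.
    cli = install_dependency_check(Path("tools"))
    report = run_scan(cli, "build/libs/*.jar", "<project name>", Path("reports"))
    raise SystemExit(0 if gate_on_report(report, "HIGH") else 1)
```

The gate keeps the policy in the pipeline rather than in the scanner: `findings_at_or_above` works on the parsed report, so the same function can be pointed at the report of any earlier run. Dependency-Check also offers a built-in `--failOnCVSS <score>` option that makes the CLI itself return a non-zero exit code; the report-based check is useful when the threshold is expressed by severity label or when the report is reviewed in a separate job from the scan.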


MFH IT Solutions (Regd No -LIN : AP-03-46-003-03147775)
