DevSecOps Pipeline using free SAST, DAST and SCA tools
This GitHub Action runs Snyk, SonarCloud and ZAP on your repository to check for security issues and vulnerabilities in your code and your third-party dependencies.
This is provided by Snyk, all you need is a Snyk account and add the Snyk token as a secret.
This is provided by SonarCloud, the SaaS version of SonarQube, all you need is a SonarCloud account and add the Sonar token as a secret. Also need to create the to your repository root.
This is provided by ZAP, an open-source web proxy tool. We are only leveraging the Automated Scanning features of ZAP. You only need to point ZAP to scan the application once it is built.
SonarCloud GHA -
Snyk GHA -