How to integrate static security scanners with woodpecker ci?

[moonmanious]

How do we integrate snyk or veracode or any similar security tools that analyze codes to ci pipelines? Developers commit code and code analyzed for vulnerabilities.

[anbraten]

This is the config woodpecker uses itself for using trivy: https://github.com/woodpecker-ci/woodpecker/blob/main/.woodpecker/securityscan.yml

[moonmanious]

If we want to use another sast or dast do we need to change the "variables" & "image"? Doesn't look straightforward because snyk e.g. requires a token, so where do we put it?
The issue is that trivy doesn't scan the code that the developers just wrote themselves. It would detect if an image has vulnerabilities e.g. and detect any leaked secrets. What about developers forgetting to sanitize input. Snyk detects that.

[qwerty287]

You just need a docker image that contains the snyk binary (or any other tool you want to use) and run this binary using the commands section. For tokens you can use secrets.