feature - Proposal to Add Nancy for Vulnerability Scanning in Golang Dependencies #105
Comments
Welcome to the Microcks community! 💖 Thanks and congrats 🎉 for opening your first issue here! Be sure to follow the issue template or please update it accordingly. 📢 If you're using Microcks in your organization, please add your company name to this list. 🙏 It really helps the project to gain momentum and credibility. It's a small contribution back to the project with a big impact. If you need to know why and how to add yourself to the list, please read the blog post "Join the Microcks Adopters list and Empower the vibrant open source Community 🙌" Hope you have a great time there!
@lbroudoux @yada I can integrate Nancy into the workflow. In my opinion, Trivy is a better choice though, given its extensive coverage and ease of integration.
Hey there! No assignation. Push a PR and we'll review.
Pushed a PR, please review it @yada @lbroudoux
This issue has been automatically marked as stale because it has not had recent activity 😴 It will be closed in 30 days if no further activity occurs. To unstale this issue, add a comment with a detailed explanation. There can be many reasons why some specific issue has no activity. The most probable cause is lack of time, not lack of interest. Microcks is a Cloud Native Computing Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under an open governance model. Let us figure out together how to push this issue forward. Connect with us through one of the many communication channels we established here. Thank you for your patience ❤️
Just a newbie question here: is Nancy providing more details/information than the standard Dependabot/GitHub vulnerability scanning? Or is it adding another level of security scanning?
Reason/Context
We need this improvement to ensure the security of our Golang dependencies. Vulnerabilities in dependencies are a common security risk, and adding Nancy to our workflow will help us identify and address these issues early.
Description
We should consider adding Nancy to our workflow for scanning vulnerabilities in Golang dependencies. It's widely used in CNCF projects and can help identify security risks early, improving the overall security of our codebase. I'd love to hear your thoughts on this.
https://github.com/sonatype-nexus-community/nancy
// @yada @lbroudoux
Implementation ideas
No response