- Regular (at least annual) penetration tests by third-party providers
- Immediate correction of any identified critical vulnerabilities
- CI/CD pipeline includes:
  - SAST (Semgrep)
  - Dependency scanning (Gemnasium)
  - Container scanning (Trivy)
  - Secret detection (Gitleaks)
  - License scanning (License Finder)
  - SonarQube code analysis
- Runtime scanning of application workloads
- Results are not publicly shared, but a security statement certificate may be provided upon request, subject to execution of a Non-Disclosure Agreement
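The list above names the scanners in the pipeline but not how they are wired together or how "immediate correction" of critical findings is enforced. The following `.gitlab-ci.yml` is an added example, not the organization's own configuration: it includes GitLab's bundled security templates (whose default analyzers are Semgrep, Gemnasium, Trivy, Gitleaks and License Finder, matching the tools named above), adds a SonarQube scan job, and adds a gate job that fails the pipeline when any scanner report contains a Critical finding, so that a critical vulnerability cannot be merged until it is fixed. Stage names, the `sonarqube` and `critical-gate` jobs, the image tags and the `CS_IMAGE` value are assumptions for illustration; the `License-Scanning` template has been deprecated in recent GitLab releases.

```yaml
# Added example (not the organization's actual pipeline). Wires the scanners
# listed on the page into a GitLab CI pipeline and gates on Critical findings.
stages:
  - build
  - test
  - security-gate

include:
  - template: Security/SAST.gitlab-ci.yml                 # Semgrep
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # Gemnasium
  - template: Security/Container-Scanning.gitlab-ci.yml   # Trivy
  - template: Security/Secret-Detection.gitlab-ci.yml     # Gitleaks
  - template: Security/License-Scanning.gitlab-ci.yml     # License Finder

variables:
  # Assumption: the image to scan was pushed to the project registry by a
  # build job earlier in this pipeline.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # Scan the branch history, not only the latest commit, so a secret that was
  # committed and then "removed" in a later commit is still caught.
  SECRET_DETECTION_HISTORIC_SCAN: "true"

# SonarQube is not a GitLab template; this job (assumed) runs the scanner CLI
# and waits for the server-side quality gate result.
sonarqube:
  stage: test
  image: sonarsource/sonar-scanner-cli:latest
  variables:
    SONAR_HOST_URL: "$SONAR_HOST_URL"   # both set as protected, masked CI/CD variables
    SONAR_TOKEN: "$SONAR_TOKEN"
  script:
    - sonar-scanner -Dsonar.qualitygate.wait=true

# GitLab's scanner jobs do not fail on findings by themselves. This assumed
# gate job reads their JSON reports (GitLab security report schema: every
# entry in .vulnerabilities[] carries a .severity) and fails the pipeline if
# any Critical finding is present. It relies on the scanners' report
# artifacts being downloadable by later jobs.
critical-gate:
  stage: security-gate
  image: alpine:3.19
  needs:
    # optional: true so the gate still runs when a scanner job is skipped by
    # the template's rules (e.g. no Dockerfile, so no container scan).
    - job: semgrep-sast
      optional: true
    - job: gemnasium-dependency_scanning
      optional: true
    - job: container_scanning
      optional: true
    - job: secret_detection
      optional: true
  before_script:
    - apk add --no-cache jq
  script:
    - |
      total=0
      for report in gl-sast-report.json \
                    gl-dependency-scanning-report.json \
                    gl-container-scanning-report.json \
                    gl-secret-detection-report.json; do
        [ -f "$report" ] || continue
        n=$(jq '[.vulnerabilities[]? | select(.severity == "Critical")] | length' "$report")
        echo "$report: $n critical finding(s)"
        total=$((total + n))
      done
      if [ "$total" -gt 0 ]; then
        echo "Blocking merge: $total critical finding(s) must be fixed first"
        exit 1
      fi
```

The gate only counts Critical severity because that is what the page commits to fixing immediately; extending the `select` to `"High"` is a one-word change. Findings that have been triaged as false positives in the GitLab vulnerability report still appear in the raw job artifacts, so a team using this gate needs a dismissal mechanism (for example an allow-list of finding identifiers checked in the same script) or GitLab's own scan result policies instead.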