Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This is a great feature! The company I work for has spent a lot of money trying to use Snyk for this purpose, but it really sucks, and chokes on most of our Go repos go.mod files meaning some of our most important repositories are blind for vulnerability scanning.

We don't get the static code analysis feature from Snyk (where vulnerabilities are raised only when they affect us), because this is an optional paid extra. Now we get it for free!

Snyk really need to up their game with their lacklustre Go support to compete with free.



Note: I run a vuln scanning company in this space (our GitHub[0]), so I can add some context to this.

GitHub has this for Dependabot via CodeQL which is a part of their "Advanced Security" package. ($$$, ie "contact us", but I've heard ~$1-1.5k per dev per year roughly)

Other big ones are SonaType, FOSSA, and Snyk (which OP mentioned). There are some smaller vendors too which I can add if anybody is curious.

GitHub CodeQL is by far the best and their tech comes from their acquisition of Semmle/LGTM a few years ago. When I was at Uber, we used Semmle to augment the efforts of the bug bounty and to "scale" our AppSec team to keep up with an ever growing engineering team.

The lack of flexibility with CodeQL and the other proprietary scanning tools is actually the reason why, when I decided to start a security company, I decided to center the company around building publicly on GitHub.

It's harder to make money, at least initially, but it's also the "right" choice to actually push this industry forward. (The thought on how to make money is a hosted SaaS, of course.)

Anyway, I'm happy to answer any questions around this stuff!

0: https://github.com/lunasec-io/lunasec




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: