Enhance scan workflow to detect repository technologies for vulnerability analysis #1
Open
Overview
The scan.yaml workflow currently only clones the repository but doesn't analyze it. We need to enhance it to detect and document the technologies used in the codebase.
Current State
The workflow in kestra/scan.yaml performs:
- GitHub App authentication via the get_auth_token subflow
- Repository cloning using io.kestra.plugin.git.Clone
Required Enhancements
1. Technology Detection
Add tasks to identify:
- Programming languages (Python, JavaScript, Java, Go, etc.)
- Frameworks (React, Django, Spring, Express, etc.)
- Package managers and dependency files (package.json, requirements.txt, pom.xml, go.mod, etc.)
- Database technologies
- Infrastructure/deployment tools (Docker, Kubernetes, etc.)
- CI/CD configurations
2. Dependency Extraction
Extract specific versions of:
- Core dependencies from package files
- Runtime versions from configuration files
- Third-party libraries and their versions
3. Output Structure
Store the detected information in a structured format (JSON/YAML) containing:
- List of technologies with versions
- Dependency tree
- Configuration files found
- Build/deployment setup
4. Integration Preparation
The output should be easily consumable by a subsequent vulnerability scanning flow that will:
- Search CVE databases for known vulnerabilities
- Check for outdated dependencies
- Identify common misconfigurations
- Find security exploits specific to detected technologies
Implementation Suggestions
- Use file pattern matching to detect technology indicators
- Parse package manager files to extract dependencies
- Leverage existing Kestra plugins or create custom scripts
- Output results as workflow outputs for downstream flows
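As an added illustration of the detection, extraction and output steps requested above (this is example code, not part of the kestra/scan.yaml workflow or the project), the following script profiles a cloned checkout by matching indicator files, parsing requirements.txt and package.json, and returning a JSON-serialisable structure that a Kestra script task could expose as a flow output. The indicator table, the parsers and the sample repository are all constructed assumptions for the example.

```python
import json, os, re, tempfile

# Indicator file name -> technology (constructed list for this example, not exhaustive).
INDICATORS = {"package.json": "Node.js", "requirements.txt": "Python",
              "pom.xml": "Java/Maven", "go.mod": "Go", "Dockerfile": "Docker"}

def parse_requirements(text):
    # 'name==version' lines; unpinned requirements get version None
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("-") and (m := re.match(r"([\w.\-]+)\s*(?:==\s*([^\s;]+))?", line)):
            deps[m.group(1).lower()] = m.group(2)
    return deps

def parse_package_json(text):
    data = json.loads(text)
    return {**data.get("dependencies", {}), **data.get("devDependencies", {})}

PARSERS = {"requirements.txt": parse_requirements, "package.json": parse_package_json}

def profile_repo(root):
    # Walk a cloned checkout and build the structured profile the issue asks for.
    profile = {"technologies": set(), "dependencies": {}, "config_files": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir.startswith(".github/workflows"):
            profile["technologies"].add("GitHub Actions")  # CI/CD configuration present
        for name in filenames:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if name in INDICATORS:
                profile["technologies"].add(INDICATORS[name])
                profile["config_files"].append(rel)
            if name in PARSERS:
                with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                    profile["dependencies"][rel] = PARSERS[name](fh.read())
    profile["technologies"] = sorted(profile["technologies"])  # set -> list, JSON-serialisable
    return profile

def build_sample_repo():
    # Constructed sample checkout used to exercise the detector (not a real repository).
    root = tempfile.mkdtemp()
    files = {"requirements.txt": "django==4.2.1  # web\nrequests\n", "Dockerfile": "FROM python:3.11\n",
             "package.json": '{"dependencies": {"express": "^4.18.2"}}', ".github/workflows/ci.yml": "on: push\n"}
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Running json.dumps(profile_repo(build_sample_repo())) yields the technology list, per-manifest dependency versions and the config files found, which is the shape a downstream CVE-lookup flow can consume directly; unpinned dependencies surface as null versions so the follow-up flow can flag them rather than silently skip them.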
Expected Outcome
A comprehensive technology profile that enables targeted vulnerability scanning in follow-up workflows.