diff --git a/.circleci/config.yml b/.circleci/config.yml index e7729692e..de175e199 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,7 +1,7 @@ version: 2.1 orbs: - security-hunter: akeneo-orbs/security-hunter@2.16.0 + security-hunter: akeneo-orbs/security-hunter@2.18.3 aliases: - &dockerExecutorWithPython @@ -40,9 +40,16 @@ workflows: checkout_code: false requires: - checkout-with-persist + - security-hunter/scan-pipeline-mutable-tags: + name: "secops/mutable-tags/scan" + context: SECOPS_SQUAD + checkout_code: false + requires: + - checkout-with-persist - build: requires: - secops/secrets/scan + - secops/mutable-tags/scan - workflow_success: requires: - build diff --git a/content/app-portal/publish-your-app.md b/content/app-portal/publish-your-app.md index 38f9b6305..73e714560 100644 --- a/content/app-portal/publish-your-app.md +++ b/content/app-portal/publish-your-app.md @@ -290,38 +290,16 @@ Because your app will either pull data from Akeneo to external services or push ### Security Publication Process -Before any app is accepted into our App Store, Akeneo's security team will perform a review of your app / organization. This security analysis can be carried out in several ways -- Code Scanning by Akeneo OR Security Audit performed on your end -- Security Questionnaire to fill +To ensure the safety of our ecosystem, all apps and organizations must pass a security review before joining the Akeneo App Store. We evaluate your security maturity through a questionnaire covering four core areas: -#### Code Scanning -The review will entail a source code scan of your integration to be submitted during the security review (see below). This scan will entail: - -- Source Composition Analysis to detect vulnerabilities on the dependencies your code is using. -- Secrets Scanning to detect potential secret management security flaws. -- OWASP Top 10-based Static Application Security Testing (SAST). -- Docker image vulnerability scanning if applicable. - -If a potential security issue is detected on your app during the tests, we'll notify you to help you quickly address the issue and help keep your users safe. - -::: warning -**Important**: In order to check the security of your app, you must deliver your app code to Akeneo. **Akeneo commits to not sharing your source code with any third party, and to deleting it once the scan has been completed**. -::: - -#### Proof of Security Audit - -If you performed a audit (web assessment or penetration test) on your integration during the last year, you can also provide an executive summary of the audit to replace the code scanning. - -#### Security Questionnaire - -The questionnaire is used to assess your level of maturity in terms of application security such as : -- Secure software development lifecycle (SDLC) measures & processes -- Vulnerability Management -- Company security policies & certifications +- Security in development +- Network security +- Observability & incident management +- Security policies & processes ### Submitting your app for the Security Review -To submit your App for the Security Review, please create a ticket [here](https://akeneo.atlassian.net/servicedesk/customer/portal/8/group/113). +To initiate your security review, please submit a request by creating a ticket [here](https://akeneo.atlassian.net/servicedesk/customer/portal/8/group/113). ## You must guarantee a certain level of service related to your app