Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion .circleci/config.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
version: 2.1

orbs:
security-hunter: akeneo-orbs/security-hunter@2.16.0
security-hunter: akeneo-orbs/security-hunter@2.18.3

aliases:
- &dockerExecutorWithPython
Expand Down Expand Up @@ -40,9 +40,16 @@ workflows:
checkout_code: false
requires:
- checkout-with-persist
- security-hunter/scan-pipeline-mutable-tags:
name: "secops/mutable-tags/scan"
context: SECOPS_SQUAD
checkout_code: false
requires:
- checkout-with-persist
- build:
requires:
- secops/secrets/scan
- secops/mutable-tags/scan
- workflow_success:
requires:
- build
Expand Down
34 changes: 6 additions & 28 deletions content/app-portal/publish-your-app.md
Original file line number Diff line number Diff line change
Expand Up @@ -290,38 +290,16 @@ Because your app will either pull data from Akeneo to external services or push

### Security Publication Process

Before any app is accepted into our App Store, Akeneo's security team will perform a review of your app / organization. This security analysis can be carried out in several ways
- Code Scanning by Akeneo OR Security Audit performed on your end
- Security Questionnaire to fill
To ensure the safety of our ecosystem, all apps and organizations must pass a security review before joining the Akeneo App Store. We evaluate your security maturity through a questionnaire covering four core areas:

#### Code Scanning
The review will entail a source code scan of your integration to be submitted during the security review (see below). This scan will entail:

- Source Composition Analysis to detect vulnerabilities on the dependencies your code is using.
- Secrets Scanning to detect potential secret management security flaws.
- OWASP Top 10-based Static Application Security Testing (SAST).
- Docker image vulnerability scanning if applicable.

If a potential security issue is detected on your app during the tests, we'll notify you to help you quickly address the issue and help keep your users safe.

::: warning
**Important**: In order to check the security of your app, you must deliver your app code to Akeneo. **Akeneo commits to not sharing your source code with any third party, and to deleting it once the scan has been completed**.
:::

#### Proof of Security Audit

If you performed a audit (web assessment or penetration test) on your integration during the last year, you can also provide an executive summary of the audit to replace the code scanning.

#### Security Questionnaire

The questionnaire is used to assess your level of maturity in terms of application security such as :
- Secure software development lifecycle (SDLC) measures & processes
- Vulnerability Management
- Company security policies & certifications
- Security in development
- Network security
- Observability & incident management
- Security policies & processes

### Submitting your app for the Security Review

To submit your App for the Security Review, please create a ticket [here](https://akeneo.atlassian.net/servicedesk/customer/portal/8/group/113).
To initiate your security review, please submit a request by creating a ticket [here](https://akeneo.atlassian.net/servicedesk/customer/portal/8/group/113).

## You must guarantee a certain level of service related to your app

Expand Down