# Security tooling and processes

This page contains information on tools and processes we run within the Security
team.

If you want to document sensitive information, you can either:

- Store it in [Google Drive](https://docs.google.com/document/d/10oocqojeIM0uZpcOl6L76afDYj3-MLsFxRK2jhOg93E/).
- Add it to the `docs` folder in the [infrastructure repository](https://github.com/sourcegraph/infrastructure/tree/main/security/docs).
  This option is better for technical documentation.

## Processes

- [Blocking IPs in Cloudflare](https://docs.google.com/document/d/17FV8pjbJNrhAtW9lvGIbJ1jSkXe0mRw4ci7w0084RBE/edit#heading=h.jpz7uaphhdtk)

## SAST scanning

We use a combination of tools within the team to cover a number of different types
of vulnerability.

- We use [Checkov](./checkov.md) to scan our Terraform infrastructure.
- We use [Trivy](./trivy/index.md) to scan containers for issues with dependencies.
- We use [SonarCloud](./sonarcloud.md) to scan our code in `sourcegraph/sourcegraph` for vulnerabilities


<section class="h0Wrapper headingWrapper"><section class="h1Wrapper headingWrapper"><h1 id="security-tooling-and-processes"><a class="anchor" aria-hidden tabindex="-1" href="#security-tooling-and-processes"><span class="icon icon-link"></span></a>Security tooling and processes</h1>
<p>This page contains information on tools and processes we run within the Security
team.</p>
<p>If you want to document sensitive information, you can either:</p>
<ul>
<li>Store it in <a href="https://docs.google.com/document/d/10oocqojeIM0uZpcOl6L76afDYj3-MLsFxRK2jhOg93E/">Google Drive</a>.</li>
<li>Add it to the <code>docs</code> folder in the <a href="https://github.com/sourcegraph/infrastructure/tree/main/security/docs">infrastructure repository</a>.
This option is better for technical documentation.</li>
</ul>
<section class="h2Wrapper headingWrapper"><h2 id="processes"><a class="anchor" aria-hidden tabindex="-1" href="#processes"><span class="icon icon-link"></span></a>Processes</h2>
<ul>
<li><a href="https://docs.google.com/document/d/17FV8pjbJNrhAtW9lvGIbJ1jSkXe0mRw4ci7w0084RBE/edit#heading=h.jpz7uaphhdtk">Blocking IPs in Cloudflare</a></li>
</ul>
</section><section class="h2Wrapper headingWrapper"><h2 id="sast-scanning"><a class="anchor" aria-hidden tabindex="-1" href="#sast-scanning"><span class="icon icon-link"></span></a>SAST scanning</h2>
<p>We use a combination of tools within the team to cover a number of different types
of vulnerability.</p>
<ul>
<li>We use <a href="./checkov">Checkov</a> to scan our Terraform infrastructure.</li>
<li>We use <a href="trivy/">Trivy</a> to scan containers for issues with dependencies.</li>
<li>We use <a href="./sonarcloud">SonarCloud</a> to scan our code in <code>sourcegraph/sourcegraph</code> for vulnerabilities</li>
</ul></section></section></section>