Harbormaster Integrated Security & Compliance
Security and compliance are crucial, and there is no better time to consider both than from the start. Harbormaster ensures that the projects it generates use the latest secure dependencies.
A software project naturally depends on external libraries. In the Harbormaster architecture, these dependencies are defined in the build process contained in a tech stack.
For instance, an Angular tech stack draws on third-party NPM packages to help the resulting application accomplish its tasks. These libraries originate outside the project and are considered application dependencies; they therefore introduce the possibility of vulnerabilities and compliance violations.
How It Works
To maximize the security of any application resulting from Harbormaster Project Generation, each tech stack published to the platform is checked weekly. Checking a tech stack involves generating a project from a generic model, using CircleCI as the CI/CD platform, an appropriate Dockerfile, and JFrog. JFrog matters because JFrog Artifactory serves as the source of application dependencies and as the repository that stores the resulting Docker image, and JFrog Xray scans the contents of that Docker image for high-severity security vulnerabilities and compliance violations. If any are discovered, the tech stack author (e.g. firstname.lastname@example.org, email@example.com, etc.) is notified by email with the report provided by JFrog. Importantly, the Harbormaster Platform also notifies the creators of any projects previously generated with that tech stack.
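The weekly check described above, expressed as an illustrative CircleCI pipeline that resolves NPM packages through Artifactory, pushes the image to Artifactory and fails the job when Xray flags a policy violation. This is an added example, not Harbormaster's own configuration; the repository names (npm-remote, docker-local), the server URL, the ART_TOKEN secret and the build name are assumptions.

```yaml
version: 2.1

jobs:
  build-scan-publish:
    machine:
      image: ubuntu-2204:current      # assumed to provide docker, node and npm
    environment:
      ART_URL: https://artifactory.example.com   # assumed JFrog Platform URL
      BUILD_NAME: tech-stack-weekly-check        # assumed build-info name
    steps:
      - checkout
      - run:
          name: Install and configure JFrog CLI
          command: |
            curl -fL https://install-cli.jfrog.io | sh
            # ART_TOKEN is an assumed CircleCI project/context secret
            jf config add harbormaster --url="$ART_URL" \
              --access-token="$ART_TOKEN" --interactive=false
      - run:
          name: Resolve NPM dependencies from Artifactory only
          command: |
            # Point npm at the remote (proxying) repository so every package
            # is cached in Artifactory and visible to Xray via build-info.
            jf npm-config --repo-resolve=npm-remote
            jf npm install --build-name="$BUILD_NAME" --build-number="$CIRCLE_BUILD_NUM"
      - run:
          name: Build the image and push it to Artifactory
          command: |
            IMAGE="artifactory.example.com/docker-local/generated-app:$CIRCLE_BUILD_NUM"
            docker build -t "$IMAGE" .
            jf docker push "$IMAGE" docker-local \
              --build-name="$BUILD_NAME" --build-number="$CIRCLE_BUILD_NUM"
            jf rt build-publish "$BUILD_NAME" "$CIRCLE_BUILD_NUM"
      - run:
          name: Xray scan of the published build
          command: |
            # --fail exits non-zero when an Xray Watch policy (for example,
            # "fail on High severity") is violated, so the job goes red.
            jf build-scan "$BUILD_NAME" "$CIRCLE_BUILD_NUM" --fail=true

workflows:
  weekly-tech-stack-check:
    triggers:
      - schedule:
          cron: "0 3 * * 1"           # every Monday at 03:00 UTC
          filters:
            branches:
              only: main
    jobs:
      - build-scan-publish
```

The severity threshold lives in the Xray Watch and Policy attached to docker-local and the build, not in the pipeline, so tightening it requires no CI change.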