2nd/10_Wiki/Topics/DevOps_and_Security/SCA.md
2026-05-10 22:08:15 +09:00


---
id: wiki-2026-0508-sca
title: SCA
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases:
  - Software Composition Analysis
  - dependency scanning
  - OSS vulnerability scanning
duplicate_of: none
source_trust_level: A
confidence_score: 0.95
verification_status: applied
tags:
  - security
  - sca
  - dependencies
  - sbom
  - supply-chain
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: multi
  framework: snyk-dependabot-renovate-osv
---

# SCA

## One-liner

"Only 1% of your code is yours; the other 99% is dependencies." SCA (Software Composition Analysis) scans third-party / OSS dependencies to detect known CVEs, license issues, and malicious packages. In 2026 an SBOM (CycloneDX/SPDX) is effectively mandatory, driven by the EU CRA and US EO 14028.

## Key points

### SCA stack

  • manifest scan: package-lock.json, Cargo.lock, go.sum → CVE DB lookup.
  • OSV.dev (Google): unified vuln DB across ecosystems.
  • GitHub Advisory DB: npm-aware, the backbone of Dependabot.
  • Snyk DB: commercial, deeper exploit metadata.

### SBOM formats

  • CycloneDX (OWASP): JSON/XML, vuln-friendly.
  • SPDX (Linux Foundation): license-friendly.
  • 2026 default: CycloneDX 1.5+ JSON.
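The manifest-scan step and the CycloneDX output format above, as an added example that is not part of this wiki page or of any tool it names: a small Python script reads an npm lockfile (a constructed sample is embedded), lists its components, builds a CycloneDX 1.5 JSON document with package URLs, and assembles the request body for OSV.dev's `POST /v1/querybatch` endpoint. Lockfile contents, package names and versions are made up, and the function names are the example's own.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample input: a trimmed npm lockfile (lockfileVersion 3).
# Package names and versions are made up for the example.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/acme-router": {"version": "4.18.2", "license": "MIT"},
    "node_modules/acme-utils": {"version": "4.17.20", "license": "MIT"},
    "node_modules/@acme/types": {"version": "20.11.0", "dev": true, "license": "MIT"},
    "node_modules/acme-router/node_modules/acme-utils": {"version": "3.10.1", "license": "MIT"}
  }
}
""")

Component = Tuple[str, str]  # (name, version)


def parse_lockfile(lock: dict, include_dev: bool = False) -> List[Component]:
    """Extract (name, version) pairs from an npm lockfile's 'packages' map.

    Keys look like 'node_modules/a/node_modules/b'; the package name is the part
    after the last 'node_modules/'. Nested copies with a different version are
    kept as separate components, since each version needs its own CVE lookup.
    """
    seen: Set[Component] = set()
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        if meta.get("dev") and not include_dev:
            continue  # dev-only deps never ship; scan them separately if wanted
        name = path.rsplit("node_modules/", 1)[-1]
        seen.add((name, meta["version"]))
    return sorted(seen)


def purl(name: str, version: str) -> str:
    """Package URL for an npm component; a scope's '@' is percent-encoded per the purl spec."""
    if name.startswith("@"):
        scope, bare = name[1:].split("/", 1)
        return f"pkg:npm/%40{scope}/{bare}@{version}"
    return f"pkg:npm/{name}@{version}"


def to_cyclonedx(components: List[Component], app_name: str, app_version: str) -> dict:
    """Minimal CycloneDX 1.5 JSON document: one 'library' component per dependency.

    The purl doubles as bom-ref so vulnerability reports can point back at a component.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": [
            {"type": "library", "name": n, "version": v, "purl": purl(n, v), "bom-ref": purl(n, v)}
            for n, v in components
        ],
    }


def osv_querybatch(components: List[Component]) -> dict:
    """Request body for OSV.dev's POST /v1/querybatch: one query per component.

    Only the payload is built here (no network call), so it can be inspected,
    cached or replayed in CI without talking to the service.
    """
    return {
        "queries": [
            {"package": {"name": n, "ecosystem": "npm"}, "version": v}
            for n, v in components
        ]
    }


if __name__ == "__main__":
    comps = parse_lockfile(SAMPLE_LOCKFILE)
    print(json.dumps(to_cyclonedx(comps, "demo-app", "1.0.0"), indent=2))
    print(json.dumps(osv_querybatch(comps), indent=2))
```

Two things the generated tools do that this sketch leaves out: real SBOM generators also emit the `dependencies` graph (who pulls in what), and the OSV response must be matched back to components by position in `results`, which is why the query list keeps the sorted order.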

### Applications

  1. PR gate: block any PR that introduces a new high CVE.
  2. Attach the SBOM to the release artifact (sigstore signed).
  3. Weekly bump PRs via Renovate/Dependabot.
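The PR gate in step 1, as an added example that is not from this page or from Dependabot, Renovate or OSV-Scanner: given the component sets of the base and head branches, it scans only what the PR changed and blocks on HIGH/CRITICAL findings, so pre-existing debt on the base branch does not fail unrelated PRs. The advisories are constructed in the shape OSV.dev returns (`affected[].ranges[].events` with `introduced`/`fixed`, severity under `database_specific`); their IDs, package names and versions are placeholders, not real records, and the function names are the example's own.

```python
from typing import Dict, List, Tuple

# Constructed: resolved components (name -> version) on the PR's base and head
# branches, as a real gate would derive them from the two lockfiles.
BASE_COMPONENTS = {"acme-router": "4.18.2", "acme-utils": "4.17.20", "acme-args": "1.2.8"}
HEAD_COMPONENTS = {"acme-router": "4.18.2", "acme-utils": "4.17.21", "acme-args": "1.2.5", "acme-pad": "1.3.0"}

# Constructed advisories in OSV.dev's response shape. IDs, packages and
# versions are placeholders for the example, not real vulnerability records.
ADVISORIES = [
    {
        "id": "EXAMPLE-2026-0001",
        "affected": [{"package": {"ecosystem": "npm", "name": "acme-args"},
                      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.6"}]}]}],
        "database_specific": {"severity": "HIGH"},
    },
    {
        "id": "EXAMPLE-2026-0002",
        "affected": [{"package": {"ecosystem": "npm", "name": "acme-utils"},
                      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}],
        "database_specific": {"severity": "HIGH"},
    },
    {
        "id": "EXAMPLE-2026-0003",
        "affected": [{"package": {"ecosystem": "npm", "name": "acme-pad"},
                      "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.0.0"}, {"fixed": "1.3.1"}]}]}],
        "database_specific": {"severity": "LOW"},
    },
]

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}
Finding = Tuple[str, str, str, str]  # (package, version, advisory id, severity)


def semver_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple for comparing plain MAJOR.MINOR.PATCH; pre-release/build suffixes are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def in_range(version: str, events: List[dict]) -> bool:
    """True if version is inside an OSV SEMVER range: >= introduced and < fixed.

    Events come as ordered introduced/fixed pairs; a trailing 'introduced' with
    no 'fixed' means every later version is still affected.
    """
    v = semver_key(version)
    lo = None
    for ev in events:
        if "introduced" in ev:
            lo = semver_key(ev["introduced"])
        elif "fixed" in ev and lo is not None:
            if lo <= v < semver_key(ev["fixed"]):
                return True
            lo = None
    return lo is not None and v >= lo


def changed_components(base: Dict[str, str], head: Dict[str, str]) -> Dict[str, str]:
    """Components that are new or re-versioned in head; the gate scans only these."""
    return {n: v for n, v in head.items() if base.get(n) != v}


def findings(components: Dict[str, str], advisories: List[dict]) -> List[Finding]:
    """Every (package, version, advisory, severity) where the component sits in an affected range."""
    out: List[Finding] = []
    for adv in advisories:
        sev = adv.get("database_specific", {}).get("severity", "UNKNOWN")
        for aff in adv["affected"]:
            name = aff["package"]["name"]
            if aff["package"]["ecosystem"] != "npm" or name not in components:
                continue
            version = components[name]
            if any(r["type"] == "SEMVER" and in_range(version, r["events"]) for r in aff["ranges"]):
                out.append((name, version, adv["id"], sev))
    return out


def pr_gate(base: Dict[str, str], head: Dict[str, str], advisories: List[dict]) -> Tuple[bool, List[Finding]]:
    """Return (blocked, blocking findings): only HIGH/CRITICAL hits on changed components block."""
    new_findings = findings(changed_components(base, head), advisories)
    blocking = [f for f in new_findings if f[3] in BLOCKING_SEVERITIES]
    return bool(blocking), blocking


if __name__ == "__main__":
    blocked, hits = pr_gate(BASE_COMPONENTS, HEAD_COMPONENTS, ADVISORIES)
    for pkg, ver, adv_id, sev in hits:
        print(f"{sev}: {pkg}@{ver} is affected by {adv_id}")
    raise SystemExit(1 if blocked else 0)
```

In the sample the PR upgrades `acme-utils` past its fix but downgrades `acme-args` into a HIGH range, so the gate fails on the downgrade alone; the LOW finding on the newly added `acme-pad` is reported but does not block. In a real gate the two dicts come from the base and head lockfiles and the advisories from the OSV querybatch response; the range check only understands plain MAJOR.MINOR.PATCH versions.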

## 💻 Patterns

### Dependabot config

```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule: { interval: weekly }
    groups:
      minor-and-patch:
        update-types: [minor, patch]
    open-pull-requests-limit: 10
  - package-ecosystem: github-actions
    directory: /
    schedule: { interval: monthly }
```

### Renovate group + auto-merge

```json5
{
  extends: ['config:base', ':semanticCommits'],
  packageRules: [
    {
      matchUpdateTypes: ['patch', 'minor'],
      matchCurrentVersion: '!/^0/',
      automerge: true,
      automergeType: 'pr',
      platformAutomerge: true,
    },
    { matchPackagePatterns: ['^@types/'], groupName: 'types' },
  ],
  vulnerabilityAlerts: { enabled: true, labels: ['security'] },
}
```

### Generate a CycloneDX SBOM (npm)

```bash
npx @cyclonedx/cyclonedx-npm --output-format json --output-file sbom.json
cosign sign-blob --yes sbom.json --output-signature sbom.sig
```

### OSV-Scanner (Go)

```yaml
name: OSV
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google/osv-scanner-action@v1
        with:
          scan-args: |-
            --lockfile=package-lock.json
            --lockfile=go.sum
            --format=sarif
            --output=osv.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with: { sarif_file: osv.sarif }
```

### License gate

```bash
npx license-checker --production --excludePackages="$(cat allowed.txt)" \
  --failOn 'GPL-3.0;AGPL-3.0' --json > licenses.json
```

### Detect malicious packages (Socket-style)

```yaml
- name: Socket Security
  uses: SocketDev/socket-security-action@v1
  with: { api-token: ${{ secrets.SOCKET_TOKEN }} }
```

## Decision criteria

| Situation | Tool |
|---|---|
| GitHub repo, free | Dependabot + OSV-Scanner |
| polyrepo enterprise | Snyk + Renovate |
| supply-chain risk (typosquats) | Socket + Snyk |
| compliance (FedRAMP, EU CRA) | CycloneDX SBOM + cosign sign |

Default: Renovate + OSV-Scanner + CycloneDX SBOM (signed).

## 🔗 Graph

## 🤖 LLM usage

When: vuln triage (exploitability scoring), changelog summarization for upgrades, breaking-change detection in PRs. When not: auto-merging high-CVE patches without review.

## Anti-patterns

  • Pin everything forever: stale deps are more vulnerable.
  • Auto-merge majors: breaking changes escape to prod.
  • No SBOM: incident response starts with grep, which is too late.
  • Scan only on release: the dev branch gets weeks of exposure.

## 🧪 Verification / duplicates

  • Verified (OSV.dev docs, CycloneDX 1.5 spec, GitHub Dependabot 2026, Renovate docs).
  • Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: modern SCA + SBOM patterns |