Thank you for taking the time to read my query.
As a new FOD customer, we are looking into how best to integrate FOD into our SDLC and were wondering if you could provide some insight.
At the moment we are looking at doing a scan per pull request, however, we are unsure how best to do so.
Based on our findings, we would have to create a new development release for every pull request. However, unless we do so manually, it appears that the only way to automate this from our CI is to call your API via a custom script.
Furthermore, there is the concern of how much time each release will take to finish scanning. Does the initial scan for a new release take longer than a subsequent scan for one that already exists?
Lastly, if a PR fails as a result of not meeting our FOD policy, would you expect a security lead/project manager to triage these findings before the developer responsible for the PR branch attempts to fix anything? Also since we know who created the PR, would it be possible to automate the vulnerability assignment process?
Please feel free to suggest otherwise.