...
https://github.com/hyperledger/besu/security/dependabot
LGTM
running on PRs
CodeQL analysis
This doesn't provide anything better than SonarCloud.
Running on main (3324), it took 19 minutes: https://github.com/hyperledger/besu/runs/4933198025?check_suite_focus=true
Trivy
Teku uses Trivy to scan its develop Docker images, so the scan results include only runtime dependencies, not build or test dependencies. See https://github.com/ConsenSys/teku/blob/master/.circleci/config.yml
...
Useful, but we don't want to gate PRs on this.
There is also a Homebrew option.
Maven central
Maven Central does an OK job of pointing out some CVEs: https://mvnrepository.com/artifact/org.hyperledger.besu.internal/eth/21.10.6
...