Components that fetch the resources you need to scan.
Clone a Git repository from a remote origin.
Accepts a pURL argument belonging to one of the supported types and generates a dependency file relevant to the type.
Downloads a remote archive from any S3 compatible URL.
This source component lets Smithy download a remote image from any registry.
Components that scan your resources and produce security alerts.
Static code analysis tool for Elixir.
Generate a CycloneDX SBOM from source code.
Secret scanner for repositories.
Sobelow scanner for the Elixir Phoenix Framework.
This scanner scans third-party dependencies of multiple languages. Read more about what it does on the osv-scanner page.
Generate a Dependency-Track report from source code.
SAST scanner that analyses Python source code to look for security issues.
Generate a KICS report from source code.
Analyse Go source code to look for security issues.
DAST scanner that analyses web applications for security issues.
Generate a Trivy report from a Docker image.
Dependency scanner for Golang projects.
Analyse your code with SonarQube Cloud.
Semantic code analysis with CodeQL.
Analyse source code using Semgrep to look for security issues.
MobSFscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. It supports Java, Kotlin, Android XML, Swift and Objective-C code. MobSFscan uses MobSF static analysis rules and is powered by the Semgrep and libsast pattern matchers. It scans source code rather than packaged application files.
MobSF is a static analysis tool that can find insecure code patterns in your Android and iOS source code. It supports Java, Kotlin, Android XML, Swift and Objective-C code. It can scan packaged application files.
Components that enrich your security alerts with more details and turn them into actionable events.
Identifies a code owner for each finding.
Adds context from deps.dev for each third-party dependency.
Adds relevant training resources to findings.
Performs a reachability check on a supplied repository using AppThreat/atom.
Compares multiple inputs and removes duplicates.
Adds knowledge base information (e.g. OWASP Cheat Sheets) to findings.
Enforces security policies defined in OPA for each finding.
Adds information to findings using a language model.
Deduplicates findings from multiple tools.
Adds custom annotations to instances.
Adds security standard information to findings using OpenCRE.
Enricher component that searches Exploit-DB and GitHub for PoCs of exploits related to a specific CVE.
Components that consume and display your security alerts.
Pushes findings to an S3 bucket as PDFs.
Pushes findings to a DefectDojo vulnerability management instance.
Prints findings to stdout in JSON format.
Pushes findings to a Slack channel.
Pushes findings to a Discord channel.
Pushes findings to a Linear ticket.
Opens findings as comments on the corresponding Pull Request on GitHub.
Pushes findings to a Jira instance.
Pushes findings to Sentry.
Pushes findings to an Elasticsearch database.