Components that fetch the resources which you need to scan.
Clones any git repository, whether hosted on GitHub, Bitbucket, GitLab, Azure or elsewhere.
Integrates with your GitHub PR and push events for event-driven workflow executions.
Accepts a pURL argument belonging to one of the supported types and generates a dependency file appropriate to that type.
Downloads an archive from an S3-compatible API.
Downloads a remote image from any registry.
Components that scan your resources and produce security alerts.
Static application security testing for Python source code.
Static code analysis for infrastructure as code. Finds misconfigurations that may lead to security or compliance problems. Policy as code.
Static code analysis tool for Elixir source code.
GitHub CodeQL: semantic static analysis for code.
Generates a CycloneDX SBOM from source code, then sends it to Dependency Track.
Static code analysis scanner for the Elixir Phoenix Framework.
Scans third party dependencies of multiple languages.
Uploads CycloneDX SBOMs to Dependency Track.
Static analysis for infrastructure as code.
Static analysis for Go code vulnerabilities.
Dynamic application security scanner that analyses web applications for security issues.
Scan for vulnerabilities and misconfigurations in code repositories, binary artifacts, container images and Kubernetes clusters.
Scans dependencies for Go projects.
Static analysis and Software Composition Analysis for your code. Uses SonarQube Cloud.
Static analysis for source code.
Static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Android XML, Swift and Objective-C code. mobsfscan uses MobSF static analysis rules and is powered by the semgrep and libsast pattern matchers. It scans source code rather than packaged applications.
Static analysis tool that can find vulnerabilities in your Android and iOS applications. It scans packaged application files.
Components that enrich your security alerts with more details and turn them into actionable events.
Identifies a code owner for each finding.
Adds context from deps.dev for each third-party dependency.
Adds relevant training resources to findings.
Performs a reachability check on a supplied repository using AppThreat/atom.
Compares multiple findings, removes duplicates and categorises them into issues, locations and vulnerabilities.
Adds knowledge base information (e.g. OWASP Cheat Sheets) to findings.
Enforces security policies defined in OPA for each finding.
Adds information to findings using a language model.
Deduplicates findings from multiple tools.
Adds custom annotations to instances.
Adds security standard information to findings using OpenCRE.
Enricher component that searches Exploit-DB and GitHub for proof-of-concept exploits related to a specific CVE.
Components that consume and display your security alerts.
Generates a detailed PDF report and uploads it to an S3-compatible bucket.
Pushes findings to a DefectDojo vulnerability management instance.
Prints findings to stdout in JSON format.
Pushes short finding alerts to Slack.
Pushes short finding alerts to Discord.
Creates tickets with finding details in Linear.
Posts findings as comments on open GitHub pull requests.
Creates tickets with finding details in Jira.
Creates events in a Sentry project for vulnerability findings.
Pushes findings to a remote Elasticsearch instance.
Sends raw OCSF findings in proto format to a configured Kafka topic.