Whitespots Wiki
Scanners

The AppSec Portal uses a variety of importers to integrate with popular scanners

Last updated 9 months ago

To configure a scanner, please refer to the scanner settings section.

Here are the details of each importer supported by AppSec Portal.

Code scanners:

  • Bandit: imports scan results from the Bandit Scanner and GitLab Bandit scanner. Bandit is a tool for finding security issues in Python code. It checks Python code for common security issues such as hardcoded passwords, SQL injection, and more.

  • Checkov: imports scan results from the Checkov Scanner, which is a tool for finding security issues in Infrastructure as Code. It provides static analysis of Terraform, CloudFormation, and Kubernetes code to identify misconfigurations and potential security issues.

  • CodeQL: imports scan results from the CodeQL Scanner, which is a tool for analyzing source code to find security vulnerabilities such as SQL injection, cross-site scripting (XSS), buffer overflows, and more.

  • ESLint: imports scan results from the ESLint Scanner and GitLab ESLint. ESLint is a tool for finding security issues in JavaScript code. It checks JavaScript code for common security issues such as cross-site scripting (XSS), SQL injection, and more.

  • Gemnasium: imports scan results from the GitLab Gemnasium Scanner, which is a tool that identifies vulnerabilities and security issues within project dependencies.

  • Gosec: imports scan results from the Gosec Scanner, which is a tool for finding security issues in Go code. It helps identify potential security vulnerabilities in Go code.

  • Hadolint: imports scan results from the Hadolint Dockerfile Check Scanner, a Dockerfile linter that checks Dockerfile syntax correctness, adherence to best practices, and potential issues related to Docker image creation. It focuses on code quality and conformity to Dockerfile standards, aiding in the creation of secure and well-structured Docker images.

  • KICS: imports scan results from the GitLab KICS Scanner (Keeping Infrastructure as Code Secure), which is designed to detect security vulnerabilities and policy violations in infrastructure-as-code (IaC) files.

  • PHPCodeSniffer: imports scan results from PHPCodeSniffer, which tokenizes PHP files and detects violations of a defined set of coding standards.

  • Retire.js: imports scan results from the Retire.js Scanner, a tool designed to analyze JavaScript code for deprecated and vulnerable libraries and dependencies. It focuses on identifying outdated or known-vulnerable components within JavaScript code, contributing to the security of web applications.

  • Semgrep: imports scan results from the Semgrep scanner and GitLab Semgrep scanner. Semgrep is a tool for finding security issues in code. It provides static analysis of code in various languages and helps identify potential security vulnerabilities.

  • SpotBugs: imports scan results from the SpotBugs scanner, which analyses Java source code for potential security, efficiency, and programming style issues.

  • Terrascan: imports scan results from the Terrascan Scanner, which is a tool for finding security issues in Terraform code. It helps identify potential security vulnerabilities in infrastructure as code.

Secret Scanners:

  • Gitleaks: imports scan results from the Gitleaks Scanner and GitLab Gitleaks Scanner. Gitleaks is a tool for finding secrets and sensitive information in Git repositories. It helps identify hard-coded secrets that developers have accidentally committed.

  • Trufflehog3: imports scan results from the Trufflehog3 Scanner, which is a tool for finding secrets and sensitive information in code repositories. Trufflehog3Importer converts the scan results into a format that AppSec Portal can understand.

Image and code dependency scanners:

  • Trivy: imports scan results from the Trivy Scanner, which is a tool for finding security issues in Docker images and code repositories.

  • Vulners Trivy: imports scan results from the Trivy Scanner with vulners.com plugin.

  • Snyk: imports results from the Snyk tool. Snyk is a platform that allows you to scan, prioritize, and fix security vulnerabilities in your code, open-source dependencies, container images, and infrastructure-as-code configurations.

Web Scanners:

  • Arachni: imports scan results from the Arachni Scanner, which is a tool for scanning modern web applications for a variety of vulnerabilities including SQL injection, cross-site scripting, file inclusion, and more.

  • Acunetix: imports scan results from Acunetix, a scanner designed to detect vulnerabilities in web applications.

  • Burp Suite: imports scan results from the Burp Suite Enterprise scanner, which is a tool for automated web application security testing and vulnerability scanning.

  • OWASP Zap: imports scan results from the GitLab OWASP Zap Scanner, which is a security testing tool focused on web application vulnerabilities, including SQL injection, cross-site scripting (XSS), and more.

Mobile Scanners:

  • Mobsfscan: is a security testing tool focused on mobile application vulnerabilities. This scanner is based on Semgrep with custom rules from the MobSF group.

Infrastructure scanners:

  • AWSSecurity: imports scan results from the AWS Security Hub Scan, which is a tool designed to analyze and identify potential security vulnerabilities in AWS environments. With this importer, you can integrate AWS Security Hub scan results into the AppSec Portal, allowing for centralized management and comprehensive visibility of your security posture within the AWS ecosystem.

  • Prowler: imports scan results from the Prowler Scanner. Prowler is a security scanning tool specifically designed to assess the security of Amazon Web Services (AWS) environments.

  • Subfinder: imports scan results from the Subfinder Scanner. Subfinder is a subdomain discovery tool used to identify subdomains associated with a target domain or web application. It assists in gathering information during the enumeration phase of security assessments and penetration testing.

  • Nessus: is a leading vulnerability scanning tool developed by Tenable. It is used to identify and assess potential vulnerabilities in systems and networks, helping organisations strengthen their cyber security.

  • Nuclei: imports scan results from the Nuclei Scanner, which is a tool for finding security issues in web applications.

Other scanners:

  • Dependency-Track: imports results from the Dependency-track platform. Component support for: Applications, Libraries, Frameworks, Operating systems, Containers, Firmware, Files, Hardware, Services.

  • Whitespots Portal: imports results with the Whitespots Portal parser. It processes the data that the user has specified in the scanner report.