🔬Scanners

The AppSec Portal uses a variety of importers to integrate with popular scanners

To configure the scanner, please refer to the scanner settings section.

Here are the details of each importer supported by AppSec Portal

Code scanners:

  • Bandit: imports scan results from Bandit Scanner and GitLab Bandit scanner, which is a tool for finding security issues in Python code. It checks Python code for common security issues such as hardcoded passwords, SQL injections, and more.

  • Checkov: imports scan results from Checkov Scanner, which is a tool for finding security issues in Infrastructure As Code. It provides static analysis of Terraform, CloudFormation, and Kubernetes code to identify misconfigurations and potential security issues.

  • CodeQL: imports scan results from CodeQL Scanner, which is a tool for analyzing source code to find security vulnerabilities such as SQL injection, cross-site scripting (XSS), buffer overflows, and more.

  • ESLint: imports scan results from ESLint Scanner and GitLab ESLint, which is a tool for finding security issues in JavaScript code. It checks JavaScript code for common security issues such as cross-site scripting (XSS), SQL injection, and more.

  • Gemnasium : imports scan results from GitLab Gemnasium Scanner, which is a tool that identifies vulnerabilities and security issues within project dependencies.

  • Gosec: imports scan results from Gosec Scanner, which is a tool for finding security issues in Go code. It helps identify potential security vulnerabilities in Go code.

  • Hadolint: imports scan results from Hadolint Dockerfile Check Scanner, a Dockerfile linter that helps ensure Dockerfile syntax correctness, adherence to best practices, and identification of potential issues related to Docker image creation. It focuses on code quality and conformity to Dockerfile standards, aiding in the creation of secure and well-structured Docker images.

  • KICS: imports scan results from GitLab KICS Scanner (Keeping Infrastructure as Code Secure), wich is designed to detect security vulnerabilities and policy violations in infrastructure-as-code (IaC) files.

  • PHPCodeSniffer: mports scan results from PHPCodeSniffer, wich is tokenizes PHP files and detects violations of a defined set of coding standards.

  • Retire.js: imports scan results from Retire.js Scanner, a tool designed to analyze JavaScript code for deprecated and vulnerable libraries and dependencies. It focuses on identifying outdated or known vulnerable components within JavaScript code, contributing to the enhancement of web application security.

  • Semgrep: imports scan results from Semgrep scanner and GitLab Semgrep scanner, which is a tool for finding security issues in code. It provides static analysis of code in various languages and helps identify potential security vulnerabilities.

  • SpotBugs: imports scan results from SpotBugs scanner which analyses Java source code for potential security, efficiency, and programming style issues.

  • Terrascan: imports scan results from Terrascan Scanner, which is a tool for finding security issues in Terraform code. It helps identify potential security vulnerabilities in infrastructure as code.

Secret Scanners:

  • Gitleaks: imports scan results from Gitleaks Scanner and GitLab Gitleaks Scanner, which is a tool for finding secrets and sensitive information in Git repositories. It helps identify hard-coded secrets in Git repositories that are accidentally committed by developers.

  • Trufflehog3: imports scan results from Trufflehog3 Scanner, which is a tool for finding secrets and sensitive information in code repositories. Trufflehog3Importer converts the scan results into a format that can be easily understood by AppSec Portal.

Image and code dependency scanners:

Web Scanners:

  • Arachni: imports scan results from Arachni Scanner, which is a tool for scanning modern web applications for a variety of vulnerabilities including SQL injection, cross-site scripting, file inclusion, and more.

  • Acunetix : imports scan results from Acunetix, a scanner designed to detect vulnerabilities in web applications.

  • Burpsuit: imports scan results from BurpSuit Enterprise scanner, which is a tool for automated web application security testing and vulnerability scanning.

  • OWASP Zap: is responsible for importing scan results from GitLab OWASP Zap Scanner, wich is a security testing tool focused on web application vulnerabilities, including SQL injection, cross-site scripting (XSS), and more.

Mobile Scanners:

  • Mobsfscan: is a security testing tool focused on mobile application vulnerabilities. This scanner is based on Semgrep with custom rules from MobSF group

Infrastructure scanners:

  • AWSSecurity: imports scan results from AWS Security Hub Scan, which is a powerful tool designed to analyze and identify potential security vulnerabilities in AWS environments. With this importer, you can seamlessly integrate AWS Security Hub scan results into the AppSec Portal, allowing for centralized management and comprehensive visibility of your security posture within the AWS ecosystem.

  • Nessus: is a leading vulnerability scanning tool developed by Tenable. It is used to identify and assess potential vulnerabilities in systems and networks, helping organisations strengthen their cyber security.

  • Nuclei: imports scan results from Nuclei Scanner, which is a tool for finding security issues in web applications.

  • Prowler: is responsible for importing scan results from the Prowler Scanner. Prowler is a security scanning tool specifically designed to assess the security of Amazon Web Services (AWS) environments.

  • Subfinder: imports scan results from Subfinder Scanner. Subfinder is a subdomain discovery tool used to identify subdomains associated with a target domain or web application. It assists in gathering critical information during enumeration phases of security assessments and penetration testing.

Other scanners:

  • Dependency-Track: imports result from Dependency-track platform. Component support for:

    Applications, Libraries, Frameworks, Operating systems, Containers, Firmware, Files, Hardware, Services

  • Snyk: imports result from Snyk tool. Snyk is a platform that allows you to scan, prioritize, and fix security vulnerabilities in your code, open-source dependencies, container images, and infrastructure as code configurations.

  • Whitespots Portal : imports results with Whitespots Portal parser. Processes the data that the user has specified in the scanner report.

Last updated