🔘 Features

All pipeline scanners you need in one place!

Discover our Security Pipeline repository on GitLab. This repository includes a comprehensive set of scanners to address various security aspects.

You can add and manage different groups of scans:

  • Secret scanners such as Gitleaks and Trufflehog3 (a fork of Trufflehog maintained specifically for DefectDojo) are used to detect sensitive data that may have been inadvertently committed to version control or shared in other ways.

  • Code scanners like Bandit (Python), Brakeman (Ruby on Rails), ESLint and Retire.js (JavaScript), Gosec (Go), Semgrep, SonarQube, SpotBugs (Java), Hadolint (Dockerfiles), Terrascan (Infrastructure as Code), Gixy (NGINX), Checkov (IaC formats) and Snyk (open source) are used to detect code issues, vulnerabilities, and other security-related issues in the application codebase.

  • Code dependency scanners such as Trivy are used to detect security vulnerabilities in code dependencies used by the application.

  • Image dependency scanners such as Trivy and Grype are used to detect vulnerabilities in Docker images built from public scanners.

  • Dynamic scanners like Arachni and OWASP ZAP are used to test the application for vulnerabilities while it is running.

  • Infrastructure scanners like Subfinder and Nuclei are used to scan the infrastructure components like domains and servers for vulnerabilities and security issues.

All these checks are run in transparent mode and don't affect your build/deploy time.
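As an added illustration of what "transparent mode" means in practice, here is a minimal `.gitlab-ci.yml` fragment that wires two of the scanners listed above (Gitleaks for secrets, Trivy for code and image dependencies) into a separate stage whose jobs never block the build or deploy. This is example configuration written for this page, not the Security Pipeline repository's own templates: the stage and job names, the `$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA` image reference and the report file names are assumptions; the tool command-line flags are the tools' real ones.

```yaml
# Added example, not the project's own template.
# The "security" stage runs alongside the normal pipeline: every job has
# `needs: []` (starts immediately, does not wait for build/test) and
# `allow_failure: true` (findings are reported but never fail the pipeline).
stages:
  - build
  - test
  - security
  - deploy

# Secret scanning of the repository history with Gitleaks.
secret_scan:
  stage: security
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]        # override the image entrypoint so `script` runs in a shell
  needs: []
  allow_failure: true
  script:
    - gitleaks detect --source . --report-format json --report-path gitleaks.json
  artifacts:
    when: always            # keep the report even when findings set a non-zero exit code
    paths:
      - gitleaks.json
    expire_in: 1 week

# Code-dependency scanning of the checked-out tree with Trivy.
dependency_scan:
  stage: security
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  needs: []
  allow_failure: true
  script:
    - trivy fs --format json --output trivy-fs.json .
  artifacts:
    when: always
    paths:
      - trivy-fs.json
    expire_in: 1 week

# Image-dependency scanning of the image the build stage pushed.
# Assumes a `build_image` job exists and pushes $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA.
image_scan:
  stage: security
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  needs: ["build_image"]   # the only scanner that must wait, since it needs the built image
  allow_failure: true
  script:
    - trivy image --format json --output trivy-image.json "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  artifacts:
    when: always
    paths:
      - trivy-image.json
    expire_in: 1 week
```

The two settings that make the stage transparent are `needs: []` (the job starts as soon as a runner is free instead of waiting for earlier stages) and `allow_failure: true` (a job that exits non-zero because it found something is shown as a warning, not a failed pipeline). The JSON reports are kept as artifacts so they can be reviewed or imported into a vulnerability tracker such as DefectDojo; once a team has triaged the noise, dropping `allow_failure` on a scanner turns it from a transparent check into a gate.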
