Supported scanning tools
The following table lists the various scanning tools that are integrated into DevSecOps pipelines to provide continuous security checks and monitoring. These scans run at various stages of the Continuous Integration (CI), Continuous Development (CD), and Continuous Deployment (CC) pipelines.
Tool | Description | Scan (pipeline stage) | Scan type |
---|---|---|---|
IBM Cloud Code Risk Analyzer | Code Risk Analyzer (CRA) analyzes your code for vulnerabilities and compliance with certain rules. | compliance checks stage of CI/CC pipelines | Dependency scan |
Gosec | Gosec scan can be used to inspect Golang source code in your scanned repositories. | static scan stage of CI/CC pipelines | Static scan |
Sonarqube | SonarQube provides an overview of the overall health and quality of your source code and highlights issues that are found in new code. | static scan stage of CI/CC pipelines | Static scan |
Owasp Zap | Zed Attack Proxy (ZAP) is a free and open source penetration testing (PEN) tool that is maintained under the umbrella of OWASP. | owasp zap sub pipeline in CI pipeline and dynamic scan stage of CI/CC pipelines | Dynamic scan |
Sysdig | Sysdig scan uses the Sysdig inline scanner to identify vulnerabilities (CVEs) within Docker images. | scan artifact stage of CI/CC pipelines | Container Image scan |