Supported scanning tools
The following table lists the scanning tools that are integrated into DevSecOps pipelines to provide continuous security checks and monitoring. These scans run at various stages of the Continuous Integration (CI), Continuous Deployment (CD), and Continuous Compliance (CC) pipelines.
Scan | Description | Stage | Type of scan |
---|---|---|---|
IBM Cloud Code Risk Analyzer | Code Risk Analyzer (CRA) analyzes your code for vulnerabilities and for compliance with certain rules. | compliance checks stage of CI/CC pipelines | Static scan |
Detect Secrets | Detect-secrets is a client-side security tool that detects secrets within a codebase so that leaks can be remediated and prevented. | detect secrets stage of CI/CC pipelines | Static scan |
Gosec | Gosec inspects the Go source code in your scanned repositories. | static scan stage of CI/CC pipelines | Static scan |
Mend | The Mend script runs the Mend Unified Agent dependency scan in your DevSecOps pipeline. | compliance checks stage of CI/CC pipelines | Static scan |
OWASP ZAP | Zed Attack Proxy (ZAP) is a free and open source penetration testing tool that is maintained under the umbrella of OWASP. | owasp zap sub pipeline in CI pipeline and dynamic scan stage of CI/CC pipelines | Dynamic scan |
SonarQube | SonarQube provides an overview of the overall health and quality of your source code and highlights issues that are found in new code. | static scan stage of CI/CC pipelines | Static scan |
Sysdig | The Sysdig scan uses the Sysdig inline scanner to identify vulnerabilities (CVEs) within Docker images. | scan artifact stage of CI/CC pipelines | Container image scan |
IBM Cloud Vulnerability Advisor | The DevSecOps pipeline uses Vulnerability Advisor (VA) to identify vulnerabilities (CVEs) within Docker images. | scan artifact stage of CI/CC pipelines | Container image scan |
The table lists multiple tools that scan container images and report the vulnerabilities that are present in them. These scans run as part of the scan-artifact stage of the CI and CC pipelines, once for each container image that you have saved to the pipeline by using the save_artifact method. For more information, see save_artifact.
See the individual scan pages for further details.
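The following script is an added example, not code from the IBM DevSecOps pipeline or its documentation. It shows how a build step can register an image so that the scan-artifact stage scans it, and it adds the check a practitioner wants in front of that call: the image is registered by immutable digest, so the bytes that Sysdig or Vulnerability Advisor scan are the bytes that are later deployed, rather than a mutable tag that could be re-pushed between scan and deploy. It assumes the documented invocation form `save_artifact <artifact-name> type=image name=<image-ref> digest=<sha256-digest>`; the function names, the digest validation and the dry-run fallback are this example's own, and the image reference and digest are constructed sample values.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumed pipelinectl form:
#   save_artifact <artifact-name> type=image name=<image-ref> digest=<sha256-digest>
# Everything else here is this example's own convention.

# Return the digest from "registry/ns/app@sha256:..." or pass a bare digest through.
digest_of() {
    case "$1" in
        *@sha256:*) printf '%s\n' "${1#*@}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# True only for a complete sha256 digest (64 lowercase hex characters).
is_sha256_digest() {
    printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# register_image_artifact <artifact-name> <image-ref> <digest | ref@digest>
# Refuses to register an image that is not pinned by digest, so the scan-artifact
# stage never scans a tag that can change underneath it.
register_image_artifact() {
    name=$1
    image=$2
    digest=$(digest_of "$3")
    if ! is_sha256_digest "$digest"; then
        echo "refusing to register $name: '$3' does not carry a sha256 digest" >&2
        return 1
    fi
    if command -v save_artifact >/dev/null 2>&1; then
        # Inside the pipeline: make the image visible to the scan-artifact stage.
        save_artifact "$name" type=image "name=$image" "digest=$digest"
    else
        # Outside the pipeline (local dry run): show what would be recorded.
        echo "dry-run: save_artifact $name type=image name=$image digest=$digest"
    fi
}

# Constructed sample values: a registry reference and the sha256 of an empty blob.
SAMPLE_IMAGE="us.icr.io/example-ns/app:1.2.3"
SAMPLE_DIGEST="sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

register_image_artifact app-image "$SAMPLE_IMAGE" "$SAMPLE_DIGEST" \
    || echo "registration failed" >&2
```

In a real build step the digest comes from the registry after the push (for example `docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE"` yields a `ref@sha256:...` string that `digest_of` accepts). Registering by tag alone is rejected on purpose: a tag that is re-pushed after the scan-artifact stage would deploy an image that was never scanned.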