Xygeni Scanners
Although referred to as a whole as the Xygeni Scanner, Xygeni provides a set of specialized scanners, each aimed at a different kind of issue.
For a full description of installation, prerequisites and usage of the Xygeni Scanner, see Xygeni CLI Overview.
The available Xygeni scanners are:
Dependency Scanner (deps)
The Dependency Scanner (deps) (see Open Source Security (OSS)) collects and analyzes the dependencies of a software project, aimed at identifying issues related to software supply-chain security. Dependencies are the components or packages used by the software; they are analyzed for known vulnerabilities and for evidence of malware.
Suspect Dependencies Scanner (suspectdeps)
The Suspect Dependencies Scanner (suspectdeps) (see Open Source Security (OSS)) finds suspect dependencies that may be the vehicle of a supply-chain attack. The aim is to detect potential flaws in the dependencies, direct or indirect, of the software project and of the DevOps tools around it, so that supply-chain attacks can be prevented. The dependency graph (in fact, the output of the Dependency Scanner) is analyzed for known issues with dependencies. Typo-squatting, dependency confusion and dependencies with suspicious installation scripts are examples of suspect dependencies.
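To make the three examples above concrete, here is an added illustration (not Xygeni's code and not how suspectdeps is implemented) of the kind of heuristics such a scanner applies to an npm dependency graph: typo-squatting as a small edit distance to a well-known name, dependency confusion as an internal-scope package resolved from the public registry rather than the private one, and a package that declares an install-time lifecycle script. The manifests, the list of well-known names, the @acme scope and the private registry URL are all constructed for the example.

```python
"""Heuristics for suspect dependencies over npm manifests: typo-squatting
(edit distance against well-known names), dependency confusion (internal
scope resolved from the public registry) and install scripts.
Added illustration, not Xygeni's own detector logic."""
import json

# Constructed sample manifests (not a real project): one dependency is a
# one-transposition typo of "lodash", one internal package was resolved from
# the public registry, and the typo package carries an install script.
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "lodahs": "^4.17.21",
        "express": "^4.18.2",
        "@acme/auth-client": "^1.2.0",
    },
})
PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/lodahs": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-4.17.21.tgz",
            "hasInstallScript": True,  # npm sets this for packages with install hooks
        },
        "node_modules/express": {
            "version": "4.18.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
        },
        "node_modules/@acme/auth-client": {
            "version": "1.2.0",
            "resolved": "https://registry.npmjs.org/@acme/auth-client/-/auth-client-1.2.0.tgz",
        },
    },
})

# Assumed inputs that a real scanner would take from its own data sources:
# a list of well-known package names, the organisation's private scope and registry.
POPULAR_PACKAGES = {"lodash", "express", "react", "axios", "chalk", "commander"}
INTERNAL_SCOPE = "@acme/"
PRIVATE_REGISTRY = "https://npm.acme.internal/"


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition at cost 1, so 'lodahs' is 1 edit away from 'lodash'."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def typosquat_target(name, popular=POPULAR_PACKAGES, max_distance=1):
    """Return the well-known name this package name imitates, or None."""
    if name in popular:
        return None  # an exact match is the real package, not a squat
    dist, target = min((osa_distance(name, p), p) for p in popular)
    return target if dist <= max_distance else None


def lock_entries(lock):
    """Map package name -> lock entry for npm lockfile v2/v3 'packages'."""
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if path.startswith("node_modules/"):
            out[path.rsplit("node_modules/", 1)[1]] = entry
    return out


def find_suspects(package_json_text, package_lock_text):
    """Run the three heuristics over declared and resolved dependencies."""
    manifest = json.loads(package_json_text)
    lock = lock_entries(json.loads(package_lock_text))
    declared = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    findings = []
    for name in sorted(set(declared) | set(lock)):
        entry = lock.get(name, {})
        target = typosquat_target(name)
        if target:
            findings.append({"kind": "typosquat", "package": name, "detail": f"resembles {target}"})
        resolved = entry.get("resolved", "")
        if name.startswith(INTERNAL_SCOPE) and resolved and not resolved.startswith(PRIVATE_REGISTRY):
            findings.append({"kind": "dependency-confusion", "package": name, "detail": f"resolved from {resolved}"})
        if entry.get("hasInstallScript"):
            findings.append({"kind": "install-script", "package": name, "detail": "runs a lifecycle script at install time"})
    return findings


if __name__ == "__main__":
    for f in find_suspects(PACKAGE_JSON, PACKAGE_LOCK):
        print(f"{f['kind']:22} {f['package']:20} {f['detail']}")
```

Run as a script it prints the three findings (typosquat and install-script for lodahs, dependency-confusion for @acme/auth-client) and nothing for express. The edit-distance threshold is deliberately low; raising it beyond 1 against a large list of popular names produces many false positives, which is why a real detector combines the distance with other signals (package age, download counts, maintainer history).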
Misconfigurations Scanner (misconf)
The Misconfigurations Scanner (misconf) (see Software Supply-Chain Security (SSCS)) checks the configuration of the software project under analysis and reports any misconfiguration found by the checks currently active for the policy assigned to the project. A misconfiguration in any element of the software pipeline, such as a package manager, a build file or a CI job, might open the door to attacks targeted at the organization's DevOps chain.
Secrets Scanner (secrets)
The Secrets Scanner (secrets) (see Secrets Security) detects hardcoded secrets. It performs thorough scans of code, text files and Docker images to identify exposed secrets (API keys, passwords and other sensitive credentials).
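As an added illustration of the two complementary techniques a secrets scanner relies on (not Xygeni's code, and not the product's rule set), the following script combines known-format patterns for credentials with a recognizable prefix, such as AWS access key IDs and GitHub personal access tokens, with a Shannon-entropy heuristic for generic password/token assignments whose value has no fixed shape. The sample files are constructed; the AWS key is the placeholder value used in AWS's own documentation, and scanning a Dockerfile's text stands in for the image-layer scanning the page mentions.

```python
"""Secret detection over text lines: known-format patterns plus an entropy
heuristic for generic credential assignments.
Added illustration, not Xygeni's own detector logic."""
import math
import re
from collections import Counter

# Constructed sample input: a source file and a Dockerfile fragment.
# Values are made up; the AWS key is AWS's documented placeholder key.
SAMPLE_FILES = {
    "config.py": [
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'db_password = "kX9vQ2mP7nLb4RsW"',
        'DEBUG = True',
    ],
    "Dockerfile": [
        'FROM python:3.12-slim',
        'ENV API_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789',
        'ENV DB_PASSWORD=changeme',
    ],
}

# Credentials with a fixed, recognizable shape: match them directly.
KNOWN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic "<secret-looking name> = <value>" assignments in code or config.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<key>[a-z0-9_]*(?:password|passwd|secret|token|api_key|apikey)[a-z0-9_]*)"
    r"\s*[=:]\s*['\"]?(?P<val>[^'\"\s]+)"
)
MIN_LENGTH = 12          # shorter values are usually defaults or placeholders
ENTROPY_THRESHOLD = 3.5  # bits per character; random keys sit well above this
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo"}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a repeated character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_lines(path, lines):
    """Return findings for one file; known patterns take precedence over the
    entropy heuristic so a token is reported once, with its specific rule."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        matched = False
        for rule, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"file": path, "line": lineno, "rule": rule, "match": m.group(0)})
                matched = True
        if matched:
            continue
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group("val")
        if len(value) < MIN_LENGTH or value.lower() in PLACEHOLDERS:
            continue
        entropy = shannon_entropy(value)
        if entropy >= ENTROPY_THRESHOLD:
            findings.append({"file": path, "line": lineno, "rule": "high-entropy-credential",
                             "match": value, "entropy": round(entropy, 2)})
    return findings


def scan_files(files):
    """Scan a mapping of path -> list of lines and concatenate findings."""
    return [f for path, lines in files.items() for f in scan_lines(path, lines)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['rule']} ({f['match']})")
```

The entropy heuristic is what catches credentials with no known prefix, but it is also the main source of noise: hashes, base64 blobs and UUIDs all score high, so a production scanner pairs it with path and context filters and a review workflow. Known-format rules are precise but only cover services that issue tokens with a distinctive prefix.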
Infrastructure-As-Code Scanner (iac)
The Infrastructure-As-Code Scanner (iac) (see IaC Security) processes IaC templates (Terraform, Ansible, CloudFormation, etc.) searching for "flaws" or "defects", that is, non-compliances with a given policy. Most flaws represent a security issue that adds significant risk.
Compliance Assessment Scanner (compliance)
The Compliance Assessment Scanner (compliance) (see Software Supply-Chain Security (SSCS)) checks compliance with software supply-chain security standards and guidelines. A standard is a list of checkpoints, arranged in categories. A software project is compliant with a standard ("passes") only when all of the standard's required checkpoints pass.
Code Tampering Scanner (codetamper)
The Code Tampering Scanner (codetamper) (see Anomaly Detection) checks the commits of the software project under analysis and reports "changes in critical files" according to the critical-files rules currently active for the policy assigned to the project.
Malware Scanner (malware)
The Malware Scanner (malware) (see Code Security (CS)) checks the files of the software project under analysis and reports "evidences" (findings) produced by the malware detectors currently active for the policy assigned to the project.
Inventory Scanner (inventory)
The Inventory Scanner (inventory) (see ASPM (Application Security Posture Management)) discovers SDLC assets at scan time, extracting the information from the available project and dependency descriptors, build files, pipelines describing the CI/CD workflows and IaC templates, and, where needed, from calls to the tools' APIs.