Product overview

The delivers highly scalable Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST) for your Enterprise.

What does

  • Testing: Upload and scan applications in the cloud using static analysis (SAST) and software composition analysis (SCA). Run dynamic tests (DAST) against your organization's web applications.
  • Issue Lifecycle Management: Review, triage, dismiss, and close issues discovered during security scans. Actions can be taken manually or programmatically.
  • Build a software bill of materials (SBOM): Generate the industry's most complete SBOM using two powerful analysis techniques (package manager and signature analysis tests). Evaluate the supply chain of each open source component and license used to create the application.
  • Analytics: Review the overall risk posture of a project, application, or organization.
  • Automation: Use SCM repository integrations, a command-line client, or REST APIs to integrate security testing into your DevOps pipeline. Test and monitor branches to ensure your applications stay secure.
  • Dashboards: Offer high-level snapshots of issues or issue details, with filters to customize your view of test results.
  • Reporting: Create customized reports of your test results.
  • Policy management: Establish guidelines and use to automatically execute specific actions like scheduling tests, breaking builds, notifying users of test findings, and setting fix-by dates.
  • Expert triage assistance: For static scans of a project's default branch, human assessors are available to review findings and reduce false positives, helping developers focus on meaningful results.

What teams do with

  • Move security testing to the cloud.
  • Enable developers by building security testing into CI/CD pipelines.
  • Schedule regular scans of repos.
  • Set scan policies that can fail a build and prevent code from merging when pre-defined events are detected.
  • Use the web UI to triage issues found in the code and dismiss them or assign owners to them.
  • Use dashboards to monitor the security stance of applications and their constituent projects.

Components of

  • Web UI: Manage subscriptions, schedule testing, review and triage issues, and monitor your security stance on dashboards.
  • command-line client: Use a simple scripting language to automate tests. Scan information is uploaded to the web UI, where you can see all the information from your tests.
  • Integrations: can:
    • Interact with SCM repositories, including GitHub, GitLab, Bitbucket, and Azure DevOps.
    • Create tickets in Jira for issues captured in tests.
    • Include links to Secure Code Warrior training resources with issues captured in tests.
  • API: Robust APIs make it possible to quickly retrieve and filter issue data after running tests.