# Integrating Vulnerability Scan Results of 3rd-Party Tools

You can ingest scan results from the following tools into Scribe Hub.
## SCA

| Tool | Description |
| --- | --- |
| AuditJS | Identifies security vulnerabilities in JavaScript libraries and dependencies. |
| Synopsys Blackduck Binary Analysis | Analyzes open source components for security risks and license compliance. |
| Bundler-Audit | Scans Ruby Gem dependencies for known vulnerabilities. |
| Checkmarx OSA | Identifies vulnerabilities and license risks in open source libraries and third-party components. |
| CycloneDX | A standard for creating SBOMs to manage security risks in open source dependencies. |
| Dependency Check | Detects publicly disclosed vulnerabilities in project dependencies. |
| Dependency Track | Monitors and manages the use of components with known vulnerabilities. |
| Fortify | Analyzes open source components for security vulnerabilities and compliance risks. |
| GitLab Dependency Scan | Scans project dependencies for known vulnerabilities. |
| Govulncheck | Identifies known vulnerabilities in Go projects. |
| JFrog Xray | Scans artifacts for vulnerabilities and license compliance issues. |
| Kiuwan | Analyzes code for security vulnerabilities and compliance risks. |
| Mend.io | Provides real-time alerts and remediation for vulnerabilities in open source components. |
| NPM Audit | Scans project dependencies for known vulnerabilities in npm packages. |
| OssIndex | Provides security reports for open source projects and components. |
| PHP Symfony Security Check | Checks for vulnerabilities in Symfony project dependencies. |
| pip-audit | Audits Python environments and dependencies for known vulnerabilities. |
| Retire.js | Scans JavaScript projects for known security vulnerabilities. |
| Sonatype Application Scan | Analyzes application components for security and compliance issues. |
| Veracode SourceClear | Scans open source libraries and dependencies for security vulnerabilities. |
| Yarn Audit | Checks project dependencies for known security issues in Yarn packages. |
## SAST

| Tool | Description |
| --- | --- |
| Bandit | Analyzes Python code for security issues. |
| Brakeman | Static analysis tool for Ruby on Rails applications. |
| Checkmarx | Identifies security vulnerabilities in proprietary code. |
| Codechecker | Static analysis infrastructure to detect bugs in C/C++/Objective-C code. |
| Contrast | Integrates with applications to detect vulnerabilities during runtime. |
| Microsoft Cred Scan | Scans for credentials in code. |
| Dawnscanner | Static analysis security scanner for Ruby applications. |
| Detect-secrets | Tool to prevent secrets from being committed into code repositories. |
| ESLint | Finds and fixes problems in JavaScript code. |
| Ggshield | Detects secrets and sensitive information in your codebase. |
| GitHub Vulnerability Scan | Analyzes code for security vulnerabilities within GitHub repositories. |
| GitLab SAST | Provides static application security testing for GitLab projects. |
| GitLab Secret Detection | Detects secrets in your GitLab projects. |
| Gitleaks | Scans for secrets in git repositories. |
| Gosec Scanner | Inspects Go source code for security issues. |
| Horusec | Open source tool for performing static code analysis on various languages. |
| Hydra | OAuth2 and OpenID Connect server for application security. |
| Meterian | Analyzes and fixes security vulnerabilities in open source dependencies. |
| Mozilla Observatory | Helps developers configure their sites securely. |
| Node Security | Scans for vulnerabilities in Node.js packages. |
| Openscap Vulnerability | Assesses the security compliance of IT systems. |
| PHP Security Audit v2 | Scans PHP code for security vulnerabilities. |
| PMD | Identifies flaws in Java source code. |
| PWN | Python-based tool for security testing. |
| Rubocop | Linter and formatter for Ruby code. |
| Rusty Hog | Scans for secrets in your codebase. |
| Semgrep | Static analysis tool for finding bugs and enforcing code standards. |
| Snyk | Finds and fixes vulnerabilities in your open source dependencies and container images. |
| SonarQube | Continuous inspection of code quality: automatic reviews with static analysis to detect bugs, code smells, and security vulnerabilities. |
| SpotBugs | Static analysis tool for Java to find bugs in Java programs. |
| Talisman | Detects and prevents secrets from getting checked into source code repositories. |
| Trufflehog | Searches through git repositories for high entropy strings and secrets. |
| VCG | Vulnerability Code Graphs (VCG) tool to analyze source code for vulnerabilities. |
| Wapiti | Performs "black-box" scans of web applications to discover vulnerabilities. |
| Whispers | Detects secrets and sensitive information in your codebase. |
| Xanitizer | Static analysis tool to detect security vulnerabilities in Java code. |
## DAST

| Tool | Description |
| --- | --- |
| Acunetix | Automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, XSS, and more. |
| AppSpider (Rapid7) | Dynamic Application Security Testing (DAST) solution that scans web applications for vulnerabilities. |
| Burp | Integrated platform for performing security testing of web applications. |
| Cobalt.io | Offers a pentest-as-a-service platform to find and fix vulnerabilities in web applications. |
| Crashtest Security | Provides automated security testing for web applications. |
| Edge | Full-stack vulnerability management solution combining automated scanning with manual verification. |
| GitLab DAST | Dynamic application security testing tool built into GitLab. |
| IBM AppScan | Provides automated dynamic application security testing. |
| Immuniweb | AI-powered web application security testing platform. |
| Micro Focus WebInspect | Automated dynamic application security testing solution. |
| MobSF | Mobile Security Framework for dynamic and static analysis of mobile apps. |
| Netsparker | Web application security scanner that identifies vulnerabilities. |
| Nikto | Web server scanner that performs comprehensive tests against web servers. |
| Nuclei | Fast and customizable vulnerability scanner based on simple YAML-based templates. |
| Qualys | Cloud-based platform for continuous security and compliance. |
| Scantist | Application security platform for identifying vulnerabilities. |
| Solar Appscreener | Comprehensive source code analysis tool. |
| StackHawk | Dynamic application security testing built for developers. |
| Tenable | Comprehensive vulnerability management solution. |
| Trustwave | Offers managed security testing services. |
| Veracode | Comprehensive application security testing platform. |
| WFuzz | Tool for web application security assessment by brute forcing web applications. |
| WhiteHat Sentinel | Dynamic application security testing solution. |
| Wpscan | Security scanner for WordPress. |
| ZAP | Open-source web application security scanner. |
## Infrastructure

| Tool | Description |
| --- | --- |
| Anchore Enterprise | A comprehensive container security platform for deep image inspection and vulnerability scanning. |
| Anchore Grype | An open-source vulnerability scanner for container images and filesystems. |
| Aqua Scan | Security platform for securing cloud-native applications, containers, and serverless functions. |
| Arachni | Open-source web application security scanner framework designed to identify security issues. |
## Other

| Tool | Description |
| --- | --- |
| AWS Prowler | Open-source security tool to perform AWS security best practices assessments. |
| AWS Scout2 | Tool that audits the configuration of AWS environments to find security gaps. |
| AWS Security Hub | Provides a comprehensive view of high-priority security alerts and compliance status across AWS accounts. |
| Azure Security Center Recommendations | Provides recommendations to secure Azure resources and services. |
| Synopsys Blackduck | Analyzes open-source components for security risks and license compliance. |
| Burp | Integrated platform for performing security testing of web applications. |
| CargoAudit | Audits Cargo.lock files for vulnerabilities. |
| Checkov | Static code analysis tool for infrastructure as code. |
| Clair | Static analysis tool for discovering vulnerabilities in application containers (e.g., Docker). |
| Clair Klar | Wrapper to analyze images stored in a private Docker registry. |
| Cloudsploit | Tool for security and configuration scanning of cloud accounts. |
| docker-bench-security | Script that checks for dozens of common best practices around deploying Docker containers in production. |
| Dockle | Container image linter for security, helping to ensure best practices and reduce vulnerabilities. |
| GitLab Container Scan | Scans container images for vulnerabilities in GitLab projects. |
| Hadolint Dockerfile check | Dockerfile linter to detect issues and ensure best practices. |
| Harbor Vulnerability | Open-source container image registry that secures images with role-based access control and integrates with vulnerability scanners. |
| KICS | Open-source tool for static analysis of IaC files to detect potential security vulnerabilities, compliance issues, and coding best practices. |
| kube-bench | Checks whether Kubernetes is deployed securely according to the CIS Kubernetes Benchmark. |
| kube-hunter | Open-source tool to hunt for security weaknesses in Kubernetes clusters. |
| NeuVector (compliance) | Provides container security with run-time protection, network visibility, and vulnerability management. |
| Nexpose | Vulnerability management solution that dynamically collects data and analyzes risk. |
| Nmap | Open-source network scanner for network discovery and security auditing. |
| OpenVAS | Full-featured vulnerability scanner that can detect security issues in systems and applications. |
| Popeye | Utility that scans live Kubernetes clusters and reports potential issues. |
| Qualys Infrastructure Scan | Cloud-based platform for continuous security and compliance of IT infrastructure. |
| Red Hat Satellite | System management tool designed to help manage Red Hat deployments and scale IT automation, optimizing system performance. |
| Scout Suite | Open-source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. |
| ssh-audit Vulnerability Reports | SSH server auditing tool that checks for various security issues in SSH servers. |
| SSL Labs | Performs a deep analysis of the configuration of any SSL web server on the public Internet. |
| Sslscan | Quickly scans SSL servers to determine the supported SSL ciphers and protocols. |
| Sslyze | Fast and powerful SSL/TLS scanning library and CLI tool. |
| Sysdig Vulnerability Reports | Provides container intelligence for securing and monitoring your infrastructure. |
| Testssl | Command line tool to check SSL/TLS and security related information on any port. |
| TFSec | Security scanner for your Terraform code, which checks for potential security vulnerabilities. |
| Trivy | Simple and comprehensive vulnerability scanner for containers and other artifacts. |
| Twistlock Image | Cloud-native security platform that protects the full stack and lifecycle of your cloud-native workloads. |
| Wazuh | Open-source security monitoring platform that unifies log data analysis, intrusion detection, and security monitoring. |
| AWS Security Finding Format (ASFF) | Standardized format for AWS security findings, providing a unified way to describe security issues. |
| BugCrowd | Platform that connects organizations to a global crowd of security researchers to uncover security issues. |
| DrHeader | Tool for checking security headers in HTTP responses. |
| Generic Findings | General category for various security findings and reports. |
| HuskyCI | Continuous Integration tool for performing security tests inside CI pipelines. |
| SARIF | Static Analysis Results Interchange Format, used as the output format of static analysis tools. |
| Vulners | Provides vulnerability data and information for security researchers and professionals. |
## Quickstart: Uploading Evidence

Use our CLI tool to upload your report for analysis and cataloging.

### Install CLI

Get the valint tool:

```shell
curl -sSfL https://raw.githubusercontent.com/scribe-security/misc/master/gh_install.sh | sh -s -- -t valint
```

Upload the report as evidence:

```shell
valint evidence [path] --parser <parser name> [-o attest]
```

- Use `-o attest` if you want the report to be signed.
- Use `--parser` to select one of the supported parsers.

For more detailed options, see the valint documentation.