SecObserve gathers results about potential security flaws from various vulnerability scanning tools and makes them available for assessment and reporting.
It consists of 2 major components:
-
GitHub actions and GitLab CI templates: Integrating vulnerability scanners into a CI/CD pipeline can be tedious. Each tool has to be installed differently and is called with different parameters. To avoid having to solve this task all over again, there are repositories with GitHub actions and GitLab CI templates. These make the process of integrating vulnerability scanners very simple by providing uniform methods for launching the tools and uniform parameters. The tools are regularly updated in the repositories so that the latest features and bug fixes are always available.
All actions and templates run the scanner, upload the results into SecObserve and make the results of the scans available for download as artefacts in JSON format.
These GitHub actions and GitLab CI templates are the content of this repository.
-
Vulnerability management system SecObserve: SecObserve provides the development team with an overview of the results of all vulnerability scans for their project, which can be easily filtered and sorted. In the detailed view, the results are displayed uniformly with a wealth of information, regardless of which vulnerability scanner generated them.
The sources of the vulnerability management system can be found in https://github.com/MaibornWolff/SecObserve.
| Scanner | GitHub Action | GitLab CI Template | License |
|---|---|---|---|
| Bandit | actions/SAST/bandit |
templates/SAST/bandit.yml |
Apache 2.0 |
| ESLint | actions/SAST/eslint |
templates/SAST/eslint.yml |
MIT |
| Semgrep | actions/SAST/semgrep |
templates/SAST/semgrep.yml |
LGPL 2.1 |
| Checkov | actions/SAST/checkov |
templates/SAST/checkov.yml |
Apache 2.0 |
| KICS | actions/SAST/kics |
templates/SAST/kics.yml |
Apache 2.0 |
| tfsec | actions/SAST/tfsec |
templates/SAST/tfsec.yml |
MIT |
| Grype | actions/SCA/grype_image |
templates/SCA/grype_image.yml |
Apache 2.0 |
| Trivy | actions/SCA/trivy_filesystem |
templates/SCA/trivy_filesystem.yml |
Apache 2.0 |
| Trivy | actions/SCA/trivy_image |
templates/SCA/trivy_image.yml |
Apache 2.0 |
| Gitleaks | actions/secrets/gitleaks |
templates/secrets/gitleaks.yml |
MIT |
| CryptoLyzer | actions/DAST/cryptolyzer |
templates/DAST/cryptolyzer.yml |
MPL 2.0 |
| DrHeader | actions/DAST/drheader |
templates/DAST/drheader.yml |
MIT |
| ZAP | actions/DAST/zap |
templates/DAST/zap.yml |
Apache 2.0 |
All GitHub actions and GitLab CI templates use a pre-built Docker image that contains all scanners and the SecObserve importer.
See GitHub actions and GitLab CI templates for the full documentation how to use the actions and templates.
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
SecObserve is licensed under the 3-Clause BSD License