Scanners
BoostSecurity offers a variety of robust scanners that can effectively detect and resolve potential security risks. Nonetheless, with numerous scanners to choose from, it can be difficult to decide which ones are most appropriate for your particular repository.
To help with that choice, BoostSecurity provides a range of tools tailored to different programming languages, enabling you to pinpoint potential vulnerabilities in your repository with ease. The available scanners are:
Scanner | Coverage Type | Scan Execution | Description | Supports | On Main | On PR |
---|---|---|---|---|---|---|
BoostSecurity Scanner | CI/CD, SAST | In Pipeline | A custom scanner that complements purpose-built SAST tools by detecting specific weaknesses other tools miss. This is not intended to be your sole SAST solution. | ✅ | ✅ | |
CI/CD Scanner for SCM | CI/CD | Server | Leveraging data from your Source Control Management system's API, this is a BoostSecurity proprietary set of rules looking for misconfigurations and potential risks in your CI/CD pipelines. | GitHub, Gitlab, BitBucket, Azure Dev Ops | ✅ | ❌ |
Checkmarx | IaC, SAST | Server | A commercial SAST and IaC scanning tool which Boost supports ingesting data from. Requires an active account with Checkmarx and a configured integration connection to be enabled. | Supported languages and frameworks. | ✅ | ❌ |
Checkov | IaC | In Pipeline | A static analysis tool for detecting vulnerabilities in your Infrastructure as Code files. | Ansible, CloudFormation, Kubernetes, Serverless, Terraform | ✅ | ✅ |
BoostSecurity OSS License | License | Server | A Boost utility that enriches your generated SBOM with open source license information, which can be leveraged when creating a Policy to ensure that no licenses unacceptable to your organization are introduced into your codebase. | Based off SBOM | ✅ | ❌ |
BoostSecurity SCA | License, SCA | In Pipeline | An all-in-one Boost scanning tool that generates your SCA findings, and enriches those findings with EPSS scores, OpenSSF scores, License information, and detected malware. The only SCA tool you should ever need! | Ruby, Python, PHP, Node.js, .NET, Java, Go, Rust, C/C++, Elixir, Dart, Swift | ✅ | ✅ |
Brakeman | SAST | In Pipeline | A static analysis code scanner specific to Ruby code. | Ruby | ✅ | ✅ |
CodeQL | SAST | In Pipeline | Static analysis and code quality scanning tool. This tool is restricted by a GitHub license, so ensure you have the rights to use the software before you do. | Go, Java, JavaScript, Python, Ruby, TypeScript | ✅ | ✅ |
GoSec | SAST | In Pipeline | A static analysis code scanner specific to the Go language. | Go | ✅ | ✅ |
Semgrep | SAST | In Pipeline | With support for over 30 languages and over 2000 community-driven rules, Semgrep is an incredibly comprehensive static analysis code scanning tool which can be configured for your needs. | Bash, C, C++, C#, Cairo, Clojure, Dart, Dockerfile, Generic, Go, Hack, HTML, Java, JavaScript, JSON, Jsonnet, Julia, Lisp, Lua, Kotlin, Ruby, Rust, JSX, Ocaml, PHP, Python, R, Scala, Scheme, Solidity, Swift, TypeScript, YAML, XML | ✅ | ✅ |
Semgrep Pro | SAST | In Pipeline | Boost supports ingesting data from Semgrep Pro provided you have an active license for the software. This tool can be provisioned once you have configured Boost with your account token. | Bash, C, C++, C#, Cairo, Clojure, Dart, Dockerfile, Generic, Go, Hack, HTML, Java, JavaScript, JSON, Jsonnet, Julia, Lisp, Lua, Kotlin, Ruby, Rust, JSX, Ocaml, PHP, Python, R, Scala, Scheme, Solidity, Swift, TypeScript, YAML, XML | ✅ | ✅ |
Snyk Provider | SAST, SCA | Server | Boost supports ingesting data from Snyk once you've established an integration with your instance. Enable Snyk Provider in the integration page of Boost to ingest data from Snyk. | Supported languages and frameworks. | ✅ | ❌ |
SonarQube | SAST | Server | Boost supports ingesting data from SonarQube once you've established an integration with your instance. Enable SonarQube in the integration page of Boost to ingest data from SonarQube. | Supported languages and frameworks. | ✅ | ❌ |
Trivy (FS SBOM) | SBOM | In Pipeline | A flexible tool for generating SBOMs from a wide variety of lockfiles across over a dozen languages. | Ruby, Python, PHP, Node.js, .NET, Java, Go, Rust, C/C++, Elixir, Dart, Swift | ✅ | ❌ |
Black Duck | SCA | Server | Boost supports ingesting data from Black Duck once you've established an integration with your instance. Enable Black Duck in the integration page of Boost to ingest data from Black Duck. | Java, JavaScript, Python, Ruby, PHP, C, C++, C#, Go, Swift, TypeScript, Objective-C, Kotlin, Scala, Groovy, Perl, Rust, Dart, Elixir, Erlang | ✅ | ❌ |
Bundler-Audit | SCA | In Pipeline | A Ruby-specific SCA scanner which will detect vulnerabilities in your open source Ruby packages. | Ruby | ✅ | ✅ |
Nancy | SCA | In Pipeline | A Go-specific SCA scanner which will detect vulnerabilities in your open source Go packages. | Go | ✅ | ✅ |
Npm-Audit | SCA | In Pipeline | A Node.js-specific SCA scanner which will detect vulnerabilities in your open source Node.js packages. | Node.js | ✅ | ✅ |
Osv-Scanner | SCA | In Pipeline | A flexible SCA scanning tool with support for a dozen different languages. | C/C++, Dart, Elixir, Go, Java, Javascript, PHP, Python, R, Ruby, Rust | ✅ | ✅ |
BoostSecurity SBOM SCA | SCA | Server | An SCA scanning tool bundled by Boost which generates SCA findings from your current SBOM. This tool only works if you have an SBOM generation tool enabled, and is unnecessary if you've enabled BoostSecurity SCA. | Ruby, Python, PHP, Node.js, .NET, Java, Go, Rust, C/C++, Elixir, Dart, Swift | ✅ | ❌ |
Snyk SCA | SCA | In Pipeline | A bundled version of the Snyk scanning technology. While this does not require a connection to your primary Snyk instance, this scanner does require you to provide an account token to Boost before it can be enabled. Unlike the Provider integration, this version of the Snyk scanner can be run on Pull Requests. | Supported languages and frameworks. | ✅ | ✅ |
Trivy (Filesystem Scanning) | SCA | In Pipeline | An SCA scanning tool based on the Trivy open source scanning tool. | Ruby, Python, PHP, Node.js, .NET, Java, Go, Rust, C/C++, Elixir, Dart, Swift | ✅ | ✅ |
Dependabot | SCA | Server | For users of GitHub, if you have Dependabot enabled on your account, Boost can ingest the data generated by Dependabot by enabling this scanner. If you enable this scanner and do not have access to Dependabot, the scan will fail. | Supported languages and frameworks. | ✅ | ❌ |
BoostSecurity Supply Chain Inventory | Supply Chain Inventory | Server | A Boost utility that identifies Supply Chain Inventory components in your SCM and CI/CD pipelines (such as GitHub Actions or CircleCI Orbs) in order to provide a catalogue of everything that can touch your code. Think of this as an SBOM for your supply chain. | GitHub, GitHub Actions, CircleCI, BuildKite, Gitlab, Gitlab Pipelines | ✅ | ❌ |
Gitleaks | Secrets | In Pipeline | Gitleaks is a trusted open source utility for identifying stored secrets in your source code. Its highly tunable set of rules will quickly identify any credentials accidentally left behind during a code check-in. | Any | ✅ | ✅ |
Gitleaks Git Scan | Secrets | In Pipeline | Gitleaks Git Scan can augment the standard Gitleaks scanner by detecting any secrets that may be stored in your source control history. This tool only runs against your main branch, and should only be used if your intent is to wipe your Git history of any accidentally checked-in credentials. | Any | ✅ | ❌ |