
Scanner Registry Modules

BoostSecurity supports several scanner modules that are available through the BoostSecurity module registry. Any of these scanner modules can be easily configured as part of your CI to scan your code or artifact resources for vulnerabilities. The scanners cover different security categories:

- Source Code Scanning (SAST)
- Software Composition Analysis (SCA)
- Container Scanning
- Software Bill of Materials (SBOM)

The list of supported scanners is growing continuously, so check the What's New section for newly released scanners.

In the tables below, the PR Flow column indicates whether the scanner module can be configured to scan in the PR flow. Scanner modules that don't support the PR flow are meant to be configured to scan in the main branch's flow. Some scanners require environment variables to be configured, for example in order to scan a generated artifact: for container image scanning, the scanner requires the name of the image to scan to be set in an environment variable. The Configuration column in the tables below indicates which environment variables, if any, need to be set.

Source Code Scanners (SAST)

| Scanner | registry_module name | PR Flow | Configuration | Description |
| --- | --- | --- | --- | --- |
| Boost Native Scanner | boostsecurityio/native-scanner | yes | - | The Boost-provided scanner, which leverages a number of open source and home-grown security checks with curated rules. Supports scanning for multiple languages. |
| Brakeman | boostsecurityio/brakeman | yes | - | The Brakeman module scans Ruby source code for vulnerabilities, leveraging the latest version of brakeman from presidentbeef/brakeman. |
| Semgrep | boostsecurityio/semgrep | yes | - | The Semgrep module scans source code for vulnerabilities, supporting various programming languages. The module leverages semgrep version 0.112 from returntocorp/semgrep. |

Software Composition Analysis (SCA)

| Scanner | registry_module name | PR Flow | Configuration | Description |
| --- | --- | --- | --- | --- |
| Snyk | boostsecurityio/snyk-test | yes | - | The Snyk module scans the project's package dependencies for vulnerabilities, using the snyk CLI tool with the test command for SCA. |
| Bundler Audit | boostsecurityio/bundler-audit | yes | GEMFILE_LOCK | The bundler audit module scans the Ruby project's dependencies for vulnerabilities, using the bundler-audit scanner. The optional environment variable GEMFILE_LOCK can be set to check a custom Gemfile.lock file. |
| NPM Audit | boostsecurityio/npm-audit | yes | NPM_AUDIT_ARGS | The npm audit module scans the Node.js project's dependencies for vulnerabilities, using the npm audit scanner. The optional environment variable NPM_AUDIT_ARGS can be set to pass npm audit options. |

Container Image Scanning

| Scanner | registry_module name | PR Flow | Configuration | Description |
| --- | --- | --- | --- | --- |
| Trivy Image | boostsecurityio/trivy-image | no | BOOST_IMAGE_NAME | The Trivy module scans container images for vulnerabilities, using the trivy tool with the image command. Note that the Trivy module reads the environment variable BOOST_IMAGE_NAME to know which image to scan. The CI workflow calling the Trivy module needs to do so after the container image has been built, with the name of the image to scan set in that environment variable. |

Software Bill of Materials

| Scanner | registry_module name | PR Flow | Configuration | Description |
| --- | --- | --- | --- | --- |
| Trivy SBOM | boostsecurityio/trivy-sbom | no | - | The Trivy module for SBOM collects the component inventory from source code, using the trivy CLI tool. |
| Trivy SBOM for container images | boostsecurityio/trivy-sbom-image | no | BOOST_IMAGE_NAME | The Trivy module for SBOM collects the component inventory from container images, using the trivy tool. The environment variable BOOST_IMAGE_NAME needs to be set to the name of the container image to scan. The CI workflow calling the Trivy module needs to do so after the container image has been built, with the name of the image to scan set in that environment variable. |