
Scanner Registry Modules

BoostSecurity supports several scanner modules that are available through the BoostSecurity module registry. Any of these modules can be configured as part of your Continuous Integration (CI) pipeline to scan your source code or build artifacts for vulnerabilities. The scanners cover several security categories, each listed in its own section below: source code scanning (SAST), software composition analysis (SCA), container image scanning, and software bill of materials (SBOM) collection.

The list of supported scanners grows continuously, so check the What's New section for newly released scanners.

In the tables below, the Pull Request Flow column indicates whether the scanner module can be configured to run in the pull request flow. Modules that don't support the pull request flow are meant to run in the main branch's flow.

Some scanners require environment variables, for example to locate generated artifacts: the container image scanners need the name of the image to scan in an environment variable, so the CI step that calls them must run after the image has been built. The Configuration column in the tables below lists the environment variables each module requires or accepts (a dash means none).

Source Code Scanners (SAST)

Scanner | registry_module name | Pull Request Flow | Configuration | Description
--- | --- | --- | --- | ---
Boost Native Scanner | boostsecurityio/native-scanner | yes | - | The BoostSecurity-provided scanner, which combines several open source and homegrown security checks with curated rules. Supports multiple languages.
Brakeman | boostsecurityio/brakeman | yes | - | Scans Ruby on Rails source code for vulnerabilities, using the latest version of brakeman from presidentbeef/brakeman.
Checkov | boostsecurityio/checkov | yes | - | Scans infrastructure-as-code (for example Terraform, CloudFormation and Kubernetes manifests) for misconfigurations, using the checkov scanner from bridgecrew/checkov.
Semgrep | boostsecurityio/semgrep | yes | - | Scans source code for vulnerabilities in a wide range of programming languages, using semgrep version 0.112 from returntocorp/semgrep.
GoSec | boostsecurityio/gosec | yes | - | Scans Go source code for vulnerabilities, using gosec from securego/gosec.
CodeQL | boostsecurityio/codeql | yes | CODEQL_LANGUAGE | Scans source code for vulnerabilities in several programming languages, using CodeQL from GitHub. The environment variable CODEQL_LANGUAGE must be set to the programming language being scanned.
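As an added example (not from this page or from BoostSecurity's own documentation), the following GitHub Actions workflow runs two of the SAST modules above in the pull request flow: Semgrep, which needs no configuration, and CodeQL, which needs CODEQL_LANGUAGE. The workflow and job names, the use of actions/checkout, and the language value `javascript` are assumptions; set CODEQL_LANGUAGE to whatever language your repository actually contains.

```yaml
# Added example workflow; names and the CODEQL_LANGUAGE value are assumptions.
name: sast

on:
  pull_request:          # both modules support the pull request flow
  push:
    branches: [main]     # also keep the main branch covered

permissions:
  contents: read         # least privilege: the scanners only need to read the code

jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: semgrep
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          registry_module: boostsecurityio/semgrep
          api_token: ${{ secrets.BOOST_API_TOKEN }}
        # No env block: the Configuration column for Semgrep is "-".

  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: codeql
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          registry_module: boostsecurityio/codeql
          api_token: ${{ secrets.BOOST_API_TOKEN }}
        env:
          # Required by the CodeQL module; "javascript" is an assumed value.
          CODEQL_LANGUAGE: javascript
```

Running the two scanners as separate jobs lets them execute in parallel and keeps a failure in one from masking the other's results; the API token is read from a repository secret rather than written into the workflow.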

Software Composition Analysis (SCA)

Scanner | registry_module name | Pull Request Flow | Configuration | Description
--- | --- | --- | --- | ---
Snyk | boostsecurityio/snyk-test | yes | - | Scans the project's package dependencies for vulnerabilities, using the snyk Command Line Interface (CLI) with the test command for SCA.
Bundler Audit | boostsecurityio/bundler-audit | yes | GEMFILE_LOCK | Scans a Ruby project's dependencies for vulnerabilities, using the bundler-audit scanner. The optional environment variable GEMFILE_LOCK can be set to check a custom Gemfile.lock file.
NPM Audit | boostsecurityio/npm-audit | yes | NPM_AUDIT_ARGS | Scans a Node.js project's dependencies for vulnerabilities, using npm audit. The optional environment variable NPM_AUDIT_ARGS can be set to pass options to npm audit.
Safety | boostsecurityio/safety | yes | - | Scans a Python project's dependencies for vulnerabilities, using the safety scanner.
Nancy | boostsecurityio/nancy | yes | NANCY_ARGS, GOPKG_LOCK, GO_LIST_PATH | Scans a Go project's dependencies for vulnerabilities, using the Nancy scanner. Optional environment variables: NANCY_ARGS sets the Nancy scanner arguments; GOPKG_LOCK sets the path of the Go dependency lock file (default Gopkg.lock); GO_LIST_PATH sets the path of the file holding the list of modules (default .nancy-go-list.json).

Container Image Scanning

Scanner | registry_module name | Pull Request Flow | Configuration | Description
--- | --- | --- | --- | ---
Trivy Image | boostsecurityio/trivy-image | no | BOOST_IMAGE_NAME | Scans container images for vulnerabilities, using the trivy tool with the image command. The module reads the environment variable BOOST_IMAGE_NAME to know which image to scan, so the continuous integration (CI) workflow must call the module after the container image has been built, with BOOST_IMAGE_NAME set to the name of the image to scan.

Example

Assuming that you're using GitHub Actions, add the following stanza to the action where you would like to scan an image:

- name: trivy-image
  # Must run after the step that builds the image.
  uses: boostsecurityio/boostsec-scanner-github@v4
  with:
    registry_module: boostsecurityio/trivy-image
    api_token: ${{ secrets.BOOST_API_TOKEN }}
  env:
    # Name (and tag) of the image built earlier in the job.
    BOOST_IMAGE_NAME: xxxxxxxx

Software Bill of Materials

Scanner | registry_module name | Pull Request Flow | Configuration | Description
--- | --- | --- | --- | ---
Trivy SBOM | boostsecurityio/trivy-sbom | no | - | Collects the component inventory from source code using the trivy CLI tool.
Trivy SBOM for container images | boostsecurityio/trivy-sbom-image | no | BOOST_IMAGE_NAME | Collects the component inventory from a container image using the trivy tool. The environment variable BOOST_IMAGE_NAME must be set to the name of the container image to scan, so the continuous integration (CI) workflow must call the module after the container image has been built, with BOOST_IMAGE_NAME set accordingly.
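The Trivy Image and Trivy SBOM for container images modules both depend on the image already existing and on BOOST_IMAGE_NAME pointing at it. As an added example that is not from this page or from BoostSecurity's own documentation, the following GitHub Actions workflow builds the image in the same job, exports its name through GITHUB_ENV so that later steps see it, and then runs both modules against that exact build. The workflow and job names, the image name `my-app`, the Dockerfile location, and the use of the commit SHA as the tag are assumptions; the trigger is push to main because neither module supports the pull request flow.

```yaml
# Added example workflow; names, the image tag scheme and the Dockerfile
# location are assumptions. Both Trivy image modules run on the main branch
# flow only, so the workflow is triggered on push to main.
name: image-scan

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build the image, then export its name for the following steps.
      # Tagging with the commit SHA ties each scan result to one exact build.
      - name: build
        run: |
          IMAGE="my-app:${GITHUB_SHA::12}"   # assumed image name
          docker build -t "$IMAGE" .
          echo "BOOST_IMAGE_NAME=$IMAGE" >> "$GITHUB_ENV"

      # Vulnerability scan of the image that was just built.
      - name: trivy-image
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          registry_module: boostsecurityio/trivy-image
          api_token: ${{ secrets.BOOST_API_TOKEN }}
        env:
          BOOST_IMAGE_NAME: ${{ env.BOOST_IMAGE_NAME }}

      # SBOM of the same image, reusing the exported name.
      - name: trivy-sbom-image
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          registry_module: boostsecurityio/trivy-sbom-image
          api_token: ${{ secrets.BOOST_API_TOKEN }}
        env:
          BOOST_IMAGE_NAME: ${{ env.BOOST_IMAGE_NAME }}
```

Values appended to GITHUB_ENV are already visible to later steps of the same job, so the explicit `env:` blocks are redundant; they are kept to make the dependency on the build step obvious to anyone reading the workflow. If the image is built in a different job, the name must be passed across as a job output instead, since GITHUB_ENV does not cross job boundaries.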