There is no great solution in the open-source community for performing license, vulnerability and secret detection in a single platform. You end up resorting to a collection of shell scripts or purchasing a commercial tool.
Scan7 scans private and public code repositories for license, vulnerability and secrets data, tracks the results over time in its web console, and is aimed at security teams.
The current design is ideal for a Security Assurance team that wishes to run out-of-band scans against their company repos to track licenses, vulnerabilities and secrets at the code level.
- Not ideal for placement in a CI/CD flow: there is no API to start or stop scans yet, but one is on the roadmap
- Not ideal if you need quick results
Unfortunately I have not got around to "Dockerizing" this project.
1.) Install a PostgreSQL server
2.) Install Docker
3.) Clone this repo
4.) Run pip3 install -r requirements.txt
5.) Run flask run --cert=adhoc -h 0.0.0.0 -p 443
(You may have to install openssl to use adhoc certificates.)
- Support for CI/CD
- Customization for the different scan types
- Dockerize everything
Scan7 uses the following open-source tools to perform the scanning:
- Scancode (https://github.com/nexB/scancode-toolkit)
- Gitleaks (https://github.com/zricethezav/gitleaks)
- OWASP Dependency Check (https://jeremylong.github.io/DependencyCheck/)
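The "single platform" point above comes down to merging three differently shaped reports into one record set. The following is an added illustration, not Scan7's own code: it normalizes constructed sample output from the three tools into one findings list and keeps only a fingerprint of each detected secret rather than the secret itself. The JSON field names used for Gitleaks, Scancode and Dependency-Check are assumptions about their report formats and should be checked against the versions you run.

```python
import json
from hashlib import sha256

# Constructed sample reports, not real scanner output. Field names follow the
# JSON report shapes of Gitleaks v8, Scancode Toolkit ("licenses" per file) and
# OWASP Dependency-Check as assumed here; check them against your versions.
GITLEAKS = json.dumps([{"RuleID": "aws-access-token", "File": "config.py",
                        "StartLine": 12, "Secret": "AKIAEXAMPLE0000000000"}])
SCANCODE = json.dumps({"files": [
    {"path": "vendor/lib.js", "licenses": [{"key": "gpl-3.0", "score": 100.0}]},
    {"path": "src", "licenses": []}]})
DEPCHECK = json.dumps({"dependencies": [
    {"fileName": "example-lib-1.0.jar",
     "vulnerabilities": [{"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL"}]},
    {"fileName": "other-lib-2.0.jar"}]})

def normalize(gitleaks_json, scancode_json, depcheck_json):
    """Merge the three reports into one list of findings. The raw secret is
    never stored; a truncated SHA-256 fingerprint is kept for de-duplication."""
    findings = []
    for hit in json.loads(gitleaks_json):
        fp = sha256(hit["Secret"].encode()).hexdigest()[:16]
        findings.append({"kind": "secret", "subject": hit["File"],
                         "detail": hit["RuleID"], "line": hit["StartLine"],
                         "fingerprint": fp})
    for f in json.loads(scancode_json)["files"]:
        for lic in f.get("licenses", []):
            findings.append({"kind": "license", "subject": f["path"],
                             "detail": lic["key"], "score": lic["score"]})
    for dep in json.loads(depcheck_json)["dependencies"]:
        for vuln in dep.get("vulnerabilities", []):
            findings.append({"kind": "vulnerability", "subject": dep["fileName"],
                             "detail": vuln["name"], "severity": vuln["severity"]})
    return findings

def summarize(findings):
    """Count findings per kind: the numbers a console would chart over time."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts

if __name__ == "__main__":
    results = normalize(GITLEAKS, SCANCODE, DEPCHECK)
    print(json.dumps(results, indent=2))
    print(summarize(results))
```

Storing the fingerprint instead of the secret lets a scan history be kept in the database without turning the console into a second place the credential can leak from.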