Enable code scan
-
Introducing ArmourZero Code Scan
ArmourZero's AI-powered Code Scan combines multiple security code scanners to detect and analyse source code, or compiled builds of it, and surface security flaws within your software development lifecycle (SDLC) and your DevOps (Development Operations) practice.
These scanners are categorised as:
1. Static Application Security Testing (SAST) - examines the source code for coding and design flaws, such as those that could allow malicious code or input to be injected.
2. Infrastructure as Code (IaC) scanning - examines the code that automates infrastructure provisioning for misconfigurations and vulnerabilities, so your organisation can develop, deploy and scale cloud applications faster, with less risk and at lower cost.
3. Software Composition Analysis (SCA) - identifies the open-source libraries and components your code depends on, analysing information from multiple sources such as file hashes and binaries, so that known vulnerabilities in those components can be reported.
4. Secret Scanning - finds sensitive information such as private keys, API secrets and tokens. It does so by examining file names, extensions and content and matching them against a list of signatures.
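To make the signature-matching approach described in item 4 concrete, here is a small secret scanner, added as an illustration and not part of ArmourZero's product or this page. It walks a constructed in-memory repository snapshot, matches file names against file-name signatures and every line of content against content signatures, and adds a Shannon-entropy heuristic (which goes beyond the text above) for secrets that have no fixed format. The signature lists and the sample repository are constructed for this example; the AWS key is Amazon's documented placeholder key, the GitHub token is fabricated, and matched values are partially redacted in the output so the report itself does not leak the secret.

```python
import math
import re
from dataclasses import dataclass

# Illustrative signature lists, constructed for this example. ArmourZero's
# actual signature set is not published on this page.
FILENAME_SIGNATURES = {
    "ssh-private-key-file": re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"),
    "key-material-file": re.compile(r"\.(pem|key|p12|pfx)$", re.IGNORECASE),
    "dotenv-file": re.compile(r"(^|/)\.env(\.[^/]+)?$"),
}

CONTENT_SIGNATURES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack-token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}

# Fallback for secrets with no fixed format: a secret-looking variable name
# assigned a quoted value of 16+ characters, filtered by Shannon entropy so
# that placeholders like "aaaaaaaa..." are not reported.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*[\"']([^\"'\s]{16,})[\"']"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # 0 for matches on the file name itself
    signature: str
    excerpt: str     # matched value, partially redacted


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage, mask the rest."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_file(path: str, content: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings = []
    # 1. File-name and extension signatures (e.g. a committed SSH key file).
    for name, pattern in FILENAME_SIGNATURES.items():
        if pattern.search(path):
            findings.append(Finding(path, 0, name, ""))
    # 2. Content signatures, line by line, so the report can point at the line.
    for lineno, line in enumerate(content.splitlines(), start=1):
        for name, pattern in CONTENT_SIGNATURES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, name, redact(m.group(0))))
        # 3. Generic high-entropy assignment heuristic.
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append(Finding(path, lineno, "high-entropy-secret", redact(m.group(2))))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: content} snapshot of a repository."""
    out = []
    for path, content in files.items():
        out.extend(scan_file(path, content))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per file, for a quick overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.path] = counts.get(f.path, 0) + 1
    return counts


# Constructed repository snapshot used as sample input.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = True\n"
        'API_KEY = "Xk9pQ2vL7mN4rT8wZ1bC5dF3gH6jK0yA"\n'   # random-looking: flagged
        'PASSWORD = "aaaaaaaaaaaaaaaaaaaa"\n'               # low entropy: ignored
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"   # AWS documented example key
        'curl -H "Authorization: token ghp_0123456789abcdefghijklmnopqrstuvwxyz" https://api.github.com/user\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "# Service\nNo secrets here.\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_REPO):
        print(f"{f.path}:{f.line} {f.signature} {f.excerpt}")
```

Running the block reports five findings: the high-entropy API key in settings.py, the AWS key ID and GitHub token in deploy.sh, and both the file name and the key block of deploy/id_rsa, while the placeholder password and the README produce nothing. A production scanner would additionally walk the git history, since a secret removed in a later commit is still retrievable from earlier ones.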
ArmourZero's AI-powered Code Scan integrates code security analysis into your cloud software development platforms without copying or retrieving your confidential source code. Everything runs inside your CI/CD pipeline tools.
Supported CI/CD pipeline tools:
1. GitHub
2. GitLab
3. Bitbucket
4. CircleCI
5. Azure Pipelines
6. Jenkins
7. Gitea
Every possible vulnerability detected is compared against the industry Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) references to determine its severity level. Each finding is then mapped to the OWASP Top 10 (2021) and the OWASP Mobile Top 10 (2024), the latest awareness documents for developers and application security, which represent a broad consensus about the most critical security risks to web and mobile applications.
Findings are assigned one of 5 severity levels:
- Critical
- High
- Medium
- Low
- Information
Integrate your CI/CD pipeline tools with ArmourZero's AI-powered Code Scan to start immediately and find possible vulnerabilities before attackers do.
-
How to integrate into CI/CD pipeline tools
ArmourZero's AI-powered Code Scan integrates code security analysis into your cloud software development platforms without copying or retrieving your confidential source code. Everything runs inside your CI/CD pipeline tools.
Supported CI/CD pipeline tools:
1. GitHub
2. GitLab
3. Bitbucket
4. CircleCI
5. Azure Pipelines
6. Jenkins
7. Gitea
Step 1: Create repository and branch
You can create as many repositories as your subscription plan allows.
1. Go to the left menu, select "Code" under the VULNERABILITY SCANNERS section, then click "Add New Repository".
2. Select the type of application source code you would like to scan. If you use GitHub or GitLab, you can sign in with single sign-on (SSO) to retrieve your repositories and branches. ArmourZero supports scanning of both web and mobile application source code.
3. Click on the Project ID or the three-dots action icon on the project and select "View Scan Details". You will be asked to create a branch by clicking "Add New Branch".
Notes:
The branch name you enter must be identical to the name of the working branch in your repository.
Step 2: Obtain unique API integration key
1. Go to the left menu, select "Code" under the VULNERABILITY SCANNERS section, then click "Configuration".
2. A unique API key has been generated for you. Copy it for the next step. Treat this key as a secret: store it in your CI/CD tool's secret or credential store and reference it from the pipeline configuration, rather than pasting it into the pipeline file or committing it to the repository.
Step 3: Integrating to your CI/CD pipeline tools
Integration into your CI/CD pipeline tool is a one-time setup task, regardless of the type of application you selected in Step 1. Each platform has its own configuration, but all of them are simple.
Refer to the links below for each CI/CD pipeline tool's configuration.
Congratulations! You have integrated security into your CI/CD pipeline. From now on, a Code Scan runs automatically each time you or your team commit code to the project and branch. View the scan results at your convenience.
-
How to enable auto scan
Once the repository has been integrated, you can decide whether scans run automatically on every commit or only on demand. Depending on your subscribed plan, you can trigger multiple scans on multiple repositories at the same time; the time to complete a scan depends on the size of the source code.
You must create the repository and integrate it with your CI/CD pipeline tool before scanning can be activated.
Enable auto scan
1. Go to the left menu and select "Code" under the VULNERABILITY SCANNERS section. Click on the Project ID or the three-dots action icon on the project and select "View Scan Details".
2. Toggle the "Autorun Scan" option on or off.
-
How to view and mitigate vulnerabilities
You can view the Code Scan results for all projects once a scan has been triggered. All scan results are listed in the Latest Overall Scan Reports.
Step 1: Select the project
1. Go to the left menu and select "Code" under the VULNERABILITY SCANNERS section. Click on the Project ID or the three-dots action icon on the project and select "View Scan Details".
Step 2: View details of vulnerabilities detected
Every possible vulnerability detected is automatically compared against the industry Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) references to determine its severity level, and mapped to the OWASP Top 10 (2021), the latest awareness document for developers and web application security.
1. A Latest Overall Scan Report is generated automatically. The summary shows the results of all 4 scanners at a glance.
2. Past reports are available under the "Scan History" button, so you can compare previous results with the current ones. This is useful after you have corrected or remediated your code, or simply to see which possible vulnerabilities are new.
The scan report is summarised by the 5 severity levels: Critical, High, Medium, Low and Information.
There are 2 ways to view details of vulnerabilities detected.
By each scanner
1. Each scanner compiles its own automated report. Click on a scanner to see the details of its scanned results. The findings are compared against CWE and CVE for severity and mapped to the OWASP Top 10 (2021) as described above, so you can see your latest source code's compliance status for each scanner.
By overall vulnerabilities
1. Go to the left menu and select Vulnerabilities under the MANAGE section. You can sort the findings by repository/branch, severity level, compliance or scanner type (across all scanners).
Step 3: Mitigate vulnerabilities
There are 2 ways to mitigate vulnerabilities detected.
By each scanner
1. Click on the scanner to view the details of the vulnerabilities it found.
2. Click "Mitigation & Task Assignment". Here you can sort the list by the severity you intend to focus on.
3. For each vulnerability found, click on it to view its details and the AI remediation suggestions for fixing it. You can also assign the mitigation task to team members and follow its status.
By overall vulnerabilities
1. Go to the left menu and select Vulnerabilities under the MANAGE section. You can sort the findings by repository/branch, severity level, compliance or scanner type (across all scanners).
2. For each vulnerability found, click on it to view its details and the AI remediation suggestions for fixing it. You can also assign the mitigation task to team members and follow its status.
There are 2 main parts to mitigation:
Part 1: Information
- Vulnerability type and information - details of the vulnerability found, including the lines of code that caused it.
Part 2: AI Assistance
- AI Assistance False Positive Detector - real-time AI analysis that checks whether the detected vulnerability is a genuine threat or has been mistakenly identified as one. Treat its verdict as an aid to triage and confirm a finding is a false positive before dismissing it.
- Task management - assign the fix to team members and track the mitigation progress and status.
- AI Assistance Remediation Suggestion - real-time AI analysis that recommends a remediation for the vulnerability.
Notes:
Each vulnerability has its own characteristics, type, severity and risk to you and your company, so each has its own remediation to work on.