Enable code security analysis
Introducing ArmourZero Code Security Analysis
ArmourZero's AI-powered Code Security Analysis combines multiple security code scanners to detect and analyse source code, or compiled versions of code, and find security flaws within your software development lifecycle (SDLC) and your DevOps (Development Operations) methodology and practice.
These scanners are categorised as:
1. Static Application Security Testing (SAST) - looks at the source code to check for coding and design flaws that could allow malicious code injection.
2. Infrastructure as Code (IaC) - finds vulnerabilities in the code that automates the provisioning of infrastructure, which lets your organisation develop, deploy, and scale cloud applications with greater speed, less risk, and reduced cost.
3. Software Composition Analysis (SCA) - finds the open-source libraries and components used by your code by analysing information from multiple sources such as file hashes, binaries and more.
4. Secret Scanning - finds sensitive information such as private keys, API secrets and tokens. It does so by looking at file names, extensions, and content, attempting to match them against a list of signatures.
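To illustrate the signature-matching approach described for Secret Scanning, here is a small added example (not ArmourZero's code) that applies name, extension and content signatures to a constructed repository snapshot; the signature lists and sample files are hypothetical.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Hypothetical signature lists (constructed for this example): a signature matches on file name, extension, or content.
NAME_SIGNATURES = {
    "id_rsa": "SSH private key file name",
}
EXTENSION_SIGNATURES = {
    ".pem": "PEM-encoded key or certificate",
}
CONTENT_SIGNATURES = [
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Generic API token",
     re.compile(r"(?i)\b(?:api[_-]?key|token|secret)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{20,}")),
]

@dataclass(frozen=True)
class Finding:
    path: str
    line: int   # 0 when the hit is on the file name or extension, not the content
    rule: str

def scan_file(path: str, content: str) -> list[Finding]:
    """Apply name, extension and content signatures to one file."""
    findings = []
    p = PurePosixPath(path)
    if p.name in NAME_SIGNATURES:
        findings.append(Finding(path, 0, NAME_SIGNATURES[p.name]))
    if p.suffix in EXTENSION_SIGNATURES:
        findings.append(Finding(path, 0, EXTENSION_SIGNATURES[p.suffix]))
    for lineno, text in enumerate(content.splitlines(), start=1):
        for rule, pattern in CONTENT_SIGNATURES:
            if pattern.search(text):
                findings.append(Finding(path, lineno, rule))
    return findings

def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: content} snapshot of a repository and collect all findings."""
    return [f for path, content in files.items() for f in scan_file(path, content)]

# Constructed sample repository snapshot (the values are made up, not real credentials)
SAMPLE_FILES = {
    "config/settings.py": "DEBUG = True\nAPI_KEY = 'sk_live_0123456789abcdefghijklmnop'\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n",
    "src/app.py": "def main():\n    return 'ok'\n",
    "certs/server.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n",
}
```

Running `scan_tree(SAMPLE_FILES)` reports the hard-coded API key, the `id_rsa` file both by name and by its private-key header, and the `.pem` file by extension, while the clean source file produces nothing.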
ArmourZero's AI-powered Code Security Analysis seamlessly integrates code security analysis into your cloud software development platforms, without the need to copy or retrieve any of your confidential source code. Everything is done within your DevOps pipeline tools.
Supported DevOps pipeline tools:
1. GitHub
2. GitLab
3. Bitbucket
4. CircleCI
5. Azure Pipeline
The scan results for all possible vulnerabilities detected are then compared with the industry Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) lists to determine each vulnerability's severity level. Each possible vulnerability detected is then mapped to the OWASP Top 10 List (2021) for compliance, the latest standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
There are 5 severity levels for CWE and CVE vulnerabilities:
- Critical
- High
- Medium
- Low
- Information
Integrate your cloud software development platforms with ArmourZero's AI-powered Code Security Analysis to start immediately and find all possible vulnerabilities faster than attackers.
How to integrate into DevOps pipeline tools
ArmourZero's AI-powered Code Security Analysis seamlessly integrates code security analysis into your cloud software development platforms, without the need to copy or retrieve any of your confidential source code. Everything is done within your DevOps pipeline tools.
Step 1: Obtain unique API integration key
1. Go to the left menu and select "Configuration" under the DEVSECOPS section. You will see a unique API Key that has been generated for you. Copy that API Key for the next step.
Step 2: Create project and branch
Depending on your subscribed plan, you can create as many projects as your plan allows.
1. Go to the left menu and select "Projects" under the DEVSECOPS section. Click on "Add New Project".
2. Name your project and click "Create Project".
3. Click on the Project ID or the three-dots action icon on the project, then select "View Project".
4. Create a branch by clicking "Create New Branch".
Notes:
It is very important that the branch name you enter is identical to the working branch name in your repository, since the scanner matches on it.
Step 3: Integrating to your DevOps
Integration with your DevOps pipeline tools is a one-time setup task. Depending on which DevOps pipeline tool you currently use, each platform comes with a different but simple configuration.
Refer to the links below for each DevOps pipeline tool's configuration.
Congratulations! You have completed the seamless integration of security into your DevOps. The Code Security Analysis will run automatically each time you or your team commit code to the project and branch. Experience the DevSecOps evolution and view the scan results at your convenience.
How to enable auto scan
After you have successfully obtained the Latest Overall Scan Reports, you can decide whether to have scans run automatically whenever you commit code, or to scan on demand based on your needs.
Enable auto scan
1. Go to left menu and select "Projects" under DEVSECOPS section and click on the project you intend to configure.
2. You may turn on/off the Autorun option.
How to view and mitigate vulnerabilities
You can easily view the Code Security Analysis scan results for all projects after a scan has been triggered. All scan results are listed in the Latest Overall Scan Reports.
Step 1: Select the project
1. Go to left menu and select "Projects" under DEVSECOPS section. Click on the Project ID or the three dots action icon on the project, select "View Project".
Step 2: View details of vulnerabilities detected
All scan results for all possible vulnerabilities detected are automatically compared with the industry Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) lists to determine each vulnerability's severity level.
Each possible vulnerability detected is automatically mapped to the OWASP Top 10 List (2021) for compliance, the latest standard awareness document for developers and web application security.
1. A Latest Overall Scan Report of the Code Security Analysis is generated for you automatically. In a single glance at the summary report, you can see the results of all 4 scanners.
2. You can also see past scan reports under the "SCAN HISTORY" tab to compare previous results with the current ones. This is very useful if you have made corrections or remediations to your code, or simply to compare against the latest possible vulnerabilities found.
The scan report is summarised into the 5 CWE and CVE severity levels: Critical, High, Medium, Low and Information.
There are 2 ways to view the details of the vulnerabilities detected.
By each scanner
1. You can view each scanner's results individually. Each scanner has its own automatically compiled report. Simply click "View Report" to look at the details of the scan results.
2. Click on "Vulnerabilities Detected" (the default selection). You will see each scanner's detailed report.
You can easily view your latest source code's compliance status based on each scanner's results.
By overall vulnerabilities
1. Go to the left menu and select Vulnerabilities under the MANAGE section. You can easily sort by project/branch, severity level, compliance or type of scanner (across all scanners).
Step 3: Mitigate vulnerabilities
There are 2 ways to mitigate the vulnerabilities detected.
By each scanner
1. Click on "Mitigation & Task Assignment". Here you can sort the list by the severity you intend to focus on.
2. For each vulnerability found, click "Mitigate" to view its details and how you and your team can mitigate it with AI remediation suggestions. You can also assign the mitigation task to team members and follow the mitigation status.
By overall vulnerabilities
1. Go to the left menu and select Vulnerabilities under the MANAGE section. You can easily sort by project/branch, severity level, compliance or type of scanner (across all scanners).
2. For each vulnerability found, click "Mitigate" to view its details and how you and your team can mitigate it with AI remediation suggestions. You can also assign the mitigation task to team members and follow the mitigation status.
There are 2 main parts to mitigation:
Part 1
- AI False Positive Detector - checks the AI's analysis in real time to ensure the detected vulnerability is not mistakenly identified as a threat or risk.
- Task management - assigns the fix to team members and tracks the mitigation progress and status.
Part 2
- Vulnerability type and information - lists detailed information about the vulnerability found.
- Generated By AI - shows the AI's analysis and its recommended remediation in real time.
Notes:
Each vulnerability detected has its own characteristics, type, severity and risk to you and your company, so each vulnerability has its own remediation to work on. Take some time to learn about ArmourZero's AI-powered false positive detector and recommended remediation in the links provided above.