SecureCheckPlus by Accso is a web application that can be integrated into the CI/CD process via an adapter. It allows the identification, review, and documentation of already known vulnerabilities based on the libraries used.
This application was developed by the DevOps Community at Accso Accelerated Solutions in Germany. It was made opensource and published at GitHub in 2024. A manual about how to use the frontend is available here.
For more information see the its Accso Landing Page. For any inquiries, write mail to secure-check-plus-by@accso.de. For contributions and bug reports, see the GitHub issues.
SecureCheckPlus does not scan for vulnerabilities itself. This is done by industry standard tools such as OWASP.
SecureCheckPlus by Accso has been published under the Apache V2 Licence.
Although Secure Check Plus by Accso is mainly maintained by the DevOps Community at Accso we welcome suggestions, feature requests, bug reports, and contributions by the open source community. See the Contribution Readme for details.
For a full fledge installation of SecureCheckPlus by Accso you will need
- a PostgreSQL instance,
- a run-time environment for a Docker container, such as a native Docker daemon under Linux, a Docker Desktop installation under Windows and macOS or cloud based run-time such as Kubernetes,
- a software-pipeline building the software application that you would like to monitor.
Make sure you have a running PostgreSQL instance available. Create a new database and a user with access to the database (including permissions to create database object such as tables and indexes). For the subsequent steps we will assume that you have the following data at hand:
- the hostname (or IP address) of the PostgreSQL server,
- the port number (usually 5432) of the database,
- the name of the database,
- the name of the database user, and
- the password of the database user.
See the Server Installation Readme for the installation of the SecureCheckPlus Plus server. As soon as the server is set up, consult the Webfrontend Readme to create a configuration for the first project that you would like to monitor. This will give you
- the project id and
- the API key
for the final step which is to integrate the SecureCheckPlus adapter into your CI pipeline. See the Adapter Readme on how to modify your pipeline.
- .NET
- Java
- Node.js / NPM packages
- Ruby
- Python (experimental)
- PHP (experimental)
- Go (experimental)
- Swift (experimental)
Possible future feature (also see enhancement issues):
- Support for CycloneDX SBOM reports - More languages
- Support for Trivy reports - Images, Secrets, IaC files
- EMail notifications to developers.
See the API Readme.
See the Architecture Readme