accso/SecureCheckPlus
Overview

SecureCheckPlus by Accso is a web application that can be integrated into the CI/CD process via an adapter. It allows the identification, review, and documentation of already known vulnerabilities based on the libraries used.

This application was developed by the DevOps Community at Accso Accelerated Solutions in Germany. It was made open source and published on GitHub in 2024. A manual on how to use the frontend is available here.

For more information see its Accso Landing Page. For any inquiries, send an email to secure-check-plus-by@accso.de. For contributions and bug reports, see the GitHub issues.

Disclaimer

SecureCheckPlus does not scan for vulnerabilities itself. Scanning is done by industry-standard tools such as the OWASP scanner; SecureCheckPlus takes their results and handles identification, review, and documentation.

Licence

SecureCheckPlus by Accso has been published under the Apache V2 Licence.

Contribute

Although SecureCheckPlus by Accso is mainly maintained by the DevOps Community at Accso, we welcome suggestions, feature requests, bug reports, and contributions from the open source community. See the Contribution Readme for details.

Prerequisites

For a full-fledged installation of SecureCheckPlus by Accso you will need

  • a PostgreSQL instance,
  • a runtime environment for a Docker container, such as a native Docker daemon under Linux, a Docker Desktop installation under Windows and macOS, or a cloud-based runtime such as Kubernetes,
  • a software pipeline building the software application that you would like to monitor.

Installation

Make sure you have a running PostgreSQL instance available. Create a new database and a user with access to that database (including permissions to create database objects such as tables and indexes). For the subsequent steps we will assume that you have the following data at hand:

  • the hostname (or IP address) of the PostgreSQL server,
  • the port number (usually 5432) of the database,
  • the name of the database,
  • the name of the database user, and
  • the password of the database user.

See the Server Installation Readme for the installation of the SecureCheckPlus server. As soon as the server is set up, consult the Webfrontend Readme to create a configuration for the first project that you would like to monitor. This will give you

  • the project id and
  • the API key

for the final step which is to integrate the SecureCheckPlus adapter into your CI pipeline. See the Adapter Readme on how to modify your pipeline.
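For the first step above, the PostgreSQL database, the following statements are an added example (not part of the SecureCheckPlus repository) of creating the database together with a dedicated, least-privilege role for the server. The role name `securecheckplus_app`, the database name `securecheckplus` and the password are placeholders chosen here; substitute your own values and run the script as a PostgreSQL superuser in `psql`.

```sql
-- Added example, not from the SecureCheckPlus project: set up the database
-- and a dedicated application role. All names and the password are
-- placeholders. Run as a PostgreSQL superuser, e.g. psql -U postgres.

-- 1. A login role used only by the SecureCheckPlus server. It gets no
--    SUPERUSER, CREATEDB or CREATEROLE attribute; the server does not
--    need them to create tables and indexes inside its own database.
CREATE ROLE securecheckplus_app
    LOGIN
    PASSWORD 'REPLACE_WITH_A_GENERATED_SECRET'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- 2. A database owned by that role. Ownership is what allows the server
--    to create database objects, which the installation requires.
CREATE DATABASE securecheckplus
    OWNER securecheckplus_app
    ENCODING 'UTF8';

-- 3. Keep every other role out: revoke the default PUBLIC privileges and
--    grant only what the application role needs on the database itself.
REVOKE ALL ON DATABASE securecheckplus FROM PUBLIC;
GRANT CONNECT, TEMPORARY ON DATABASE securecheckplus TO securecheckplus_app;

-- The remaining statements run inside the new database (psql meta-command).
\c securecheckplus

-- 4. Before PostgreSQL 15, PUBLIC may create objects in the public schema.
--    Remove that right and hand the schema to the application role, so
--    only the application (and superusers) can add tables and indexes.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
ALTER SCHEMA public OWNER TO securecheckplus_app;

-- 5. Verification in psql: \l securecheckplus shows the database
--    privileges, \dn+ public shows the schema owner and privileges.
```

The hostname, port, database name, role name and password used here are the five values the installation steps assume you have at hand; store the password in your secret management, not in the pipeline definition.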

Additional Information

Supported Languages by the OWASP Scanner

  • .NET
  • Java
  • Node.js / NPM packages
  • Ruby
  • Python (experimental)
  • PHP (experimental)
  • Go (experimental)
  • Swift (experimental)

Possible future features (also see the enhancement issues):

  • Support for CycloneDX SBOM reports - more languages
  • Support for Trivy reports - images, secrets, IaC files
  • Email notifications to developers.

API Description

See the API Readme.

Architecture

See the Architecture Readme.
