sechub: one central and easy way to use different security tools with one API/Client
The SecHub server orchestrates different security tools behind one API layer. Users call the SecHub server rather than the security tools directly, so projects and build pipelines do not need to implement a different plugin for each tool, only one single API. No plugin is necessary at all: the SecHub client, written in Go, can scan synchronously and break a build pipeline when necessary. The client can be easily integrated into any build system!
Overview
What can be done with SecHub?
- easily integrate security tools
- centralize your security infrastructure
- switch between or combine different tools
- minimize the impact on your projects
- all of that with just one single JSON file
How does it work?
User perspective
- The security setup (e.g. code scan, infra scan, web scan, …) is defined in a JSON file
- A SecHub job is created via the REST API or the small native client (which is more convenient)
- SecHub job execution can be
  - synchronous (breaks the build on problems) or
  - asynchronous (does not break the build)
- Overview reports listing the vulnerabilities found can be downloaded in JSON or HTML format
- Exact details are still provided by the tools themselves, but they are easily accessible through links included in the SecHub reports
Server perspective
- A server manages different SecHub Jobs
- A job belongs to a SecHub project
- A job can only be triggered by a user who is a member of the project
- A project has a whitelist of URLs/IPs, so accidental scanning of other IPs/URLs is not possible
- Depending on the JSON configuration, different product executors are started
- A product executor communicates with a security product through a dedicated product adapter
- The product results are collected by SERECO (SecHub report collector)
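The project whitelist from the list above, as an added Go example that is not SecHub's own code: the struct, the entry format (hostnames plus CIDR ranges) and the function names are assumptions. The point it shows is that the check must compare the parsed hostname or IP, not the raw target string.

```go
package main

import (
	"net"
	"net/url"
	"strings"
)

// ProjectWhitelist is an assumed model of the per-project URL/IP whitelist
// (not SecHub's own schema): exact hostnames plus allowed IP ranges.
type ProjectWhitelist struct {
	Hosts map[string]bool // lower-cased hostnames, matched exactly
	Nets  []*net.IPNet    // allowed IP ranges in CIDR notation
}

// NewWhitelist accepts hostnames and CIDR ranges (a single IP is written as /32 or /128).
func NewWhitelist(entries []string) *ProjectWhitelist {
	w := &ProjectWhitelist{Hosts: map[string]bool{}}
	for _, e := range entries {
		if _, n, err := net.ParseCIDR(e); err == nil {
			w.Nets = append(w.Nets, n)
		} else {
			w.Hosts[strings.ToLower(e)] = true
		}
	}
	return w
}

// TargetAllowed reports whether a scan target (URL or bare host/IP) points at a whitelisted
// host or IP. It compares the parsed hostname, never the raw string, so a look-alike
// subdomain or a whitelisted name hidden in a query string is rejected.
func (w *ProjectWhitelist) TargetAllowed(target string) bool {
	host := target
	if strings.Contains(target, "://") {
		u, err := url.Parse(target)
		if err != nil {
			return false
		}
		host = u.Hostname() // strips port and IPv6 brackets
	}
	host = strings.ToLower(host)
	if ip := net.ParseIP(host); ip != nil {
		for _, n := range w.Nets {
			if n.Contains(ip) {
				return true
			}
		}
		return false // a literal IP must fall inside an allowed range
	}
	return w.Hosts[host]
}
```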
What do you still need?
- An existing security infrastructure that can be managed by SecHub! SecHub gives you a central point for your build pipeline, your delivery chain, etc. It helps you to integrate security tools, but it does not contain any security tools itself.
Which security tools are currently supported?
- Checkmarx
- Netsparker
- Nessus (but unfortunately the REST API has changed/been terminated in the newer version)