Tools
itarun.p edited this page Mar 2, 2026 · 2 revisions
All tools run as Docker containers via the Sidecar Runner.
```text
Source Code / Target
        │
        ▼
── Sidecar Runner ──────────────────────────────────────
  job-dispatcher.sh --tool <name> --target <path/url>
        │
        ├─── semgrep ──▶ Semgrep  ──▶ SAST findings
        ├─── zap ──────▶ ZAP      ──▶ DAST findings (3 modes)
        ├─── grype ────▶ Grype    ──▶ SCA findings
        ├─── trivy ────▶ Trivy    ──▶ Container findings
        ├─── checkov ──▶ Checkov  ──▶ IaC findings
        ├─── gitleaks ─▶ GitLeaks ──▶ Secret findings
        └─── syft ─────▶ Syft     ──▶ SBOM components
        │
  result-collector.sh + json-normalizer.sh
        │
        ▼
  Normalized JSON (common format)
  { findings: [...], summary: {...} }
────────────────────────────────────────────────────────
        │
        ├──▶ SARIF    (GitHub Code Scanning)
        ├──▶ JSON     (API / automation)
        ├──▶ Markdown (PR comments)
        └──▶ HTML     (standalone report)
```

| Tool | Purpose | Docker Image | Scan Type |
|---|---|---|---|
| Semgrep | SAST | returntocorp/semgrep:latest | Static analysis |
| ZAP | DAST | ghcr.io/zaproxy/zaproxy:stable | Dynamic testing |
| Grype | SCA | anchore/grype:latest | Dependency scanning |
| Trivy | Container | aquasec/trivy:latest | Image scanning |
| Checkov | IaC | bridgecrew/checkov:latest | IaC scanning |
| GitLeaks | Secrets | zricethezav/gitleaks:latest | Secret detection |
| Syft | SBOM | anchore/syft:latest | Bill of Materials |

Each tool has its own compose profile:

```bash
# Run specific tool
docker compose --profile semgrep up

# Run multiple tools
docker compose --profile semgrep --profile grype up
```

`runner/job-dispatcher.sh` routes scan requests:

```bash
# SAST scan (auto-loads A09 rules if present)
bash runner/job-dispatcher.sh --tool semgrep --target /path/to/code

# DAST scan (3 modes)
bash runner/job-dispatcher.sh --tool zap --target http://example.com --mode baseline
bash runner/job-dispatcher.sh --tool zap --target http://example.com --mode full
bash runner/job-dispatcher.sh --tool zap --target http://example.com --mode api --api-spec http://example.com/openapi.json

# SCA scan
bash runner/job-dispatcher.sh --tool grype --target /path/to/code

# Container scan
bash runner/job-dispatcher.sh --tool trivy --target myimage:latest

# IaC scan
bash runner/job-dispatcher.sh --tool checkov --target /path/to/terraform

# Secret scan
bash runner/job-dispatcher.sh --tool gitleaks --target /path/to/repo

# SBOM generation
bash runner/job-dispatcher.sh --tool syft --target myimage:latest
```

All tool outputs are normalized to a common JSON format:
```json
{
  "tool": "semgrep",
  "scan_type": "sast",
  "findings": [
    {
      "id": "FINDING-001",
      "rule_id": "python.lang.security.audit.dangerous-exec-use",
      "severity": "HIGH",
      "title": "Dangerous exec() usage",
      "location": { "file": "app.py", "line": 42 },
      "cwe": "CWE-78"
    }
  ],
  "summary": { "total": 1, "critical": 0, "high": 1, "medium": 0, "low": 0 }
}
```

| Format | File | Use Case |
|---|---|---|
| SARIF | sarif-formatter.sh | IDE integration, GitHub Code Scanning |
| JSON | json-normalizer.sh | API consumption, automation |
| Markdown | markdown-formatter.sh | PR comments, reports |
| HTML | html-formatter.sh | Standalone reports |
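The normalization step described above (raw scanner output into the common JSON format), as an added Python example that is not the project's `json-normalizer.sh`: it maps Semgrep's `--json` result fields (`check_id`, `path`, `start.line`, `extra.severity`, `extra.message`, `extra.metadata.cwe`, which are Semgrep's field names rather than anything on this page) into the common format shown above. The ERROR/WARNING/INFO to HIGH/MEDIUM/LOW mapping, the MEDIUM fallback for unknown severities and the `FINDING-NNN` numbering are assumptions.

```python
"""Normalize raw Semgrep --json output into the runner's common finding format.

Added Python illustration, not the project's json-normalizer.sh. Field names read
here follow Semgrep's JSON output; the severity mapping below is an assumption."""
import re

SEVERITY_MAP = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}
CWE_RE = re.compile(r"CWE-\d+")


def first_cwe(meta):
    """Return the first 'CWE-NNN' token in metadata.cwe (string or list), else None."""
    raw = meta.get("cwe")
    for item in (raw if isinstance(raw, list) else [raw]):
        match = CWE_RE.search(str(item or ""))
        if match:
            return match.group(0)
    return None


def normalize_semgrep(raw):
    """Map Semgrep results to {tool, scan_type, findings, summary}."""
    findings = []
    for n, res in enumerate(raw.get("results", []), start=1):
        extra = res.get("extra", {})
        # Unknown severities fall back to MEDIUM rather than being dropped.
        sev = SEVERITY_MAP.get(str(extra.get("severity", "")).upper(), "MEDIUM")
        title = (extra.get("message") or res["check_id"]).splitlines()[0]
        findings.append({
            "id": f"FINDING-{n:03d}",
            "rule_id": res["check_id"],
            "severity": sev,
            "title": title,
            "location": {"file": res["path"], "line": res["start"]["line"]},
            "cwe": first_cwe(extra.get("metadata", {})),
        })
    summary = {"total": len(findings), "critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        summary[f["severity"].lower()] += 1
    return {"tool": "semgrep", "scan_type": "sast", "findings": findings, "summary": summary}


# Constructed sample in Semgrep's result shape (not captured scanner output).
SAMPLE = {"results": [
    {"check_id": "python.lang.security.audit.dangerous-exec-use", "path": "app.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "Dangerous exec() usage",
                                    "metadata": {"cwe": ["CWE-78: OS Command Injection"]}}},
    {"check_id": "python.lang.security.insecure-hash", "path": "util.py", "start": {"line": 7},
     "extra": {"severity": "WARNING", "message": "Weak hash\nSee docs", "metadata": {"cwe": "CWE-327"}}},
]}
```

Running `normalize_semgrep(SAMPLE)` yields two findings with a summary of one HIGH and one MEDIUM, in the same shape the formatters in the table above consume.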