
Security Scanners

SettleMint uses advanced security scanners to maintain the integrity and security of our codebase and dependencies. This page provides detailed information about the scanners we use, including Aikido, TruffleHog, and Renovate.

Aikido

Aikido is a security platform that bundles a number of open-source scanners behind a single dashboard, so that code, dependencies, container images, infrastructure as code and running web applications are all covered from one place:

  • ZAP (Zed Attack Proxy): Dynamic application security testing (DAST) against running web applications. It probes for issues such as SQL injection, cross-site scripting (XSS) and other input-handling flaws.
  • Trivy: A scanner for container images, file systems and Git repositories that reports known vulnerabilities, misconfigurations and secrets.
  • Clair: Static analysis of container images for known vulnerabilities in the packages installed in the image.
  • Nuclei: A fast, template-driven vulnerability scanner; templates describe checks for HTTP, DNS, TCP and other protocols.
  • Bandit: A security linter for Python that flags common unsafe constructs in the source.
  • Gitleaks: Detects hardcoded secrets such as passwords, API keys and tokens in Git repositories, including their history.
  • Syft: Generates a Software Bill of Materials (SBOM) and collects open source license information.
  • Grype: A vulnerability scanner for container images and filesystems that can consume the SBOMs Syft produces.
  • Checkov: Static analysis of infrastructure as code (IaC) that detects cloud misconfigurations before they are deployed.
  • Phylum: Detects malware and other malicious behaviour in dependencies.
  • endoflife.date: Flags software versions that are outdated or past their end-of-life date.

Aikido ensures that security is maintained throughout the development lifecycle by providing continuous monitoring and automated testing.

You can request the Aikido security scan report by following this link.

Cloud Infrastructure Integration

In addition to scanning repositories, Aikido is connected to our cloud accounts, so the misconfiguration and vulnerability checks also run continuously against the deployed environments rather than only against code at commit time. This lets us monitor, assess and improve the security posture of the cloud environments on an ongoing basis.

TruffleHog

TruffleHog is a tool for detecting secrets in the codebase. It scans the repositories for high-entropy strings and other potential secrets so that sensitive information such as API keys, passwords and tokens is not exposed in source code or commit history.

  • High-Entropy String Detection: Flags strings that look random enough to be a generated credential. This catches keys that no pattern knows about, at the cost of false positives such as commit hashes and checksums, so these hits need review.
  • Pattern Matching: Uses regular expressions for the known formats of specific providers' keys and tokens.
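As an added illustration of the two techniques just listed (example code written for this page, not TruffleHog's or SettleMint's own), the following Python scanner combines a few regexes for documented key formats with a Shannon-entropy check over runs of base64-alphabet characters. The charset-specific thresholds and the "generic assignment" pattern are assumptions; the input lines are constructed, the AWS key being the example key from AWS's own documentation and the GitHub token a made-up string of the documented shape. Note how a plain commit hash trips the hex threshold: that is the false-positive class entropy detection is known for.

```python
"""Added example of entropy-plus-pattern secret detection; not SettleMint's or
TruffleHog's code. Thresholds and the generic assignment pattern are assumptions."""
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Known credential formats. The AWS access-key-id and GitHub classic PAT shapes are
# the vendors' documented prefixes; "generic_assignment" is a hypothetical catch-all
# for "password = ..." style lines.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*[\"']?[A-Za-z0-9+/=_\-]{16,}"
    ),
}

# Candidate tokens for the entropy check: runs of base64-alphabet characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_CHARS = set("0123456789abcdefABCDEF")
# Assumed thresholds in bits per character. A hex alphabet can never exceed 4 bits,
# so hex-only tokens get a lower bar than base64-looking ones.
THRESHOLDS = {"hex": 3.0, "base64": 4.5}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s, estimated from its own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str
    entropy: Optional[float] = None  # only set for entropy-based hits


def scan(lines: List[str]) -> List[Finding]:
    """Run pattern matching first, then the entropy check on whatever is left."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        # Pass 1: known formats.
        hits = [Finding(line_no, name, m.group(0))
                for name, pat in PATTERNS.items() for m in pat.finditer(line)]
        # Pass 2: entropy, skipping tokens already covered by a pattern hit on this line.
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            if any(tok in h.value for h in hits):
                continue
            charset = "hex" if set(tok) <= HEX_CHARS else "base64"
            ent = shannon_entropy(tok)
            if ent >= THRESHOLDS[charset]:
                hits.append(Finding(line_no, f"high_entropy_{charset}", tok, round(ent, 3)))
        findings.extend(hits)
    return findings


# Constructed input. The AWS key is the example key from AWS's own documentation;
# the GitHub token is a made-up string of the documented shape.
SAMPLE_LINES = [
    'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
    'GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345',
    'headers = {"X-Auth": "q7Wz2Lk9XbR4vNc1YmT8sPdH6jGfA3eU"}',
    'padding = "00000000000000000000000000000000"',
    '# upstream pinned at commit 0123456789abcdef0123456789abcdef01234567',
    'version = "1.0.0"',
]


def scan_sample() -> List[Finding]:
    return scan(SAMPLE_LINES)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.kind} {f.value!r} entropy={f.entropy}")
```

Lines 1 and 2 are caught by format (the entropy pass skips tokens a pattern already covered), line 3 only by entropy, line 4 is a long but zero-entropy string and is ignored, and line 5 is the commit-hash false positive that a real scanner would need to suppress by context or by verifying the candidate against the provider.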

Renovate

Renovate is a dependency management tool that automates dependency updates. It regularly checks for outdated or vulnerable dependencies and opens pull requests to update them.

  • Automated Dependency Updates: Regularly detects dependencies with newer versions and proposes updates for them.
  • Pull Request Creation: Opens a pull request per update, with the release notes attached, so an update is reviewed like any other change.
  • Compatibility Checks: Because each update arrives as a pull request, the existing CI test suite runs against it before merge, reducing the risk of a breaking change reaching the main branch.

Chainguard Docker Images

We use Chainguard container images as the base for most of the images we build. They are minimal images that ship with only the packages a workload needs, together with an SBOM and a signature, which keeps the number of known vulnerabilities and the attack surface small. Chainguard does not provide images for everything, however, so we complement them with other base images where needed.

Integration with CI/CD Pipeline

These security scanners are integrated into our CI/CD pipeline so that every change is checked and vulnerabilities are identified and addressed promptly.

  • Continuous Integration: Automated security scans run as part of the pipeline at each stage of the development process, alongside the build and test jobs.
  • Continuous Deployment: A failing scan blocks the deployment, so only code that passes the security and compliance checks reaches production.
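An added example of what such a deployment gate can look like (example code for this page, not the project's pipeline): a Python check that reads a Trivy JSON report of the shape produced by `trivy image --format json` and decides whether the build may proceed. The policy values (which severities block, whether findings without an upstream fix are skipped, a waiver list with expiry dates) are assumptions, and the embedded report is constructed with placeholder vulnerability IDs and package names.

```python
"""Added example: gate a CI job on a Trivy JSON report (not the project's own code)."""
import json
import sys
from datetime import date
from typing import Dict, List, Tuple

# Policy (assumed values): which severities block a release, whether findings
# with no upstream fix are skipped, and time-boxed waivers keyed by vulnerability ID.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
IGNORE_UNFIXED = True
WAIVERS: Dict[str, str] = {
    "CVE-0000-0002": "2099-12-31",  # placeholder ID; waiver still valid
    "CVE-0000-0003": "2020-01-01",  # placeholder ID; waiver has expired
}


def evaluate(report: dict, waivers: Dict[str, str], today: date,
             ignore_unfixed: bool = IGNORE_UNFIXED) -> Tuple[List[str], List[str], List[str]]:
    """Split a Trivy report into (blocking, waived, skipped) vulnerability IDs."""
    blocking: List[str] = []
    waived: List[str] = []
    skipped: List[str] = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln["VulnerabilityID"]
            if vuln.get("Severity", "UNKNOWN") not in BLOCKING_SEVERITIES:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                skipped.append(vid)
                continue
            expiry = waivers.get(vid)
            if expiry and date.fromisoformat(expiry) >= today:
                waived.append(vid)
                continue
            blocking.append(vid)
    return blocking, waived, skipped


def gate(report_json: str, waivers: Dict[str, str], today: date) -> int:
    """Return the exit code a CI step should use: 0 to proceed, 1 to block."""
    blocking, waived, skipped = evaluate(json.loads(report_json), waivers, today)
    for vid in waived:
        print(f"waived  {vid}")
    for vid in skipped:
        print(f"no fix  {vid} (skipped)")
    for vid in blocking:
        print(f"BLOCK   {vid}")
    return 1 if blocking else 0


# Constructed report in the shape of `trivy image --format json`; IDs and
# package names are placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.2.3",
    "Results": [
        {"Target": "registry.example/app:1.2.3 (alpine 3.19)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib", "InstalledVersion": "1.0.0",
              "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "examplelib", "InstalledVersion": "1.0.0",
              "FixedVersion": "1.0.2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool", "InstalledVersion": "2.3.0",
              "FixedVersion": "2.3.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "othertool", "InstalledVersion": "2.3.0",
              "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0005", "PkgName": "othertool", "InstalledVersion": "2.3.0",
              "FixedVersion": "2.3.1", "Severity": "MEDIUM"},
         ]},
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg"},
    ],
})


def evaluate_sample() -> Tuple[List[str], List[str], List[str]]:
    return evaluate(json.loads(SAMPLE_REPORT), WAIVERS, date(2025, 1, 1))


def gate_sample() -> int:
    return gate(SAMPLE_REPORT, WAIVERS, date(2025, 1, 1))


if __name__ == "__main__":
    sys.exit(gate_sample())
```

Waivers carry an expiry so that a risk accepted today is re-examined rather than silently permanent: the expired entry for CVE-0000-0003 blocks again, while the unfixed CVE-0000-0004 is reported but does not fail the job, because there is nothing the build could change.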

By using these advanced security scanners, SettleMint maintains a high level of security for its applications and infrastructure, protecting against a wide range of threats and vulnerabilities.