
Security Scanners & Tools Catalog

Plexicus integrates 15 security scanner bundles plus external tool connectors. This guide explains which tools are available in your plan, how to configure them, and how severity levels are translated across different scanners.

Scanner Bundles Overview

Each bundle combines specialized tools to detect different types of vulnerabilities and misconfigurations. Select which bundles to enable when creating or updating an application.

| Bundle | Tools | Detects | Plan |
|---|---|---|---|
| plexicus-sast | OpenGrep, Bandit | Code vulnerabilities, logic flaws | Starter+ |
| plexicus-sca | Grype | Vulnerable dependencies in package managers | Starter+ |
| plexicus-secrets | Gitleaks, Trufflehog | Hardcoded credentials, API keys | Starter+ |
| plexicus-container | Trivy (fs) | Misconfigurations in Dockerfile, config files | Scale+ |
| plexicus-iac | Checkov (IaC, Config, Container) | Infrastructure-as-Code policy violations | Scale+ |
| plexicus-cicd | Checkov (CI/CD) | CI/CD pipeline misconfigurations (GitHub Actions, GitLab CI, etc.) | Scale+ |
| plexicus-cloud | CloudSploit | Cloud infrastructure misconfigurations | Scale+ |
| plexicus-dast | Nuclei | Dynamic application security testing, HTTP vulnerabilities | Scale+ |
| plexicus-pentest | Strix | AI-powered penetration testing | Scale+ |
| plexicus-sbom | Syft | Software Bill of Materials (SBOM) generation | Scale+ |
| plexicus-aibom | CycloneDX MLBom | AI Model Bill of Materials (AIBOM) | Scale+ |
| plexicus-cbom | CycloneDX CBom, OpenGrep Crypto | Cryptographic Bill of Materials (CBOM) | Scale+ |
| plexicus-license | Trivy (license scanner) | License compliance violations and risk | Scale+ |
| plexicus-scm | ChainBench | Supply chain security and SLSA compliance | Scale+ |
| plexicus-registry | Trivy (registry) | Container registry and image vulnerabilities | Scale+ |

Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:11-27

Tool Descriptions

SAST (Static Application Security Testing)

OpenGrep · Pattern-based vulnerability scanner for code. Detects business logic flaws, unsafe serialization, injection vulnerabilities. Supports dataflow tracing.

Bandit · Python-specific security linter. Detects hardcoded passwords, use of unsafe functions, insecure cryptography in Python code.

SCA (Software Composition Analysis)

Grype · Vulnerability database scanner for dependencies. Cross-references against multiple CVE databases (NVD, GitHub Security Advisory). Identifies vulnerable package versions across all major package managers.

Secrets Detection

Gitleaks · Detects secrets in Git history. Finds API keys, tokens, database credentials, private keys with regex and entropy detection.

Trufflehog · Detects secrets across filesystem. Supports verification against issuing services (AWS, Stripe, GitHub) to confirm active credentials.

Container & IaC

Trivy (Container) · Scans Dockerfile, Kubernetes manifests, and configuration files for misconfigurations. Checks CIS benchmarks and policy violations.

Checkov · Multi-framework IaC scanner. Detects policy violations in Terraform, CloudFormation, Kubernetes, Helm, Ansible, Azure Resource Manager. Includes CI/CD pipeline scanning (GitHub Actions, GitLab CI, Azure Pipelines).

Cloud Infrastructure

CloudSploit · Audits AWS, Azure, GCP cloud accounts. Detects overly permissive IAM, unencrypted storage, exposed databases, compliance drift.

DAST (Dynamic Application Security Testing)

Nuclei · Template-based vulnerability scanner. Probes running applications for HTTP misconfigurations, technology detection, default credentials, known CVEs.

Penetration Testing (AI-Powered)

Strix · Autonomous security testing agent. Explores application features, fuzzes inputs, identifies authentication bypasses and business logic flaws using AI-directed testing.

SBOM & Cryptography

Syft · Generates Software Bill of Materials (SBOM) in CycloneDX or SPDX format. Catalogs all dependencies with versions, file paths, and hash values.

CycloneDX MLBom · Generates AI Model Bill of Materials. Catalogs ML models, training datasets, model cards, and quantum-readiness assessment.

CycloneDX CBom · Detects cryptographic assets (algorithms, key sizes) and assesses quantum-safety compliance (NIST 2030/2035 deadlines).

OpenGrep Crypto · Specialized pattern scanner for cryptographic anti-patterns: weak algorithms, insufficient key sizes, unsafe modes of operation.

License Compliance

Trivy (License) · Scans all dependencies and catalogs licenses. Flags copyleft, proprietary, or unknown licenses that may require disclosure or impose restrictions.

Supply Chain Security

ChainBench · SLSA (Supply-chain Levels for Software Artifacts) compliance scanner. Audits source control practices, signed commits, artifact provenance, build system hardening.

Container Registry

Trivy (Registry) · Scans container images in registries (Docker Hub, ECR, Artifactory, Quay). Detects vulnerable base images and misconfigurations at registry pull time.

External Tool Integrations

Plexicus supports ingestion of results from external enterprise security tools:

| Tool | Purpose | Integration |
|---|---|---|
| Black Duck (Synopsys) | Commercial SCA & license analysis | API ingestion |
| Checkmarx (Checkmarx One) | SAST + KICS (IaC) | API ingestion |
| Fortify (Micro Focus) | SAST + WebInspect (DAST) | API ingestion |
| Prowler | AWS/Azure/GCP compliance scanner (CIS, NIST, PCI DSS) | Direct execution |
| Steampipe | Multi-cloud policy engine | Direct execution |
| CodeQL | GitHub SAST (ingests code-scanning alerts) | GitHub webhook ingestion |

Source: /Users/jpalanco/Projects/platform/plexalyzer/prov/tools_config.yaml

Parameter Configuration

Canonical Parameters

Three parameters are available on most bundles. These are translated to native CLI flags for each tool:

  • Severity · Minimum severity level to report (info, low, medium, high, critical)
  • Exclude Paths · Filesystem patterns to skip (e.g., node_modules/, test/)
  • Severity Filter · Advanced post-scan filtering, used when the tool lacks a native severity flag

Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:51

Tool-Specific Parameters

Each tool exposes additional native parameters for fine-grained control:

OpenGrep:

  • config · Custom rule configuration
  • baseline_commit · Differential scanning (only new issues since commit)
  • dataflow_traces · Enable taint tracking
  • exclude_rule · Disable specific rules
  • max_lines_per_finding · Truncate findings if very verbose
  • timeout, max_target_bytes, exclude_minified_files, strict · Performance tuning

Bandit (Python):

  • tests · Comma-separated list of test IDs to run (e.g., B101, B102)
  • skips · Tests to skip
  • confidence_level · Report only high/medium/low confidence issues
  • ignore_nosec · Ignore # nosec comments

Grype (SCA):

  • fail_on · Exit with error code if vulnerabilities found
  • only_fixed / only_notfixed · Filter to fixed/unfixed CVEs
  • by_cve · Group by CVE instead of package
  • scope · Container layer scope (squashed vs. all-layers)
  • distro · OS distro hint (Alpine, Debian, etc.)

Trivy:

  • ignore_unfixed · Skip vulnerabilities without available patches
  • include_dev_deps · Include dev dependencies in SCA
  • pkg_types · Specific package type filter (jar, wheel, npm, etc.)
  • offline_scan · Run without internet access
  • detection_priority · Algorithm for detecting vulnerabilities

Checkov (IaC/CI/CD):

  • check · Run only specific checks (e.g., CKV_TF_1, CKV_AWS_8)
  • skip_check · Disable specific checks
  • skip_framework · Skip entire frameworks (e.g., terraform, kubernetes)
  • soft_fail · Report violations without failing scan

Nuclei (DAST):

  • templates · Specific template list (e.g., cves, exposures)
  • tags · Match templates by tag
  • exclude_tags · Exclude templates
  • type · Limit to specific vulnerability type (dns, http, network, ssl)
  • timeout, retries, max_redirects · Network tuning
  • passive · Run only non-intrusive checks

Gitleaks & Trufflehog (Secrets):

  • redact (Gitleaks) · Redact secret values in output
  • no_verification (Trufflehog) · Skip verification against issuing services
  • include_detectors / exclude_detectors · Specific detector filter

Syft (SBOM):

  • enrich · Enable package enrichment (all, golang, java, javascript)
  • scope · Image layer handling (squashed, all-layers, deep-squashed)

Strix (Pentest):

  • custom_prompt · Custom AI instructions (max 500 chars, sanitized)

Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:110-207

Severity Translation Quirks

Info: Not all tools have native severity filtering. Some require post-scan filtering to suppress low-severity findings.

Tools with Native Severity Flags

| Tool | Native Levels | Canonical Translation |
|---|---|---|
| OpenGrep | INFO, WARNING, ERROR | info→INFO, low→WARNING, medium→WARNING, high→ERROR, critical→ERROR |
| Bandit | all, low, medium, high | info→all, low→low, medium→medium, high→high, critical→high |
| Trivy | UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL | info→LOW, low→LOW, medium→MEDIUM, high→HIGH, critical→CRITICAL |
| Nuclei | info, low, medium, high, critical | 1:1 mapping (native matches canonical) |

Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:55-90

Tools WITHOUT Native Severity Flags (Post-Scan Filtering)

These tools do not accept a severity CLI flag. Severity filtering is applied after results are collected:

| Tool | Workaround |
|---|---|
| Grype | Use fail_on to exit with error; severity filtering applied server-side |
| Gitleaks | Severity filtering applied server-side |
| Trufflehog | Severity filtering applied server-side |
| Syft | No severity filtering (SBOM catalogs all components) |
| Checkov | No severity filtering on CLI (config-based filtering available) |
| Strix | No severity filtering (reports all findings) |

Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:84-90

What This Means: If you set severity: "high" on a bundle with Grype or Gitleaks, Plexicus collects all findings first, then filters to high/critical in the dashboard. This ensures no issues are missed during collection, but increases scan time slightly.
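The translation and post-scan filter described above, as an added example that is not Plexicus code: the mappings are the ones in the two tables, while the finding dicts, their field names and the function names are constructed for illustration. It also shows why a canonical post-filter is still useful for tools whose native flag is lossy (OpenGrep and Trivy collapse two canonical levels onto one native level).

```python
# Added example (not Plexicus code): canonical -> native severity translation
# from the tables above, plus the post-scan filter for tools without a flag.
from typing import Dict, List, Optional

CANONICAL = ["info", "low", "medium", "high", "critical"]
RANK = {level: i for i, level in enumerate(CANONICAL)}

# Native mappings as listed on this page; None = no native severity flag.
NATIVE: Dict[str, Optional[Dict[str, str]]] = {
    "opengrep": {"info": "INFO", "low": "WARNING", "medium": "WARNING",
                 "high": "ERROR", "critical": "ERROR"},
    "bandit": {"info": "all", "low": "low", "medium": "medium",
               "high": "high", "critical": "high"},
    "trivy": {"info": "LOW", "low": "LOW", "medium": "MEDIUM",
              "high": "HIGH", "critical": "CRITICAL"},
    "nuclei": {level: level for level in CANONICAL},
    "grype": None, "gitleaks": None, "trufflehog": None,
}

def native_severity(tool: str, canonical: str) -> Optional[str]:
    """Native level for a canonical level, or None when the tool has no
    severity flag and the canonical filter must be applied post-scan."""
    if canonical not in RANK:
        raise ValueError(f"unknown canonical severity: {canonical}")
    mapping = NATIVE[tool]
    return None if mapping is None else mapping[canonical]

def is_lossy(tool: str, canonical: str) -> bool:
    """True when several canonical levels collapse onto one native level
    (e.g. OpenGrep low/medium -> WARNING): the native flag over-reports,
    so a canonical post-filter is still needed to honour the setting."""
    mapping = NATIVE[tool]
    if mapping is None:
        return True
    native = mapping[canonical]
    return sum(1 for v in mapping.values() if v == native) > 1

def post_filter(findings: List[dict], minimum: str) -> List[dict]:
    """Keep findings at or above the canonical minimum. A finding with a
    missing or unrecognised severity is kept rather than silently dropped."""
    floor = RANK[minimum]
    return [f for f in findings
            if RANK.get(str(f.get("severity", "")).lower(), len(CANONICAL)) >= floor]

SAMPLE = [  # constructed sample findings, not real scanner output
    {"id": "pkg-a", "severity": "Critical"}, {"id": "pkg-b", "severity": "Medium"},
    {"id": "aws-key", "severity": "high"}, {"id": "generic", "severity": None},
]
```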

Exclude Paths Configuration

Most tools support excluding directories from scans (e.g., test directories, node_modules):

| Tool | Parameter | Example |
|---|---|---|
| OpenGrep | --exclude | node_modules/, *.test.js |
| Bandit | -x (excluded_paths) | */tests/*, */test/* |
| Trivy | --skip-dirs | test/, tests/, .git/ |
| Checkov | --skip-path | test/, node_modules/ |
| Syft | --exclude | Glob patterns |
| Grype | --exclude | Glob patterns |

Tools WITHOUT exclude support:

  • Nuclei, Gitleaks, Trufflehog, Strix (must be filtered via repository structure)

Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:92-104

Per-Bundle Parameter Support

Not all canonical parameters are meaningful for every bundle. Here's what's exposed in the UI per bundle:

| Bundle | Severity | Exclude Paths | Tool-Specific Params |
|---|---|---|---|
| plexicus-sast | | | Yes (opengrep, bandit) |
| plexicus-sca | | | Yes (grype) |
| plexicus-secrets | | | Yes (gitleaks, trufflehog) |
| plexicus-container | | | Yes (trivy) |
| plexicus-iac | | | Yes (checkov) |
| plexicus-cicd | | | Yes (checkov) |
| plexicus-cloud | | | None |
| plexicus-dast | | | Yes (nuclei) |
| plexicus-pentest | | | Yes (strix custom_prompt) |
| plexicus-sbom | | | Yes (syft) |
| plexicus-aibom | | | None |
| plexicus-cbom | | | None |
| plexicus-license | | | None |
| plexicus-scm | | | None |
| plexicus-registry | | | None |

Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:239-250

Tool Selection Guide

For Python Projects

Enable plexicus-sast (Bandit) + plexicus-sca (Grype) + plexicus-secrets (Gitleaks). If using cryptography: add plexicus-cbom.

For Node.js / JavaScript

Enable plexicus-sast (OpenGrep) + plexicus-sca (Grype) + plexicus-secrets (Trufflehog). For monorepos with Kubernetes: add plexicus-iac.

For Infrastructure-as-Code (Terraform, CloudFormation, Helm)

Enable plexicus-iac (Checkov) + plexicus-cloud (CloudSploit if AWS/Azure/GCP account connected).

For Docker / Container Images

Enable plexicus-container (Trivy fs) + plexicus-registry (Trivy registry) for scanning published images. Add plexicus-license for license compliance.

For CI/CD Pipelines (GitHub Actions, GitLab CI, etc.)

Enable plexicus-cicd (Checkov) to audit workflow definitions for security misconfigurations.

For APIs & Web Applications

Enable plexicus-dast (Nuclei) to probe running applications for common HTTP vulnerabilities. For advanced testing: add plexicus-pentest (Strix AI).

For Bill of Materials & Compliance

Enable plexicus-sbom (Syft) for dependency inventory. Add plexicus-cbom for cryptographic assets, plexicus-aibom for ML models, plexicus-license for license risk, plexicus-scm for supply chain.

See Also