Security Scanners & Tools Catalog
Plexicus integrates 15 security scanner bundles plus external tool connectors. This guide explains which tools are available in your plan, how to configure them, and how severity levels are translated across different scanners.
Scanner Bundles Overview
Each bundle combines specialized tools to detect different types of vulnerabilities and misconfigurations. Select which bundles to enable when creating or updating an application.
| Bundle | Tools | Detects | Plan |
|---|---|---|---|
| plexicus-sast | OpenGrep, Bandit | Code vulnerabilities, logic flaws | Starter+ |
| plexicus-sca | Grype | Vulnerable dependencies in package managers | Starter+ |
| plexicus-secrets | Gitleaks, Trufflehog | Hardcoded credentials, API keys | Starter+ |
| plexicus-container | Trivy (fs) | Misconfigurations in Dockerfile, config files | Scale+ |
| plexicus-iac | Checkov (IaC, Config, Container) | Infrastructure-as-Code policy violations | Scale+ |
| plexicus-cicd | Checkov (CI/CD) | CI/CD pipeline misconfigurations (GitHub Actions, GitLab CI, etc.) | Scale+ |
| plexicus-cloud | CloudSploit | Cloud infrastructure misconfigurations | Scale+ |
| plexicus-dast | Nuclei | Dynamic application security testing, HTTP vulnerabilities | Scale+ |
| plexicus-pentest | Strix | AI-powered penetration testing | Scale+ |
| plexicus-sbom | Syft | Software Bill of Materials (SBOM) generation | Scale+ |
| plexicus-aibom | CycloneDX MLBom | AI Model Bill of Materials (AIBOM) | Scale+ |
| plexicus-cbom | CycloneDX CBom, OpenGrep Crypto | Cryptographic Bill of Materials (CBOM) | Scale+ |
| plexicus-license | Trivy (license scanner) | License compliance violations and risk | Scale+ |
| plexicus-scm | ChainBench | Supply chain security and SLSA compliance | Scale+ |
| plexicus-registry | Trivy (registry) | Container registry and image vulnerabilities | Scale+ |
Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:11-27
Tool Descriptions
SAST (Static Application Security Testing)
OpenGrep · Pattern-based vulnerability scanner for code. Detects business logic flaws, unsafe serialization, injection vulnerabilities. Supports dataflow tracing.
Bandit · Python-specific security linter. Detects hardcoded passwords, use of unsafe functions, insecure cryptography in Python code.
SCA (Software Composition Analysis)
Grype · Vulnerability database scanner for dependencies. Cross-references against multiple CVE databases (NVD, GitHub Security Advisory). Identifies vulnerable package versions across all major package managers.
Secrets Detection
Gitleaks · Detects secrets in Git history. Finds API keys, tokens, database credentials, private keys with regex and entropy detection.
Trufflehog · Detects secrets across filesystem. Supports verification against issuing services (AWS, Stripe, GitHub) to confirm active credentials.
Container & IaC
Trivy (Container) · Scans Dockerfile, Kubernetes manifests, and configuration files for misconfigurations. Checks CIS benchmarks and policy violations.
Checkov · Multi-framework IaC scanner. Detects policy violations in Terraform, CloudFormation, Kubernetes, Helm, Ansible, Azure Resource Manager. Includes CI/CD pipeline scanning (GitHub Actions, GitLab CI, Azure Pipelines).
Cloud Infrastructure
CloudSploit · Audits AWS, Azure, GCP cloud accounts. Detects overly permissive IAM, unencrypted storage, exposed databases, compliance drift.
DAST (Dynamic Application Security Testing)
Nuclei · Template-based vulnerability scanner. Probes running applications for HTTP misconfigurations, technology detection, default credentials, known CVEs.
Penetration Testing (AI-Powered)
Strix · Autonomous security testing agent. Explores application features, fuzzes inputs, identifies authentication bypasses and business logic flaws using AI-directed testing.
SBOM & Cryptography
Syft · Generates Software Bill of Materials (SBOM) in CycloneDX or SPDX format. Catalogs all dependencies with versions, file paths, and hash values.
CycloneDX MLBom · Generates AI Model Bill of Materials. Catalogs ML models, training datasets, model cards, and quantum-readiness assessment.
CycloneDX CBom · Detects cryptographic assets (algorithms, key sizes) and assesses quantum-safety compliance (NIST 2030/2035 deadlines).
OpenGrep Crypto · Specialized pattern scanner for cryptographic anti-patterns: weak algorithms, insufficient key sizes, unsafe modes of operation.
License Compliance
Trivy (License) · Scans all dependencies and catalogs licenses. Flags copyleft, proprietary, or unknown licenses that may require disclosure or impose restrictions.
Supply Chain Security
ChainBench · SLSA (Supply-chain Levels for Software Artifacts) compliance scanner. Audits source control practices, signed commits, artifact provenance, build system hardening.
Container Registry
Trivy (Registry) · Scans container images in registries (Docker Hub, ECR, Artifactory, Quay). Detects vulnerable base images and image misconfigurations as images are pulled from the registry, before they reach a runtime.
External Tool Integrations
Plexicus supports ingestion of results from external enterprise security tools:
| Tool | Purpose | Integration |
|---|---|---|
| Black Duck (Synopsys) | Commercial SCA & license analysis | API ingestion |
| Checkmarx (Checkmarx One) | SAST + KICS (IaC) | API ingestion |
| Fortify (Micro Focus) | SAST + WebInspect (DAST) | API ingestion |
| Prowler | AWS/Azure/GCP compliance scanner (CIS, NIST, PCI DSS) | Direct execution |
| Steampipe | Multi-cloud policy engine | Direct execution |
| CodeQL | GitHub SAST (ingests existing code-scanning alerts) | GitHub webhook ingestion |
Source: /Users/jpalanco/Projects/platform/plexalyzer/prov/tools_config.yaml
Parameter Configuration
Canonical Parameters
Three parameters are available on most bundles. These are translated to native CLI flags for each tool:
- Severity · Minimum severity level to report (info, low, medium, high, critical)
- Exclude Paths · Filesystem patterns to skip (e.g., node_modules/, test/)
- Severity Filter · Post-scan filtering, applied when the tool has no native severity flag
Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:51
Tool-Specific Parameters
Each tool exposes additional native parameters for fine-grained control:
OpenGrep:
- `config` · Custom rule configuration
- `baseline_commit` · Differential scanning (report only issues introduced since the given commit)
- `dataflow_traces` · Enable taint tracking
- `exclude_rule` · Disable specific rules
- `max_lines_per_finding` · Truncate very verbose findings
- `timeout`, `max_target_bytes`, `exclude_minified_files`, `strict` · Performance tuning
Bandit (Python):
- `tests` · Comma-separated list of test IDs to run (e.g., B101, B102)
- `skips` · Test IDs to skip
- `confidence_level` · Report only issues at or above the given confidence (low, medium, high)
- `ignore_nosec` · Ignore `# nosec` comments
Grype (SCA):
- `fail_on` · Exit non-zero when a vulnerability at or above the given severity is found
- `only_fixed` / `only_notfixed` · Filter to CVEs with / without a fix available
- `by_cve` · Group results by CVE instead of by package
- `scope` · Container layer scope (squashed vs. all-layers)
- `distro` · OS distribution hint (Alpine, Debian, etc.)
Trivy:
- `ignore_unfixed` · Skip vulnerabilities with no available patch
- `include_dev_deps` · Include development dependencies in SCA
- `pkg_types` · Restrict to OS packages or language libraries (os, library)
- `offline_scan` · Run without internet access
- `detection_priority` · Detection trade-off (precise vs. comprehensive)
Checkov (IaC/CI/CD):
- `check` · Run only specific checks (e.g., CKV_TF_1, CKV_AWS_8)
- `skip_check` · Disable specific checks
- `skip_framework` · Skip entire frameworks (e.g., terraform, kubernetes)
- `soft_fail` · Report violations but exit successfully
Nuclei (DAST):
- `templates` · Specific template list (e.g., cves, exposures)
- `tags` · Match templates by tag
- `exclude_tags` · Exclude templates by tag
- `type` · Limit to a protocol type (dns, http, network, ssl)
- `timeout`, `retries`, `max_redirects` · Network tuning
- `passive` · Run only non-intrusive checks
Gitleaks & Trufflehog (Secrets):
- `redact` (Gitleaks) · Redact secret values in output
- `no_verification` (Trufflehog) · Skip verification against issuing services
- `include_detectors` / `exclude_detectors` (Trufflehog) · Restrict or exclude specific detectors
Syft (SBOM):
- `enrich` · Enable package enrichment (all, golang, java, javascript)
- `scope` · Image layer handling (squashed, all-layers, deep-squashed)
Strix (Pentest):
- `custom_prompt` · Custom AI instructions (max 500 characters, sanitized before use)
Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:110-207
Severity Translation Quirks
Not all tools have native severity filtering. Some require post-scan filtering to suppress low-severity findings.
Tools with Native Severity Flags
| Tool | Native Levels | Canonical Translation |
|---|---|---|
| OpenGrep | INFO, WARNING, ERROR | info→INFO, low→WARNING, medium→WARNING, high→ERROR, critical→ERROR |
| Bandit | all, low, medium, high | info→all, low→low, medium→medium, high→high, critical→high |
| Trivy | UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL | info→LOW, low→LOW, medium→MEDIUM, high→HIGH, critical→CRITICAL |
| Nuclei | info, low, medium, high, critical | 1:1 mapping (native matches canonical) |
Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:55-90
Tools WITHOUT Native Severity Flags (Post-Scan Filtering)
These tools do not accept a severity CLI flag. Severity filtering is applied after results are collected:
| Tool | Workaround |
|---|---|
| Grype | Use fail_on to exit with error; severity filtering applied server-side |
| Gitleaks | Severity filtering applied server-side |
| Trufflehog | Severity filtering applied server-side |
| Syft | No severity filtering (SBOM catalogs all components) |
| Checkov | No severity filtering on CLI (config-based filtering available) |
| Strix | No severity filtering (reports all findings) |
Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:84-90
What This Means: If you set severity: "high" on a bundle whose tools have no native flag (Grype, Gitleaks, Trufflehog), the scanner runs unfiltered and Plexicus drops anything below high/critical only when the results reach the dashboard. Nothing is lost at collection time; the cost is a larger raw result set and a slightly longer scan.
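The server-side step described above, as an added example (not Plexicus code): collect findings from tools without a native severity flag, normalize each tool's own scale onto the canonical one, then apply the threshold. The field names follow Grype's JSON report, Trufflehog's line-delimited `--json` output and Gitleaks' JSON report, but every finding is constructed, and the rule that rates secrets (verified secret → critical, anything else → high) is an assumption made for the illustration, not documented Plexicus behaviour.

```python
"""Post-scan severity filtering for tools that lack a native severity flag.

Added example; not Plexicus code. Report field names are the tools' real
ones; the findings are constructed; rating secrets by verification status
is an assumption for illustration.
"""
import json

CANONICAL = ["info", "low", "medium", "high", "critical"]
RANK = {level: i for i, level in enumerate(CANONICAL)}

# Grype reports Critical/High/Medium/Low/Negligible/Unknown; the last two
# land in the canonical "info" bucket so nothing is silently lost.
GRYPE_TO_CANONICAL = {
    "critical": "critical", "high": "high", "medium": "medium",
    "low": "low", "negligible": "info", "unknown": "info",
}

# Constructed sample reports; the identifiers are placeholders, not real advisories.
GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "EXAMPLE-0001", "severity": "Critical"},
     "artifact": {"name": "libfoo", "version": "1.0.0"}},
    {"vulnerability": {"id": "EXAMPLE-0002", "severity": "Medium"},
     "artifact": {"name": "libbar", "version": "2.3.1"}},
    {"vulnerability": {"id": "EXAMPLE-0003", "severity": "Negligible"},
     "artifact": {"name": "libbaz", "version": "0.9"}},
]})
TRUFFLEHOG_NDJSON = "\n".join([
    json.dumps({"SourceMetadata": {"Data": {"Filesystem": {"file": "config/prod.env", "line": 3}}},
                "DetectorName": "AWS", "Verified": True, "Redacted": "AKIA****"}),
    json.dumps({"SourceMetadata": {"Data": {"Filesystem": {"file": "README.md", "line": 40}}},
                "DetectorName": "Slack", "Verified": False, "Redacted": "xoxb-****"}),
])
GITLEAKS_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "File": "scripts/deploy.sh", "StartLine": 12, "Entropy": 4.1},
])


def grype_findings(report_json):
    """Flatten a Grype JSON report into canonical findings."""
    findings = []
    for match in json.loads(report_json).get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        native = vuln.get("severity", "Unknown").lower()
        findings.append({"tool": "grype", "id": vuln["id"],
                         "location": f"{artifact['name']}@{artifact['version']}",
                         "severity": GRYPE_TO_CANONICAL.get(native, "info")})
    return findings


def trufflehog_findings(ndjson):
    """Trufflehog --json writes one object per line; a verified credential is
    rated critical, an unverified one high (assumption, see lead-in)."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        fs = rec.get("SourceMetadata", {}).get("Data", {}).get("Filesystem", {})
        findings.append({"tool": "trufflehog", "id": rec["DetectorName"],
                         "location": f"{fs.get('file', '?')}:{fs.get('line', '?')}",
                         "severity": "critical" if rec.get("Verified") else "high"})
    return findings


def gitleaks_findings(report_json):
    """Gitleaks does not verify secrets, so every leak is rated high (assumption)."""
    return [{"tool": "gitleaks", "id": rec["RuleID"],
             "location": f"{rec['File']}:{rec['StartLine']}", "severity": "high"}
            for rec in json.loads(report_json)]


def collect_all():
    """Everything the three scanners produced, before any filtering."""
    return (grype_findings(GRYPE_REPORT) + trufflehog_findings(TRUFFLEHOG_NDJSON)
            + gitleaks_findings(GITLEAKS_REPORT))


def apply_threshold(findings, minimum):
    """Keep findings at or above the canonical minimum severity."""
    if minimum not in RANK:
        raise ValueError(f"severity must be one of {CANONICAL}, got {minimum!r}")
    return [f for f in findings if RANK[f["severity"]] >= RANK[minimum]]


def grype_should_fail(findings, fail_on):
    """Mirror Grype's --fail-on: non-zero exit when anything at or above
    fail_on was collected. The collection itself is never trimmed."""
    return bool(apply_threshold(findings, fail_on))


if __name__ == "__main__":
    everything = collect_all()
    for level in CANONICAL:
        print(f"minimum={level:<8} kept={len(apply_threshold(everything, level))}/{len(everything)}")
```

Because the threshold is applied to the already-collected list, lowering it later in the dashboard needs no rescan; that is the trade-off the paragraph above describes.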
Exclude Paths Configuration
Most tools support excluding directories from scans (e.g., test directories, node_modules):
| Tool | Parameter | Example |
|---|---|---|
| OpenGrep | --exclude | node_modules/, *.test.js |
| Bandit | -x (excluded_paths) | */tests/*, */test/* |
| Trivy | --skip-dirs | test/, tests/, .git/ |
| Checkov | --skip-path | test/, node_modules/ |
| Syft | --exclude | Glob patterns |
| Grype | --exclude | Glob patterns |
Tools WITHOUT exclude support:
- Nuclei, Gitleaks, Trufflehog, Strix: no exclude parameter is exposed for these bundles, so scope must be controlled through repository structure
Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:92-104
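To show how the canonical parameters, the native severity spellings, and the per-tool exclude flags from the three sections above combine into an actual invocation, here is an added example of a translation layer (not Plexicus code). The severity spellings follow the translation table on this page and every flag emitted is a real OpenGrep/Semgrep, Bandit, Trivy, Checkov or Grype option; the parameter dict layout, the default `rules/` path for OpenGrep, and the expansion of a minimum severity into Trivy's severity list are assumptions made for the illustration.

```python
"""Canonical-to-native CLI translation for the tools on this page.

Added example; not Plexicus code. Flags are the real tool options; the
parameter layout, the rules/ default and the Trivy list expansion are
assumptions for illustration.
"""
CANONICAL = ["info", "low", "medium", "high", "critical"]
OPENGREP_SEV = {"info": "INFO", "low": "WARNING", "medium": "WARNING", "high": "ERROR", "critical": "ERROR"}
BANDIT_SEV = {"info": "all", "low": "low", "medium": "medium", "high": "high", "critical": "high"}
TRIVY_SEV = {"info": "LOW", "low": "LOW", "medium": "MEDIUM", "high": "HIGH", "critical": "CRITICAL"}


def _check_severity(params):
    sev = params.get("severity")
    if sev is not None and sev not in CANONICAL:
        raise ValueError(f"severity must be one of {CANONICAL}, got {sev!r}")
    return sev


def trivy_severity_list(minimum):
    """Trivy's --severity is a list, not a threshold, so a canonical minimum
    expands to the mapped level plus everything above it (high -> HIGH,CRITICAL)."""
    levels = []
    for level in CANONICAL[CANONICAL.index(minimum):]:
        if TRIVY_SEV[level] not in levels:
            levels.append(TRIVY_SEV[level])
    return ",".join(levels)


def build_opengrep(target, params):
    sev = _check_severity(params)
    argv = ["opengrep", "scan", "--json", "--config", params.get("config", "rules/")]  # rules/: assumed path
    if sev:
        argv += ["--severity", OPENGREP_SEV[sev]]
    for pattern in params.get("exclude_paths", []):
        argv += ["--exclude", pattern]
    if "baseline_commit" in params:
        argv += ["--baseline-commit", params["baseline_commit"]]
    if params.get("dataflow_traces"):
        argv.append("--dataflow-traces")
    for rule in params.get("exclude_rule", []):
        argv += ["--exclude-rule", rule]
    return argv + [target]


def build_bandit(target, params):
    sev = _check_severity(params)
    argv = ["bandit", "-r", "-f", "json"]
    if sev:
        argv += ["--severity-level", BANDIT_SEV[sev]]
    if params.get("exclude_paths"):
        argv += ["-x", ",".join(params["exclude_paths"])]  # -x takes one comma-separated value
    if params.get("tests"):
        argv += ["-t", ",".join(params["tests"])]
    if params.get("skips"):
        argv += ["-s", ",".join(params["skips"])]
    if "confidence_level" in params:
        argv += ["--confidence-level", params["confidence_level"]]
    if params.get("ignore_nosec"):
        argv.append("--ignore-nosec")
    return argv + [target]


def build_trivy_fs(target, params):
    sev = _check_severity(params)
    argv = ["trivy", "fs", "--format", "json"]
    if sev:
        argv += ["--severity", trivy_severity_list(sev)]
    if params.get("exclude_paths"):
        argv += ["--skip-dirs", ",".join(params["exclude_paths"])]
    for flag, key in (("--ignore-unfixed", "ignore_unfixed"),
                      ("--include-dev-deps", "include_dev_deps"),
                      ("--offline-scan", "offline_scan")):
        if params.get(key):
            argv.append(flag)
    return argv + [target]


def build_checkov(target, params):
    # Checkov has no severity flag on the CLI, so severity is deliberately ignored here.
    argv = ["checkov", "-o", "json", "-d", target]
    for pattern in params.get("exclude_paths", []):
        argv += ["--skip-path", pattern]
    if params.get("check"):
        argv += ["--check", ",".join(params["check"])]
    if params.get("skip_check"):
        argv += ["--skip-check", ",".join(params["skip_check"])]
    for framework in params.get("skip_framework", []):
        argv += ["--skip-framework", framework]
    if params.get("soft_fail"):
        argv.append("--soft-fail")
    return argv


def build_grype(target, params):
    # Grype has no minimum-severity flag: refuse loudly rather than drop the parameter.
    if "severity" in params:
        raise ValueError("grype: no native severity flag; filter post-scan or use fail_on")
    argv = ["grype", f"dir:{target}", "-o", "json"]
    for pattern in params.get("exclude_paths", []):
        argv += ["--exclude", pattern]
    if "fail_on" in params:
        argv += ["--fail-on", params["fail_on"]]
    if params.get("only_fixed"):
        argv.append("--only-fixed")
    if params.get("by_cve"):
        argv.append("--by-cve")
    return argv


BUILDERS = {"opengrep": build_opengrep, "bandit": build_bandit, "trivy": build_trivy_fs,
            "checkov": build_checkov, "grype": build_grype}


def build_command(tool, target, params):
    """Return argv as a list (never a shell string) so paths and globs need no quoting."""
    return BUILDERS[tool](target, dict(params))
```

Note the two lossy spots: OpenGrep folds low and medium into WARNING, so a canonical "medium" threshold still lets low-severity rules through, and Bandit has no level above high, so "critical" and "high" produce the same scan.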
Per-Bundle Parameter Support
Not all canonical parameters are meaningful for every bundle. Here's what's exposed in the UI per bundle:
| Bundle | Severity | Exclude Paths | Tool-Specific Params |
|---|---|---|---|
| plexicus-sast | ✓ | ✓ | Yes (opengrep, bandit) |
| plexicus-sca | ✗ | ✓ | Yes (grype) |
| plexicus-secrets | ✗ | ✗ | Yes (gitleaks, trufflehog) |
| plexicus-container | ✓ | ✓ | Yes (trivy) |
| plexicus-iac | ✗ | ✓ | Yes (checkov) |
| plexicus-cicd | ✗ | ✓ | Yes (checkov) |
| plexicus-cloud | ✗ | ✗ | None |
| plexicus-dast | ✓ | ✗ | Yes (nuclei) |
| plexicus-pentest | ✗ | ✗ | Yes (strix custom_prompt) |
| plexicus-sbom | ✗ | ✓ | Yes (syft) |
| plexicus-aibom | ✗ | ✗ | None |
| plexicus-cbom | ✗ | ✗ | None |
| plexicus-license | ✗ | ✓ | None |
| plexicus-scm | ✗ | ✗ | None |
| plexicus-registry | ✗ | ✗ | None |
Source: /Users/jpalanco/Projects/platform/shared/tool_bundle_params.py:239-250
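A configuration can name a bundle the plan does not include, or set a canonical parameter on a bundle that does not expose it; both get silently ignored or rejected at submission time. The following added example (not Plexicus code) validates a bundle configuration against the bundle table and the per-bundle support table above before it is sent. `BUNDLE_PLAN` and `PARAM_SUPPORT` transcribe those tables; the config layout (bundle name → parameters, with tool-specific parameters under a `tools` key) and the plan names used as keys are assumptions made for the illustration.

```python
"""Pre-flight validation of a bundle configuration against plan tier and
per-bundle parameter support.

Added example; not Plexicus code. The tables are transcribed from this
page; the config layout and plan keys are assumptions for illustration.
"""
CANONICAL = ["info", "low", "medium", "high", "critical"]
PLAN_RANK = {"starter": 0, "scale": 1}
STARTER_BUNDLES = {"plexicus-sast", "plexicus-sca", "plexicus-secrets"}
STRIX_PROMPT_MAX = 500

# bundle -> (severity exposed, exclude_paths exposed, tools with tool-specific params)
PARAM_SUPPORT = {
    "plexicus-sast": (True, True, {"opengrep", "bandit"}),
    "plexicus-sca": (False, True, {"grype"}),
    "plexicus-secrets": (False, False, {"gitleaks", "trufflehog"}),
    "plexicus-container": (True, True, {"trivy"}),
    "plexicus-iac": (False, True, {"checkov"}),
    "plexicus-cicd": (False, True, {"checkov"}),
    "plexicus-cloud": (False, False, set()),
    "plexicus-dast": (True, False, {"nuclei"}),
    "plexicus-pentest": (False, False, {"strix"}),
    "plexicus-sbom": (False, True, {"syft"}),
    "plexicus-aibom": (False, False, set()),
    "plexicus-cbom": (False, False, set()),
    "plexicus-license": (False, True, set()),
    "plexicus-scm": (False, False, set()),
    "plexicus-registry": (False, False, set()),
}


def required_plan(bundle):
    return "starter" if bundle in STARTER_BUNDLES else "scale"


def validate(config, plan):
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    if plan not in PLAN_RANK:
        return [f"unknown plan {plan!r}; expected one of {sorted(PLAN_RANK)}"]
    for bundle, params in config.items():
        if bundle not in PARAM_SUPPORT:
            problems.append(f"{bundle}: unknown bundle")
            continue
        needed = required_plan(bundle)
        if PLAN_RANK[plan] < PLAN_RANK[needed]:
            problems.append(f"{bundle}: requires {needed} plan or higher")
        severity_ok, exclude_ok, tools = PARAM_SUPPORT[bundle]
        severity = params.get("severity")
        if severity is not None:
            if not severity_ok:
                problems.append(f"{bundle}: severity is not exposed for this bundle")
            elif severity not in CANONICAL:
                problems.append(f"{bundle}: severity must be one of {CANONICAL}, got {severity!r}")
        if params.get("exclude_paths") and not exclude_ok:
            problems.append(f"{bundle}: exclude_paths is not exposed for this bundle")
        tool_params = params.get("tools", {})
        for tool in tool_params:
            if tool not in tools:
                problems.append(f"{bundle}: no tool-specific parameters for {tool!r}")
        prompt = tool_params.get("strix", {}).get("custom_prompt")
        if prompt is not None and len(prompt) > STRIX_PROMPT_MAX:
            problems.append(f"{bundle}: custom_prompt exceeds {STRIX_PROMPT_MAX} characters")
    return problems


if __name__ == "__main__":
    # Constructed config: a Starter-plan app that also asks for IaC scanning.
    sample = {
        "plexicus-sast": {"severity": "high", "exclude_paths": ["node_modules/"],
                          "tools": {"opengrep": {"dataflow_traces": True}}},
        "plexicus-sca": {"severity": "high"},
        "plexicus-iac": {"exclude_paths": ["test/"]},
    }
    for problem in validate(sample, "starter") or ["config OK"]:
        print(problem)
```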
Tool Selection Guide
For Python Projects
Enable plexicus-sast (Bandit) + plexicus-sca (Grype) + plexicus-secrets (Gitleaks). If using cryptography: add plexicus-cbom.
For Node.js / JavaScript
Enable plexicus-sast (OpenGrep) + plexicus-sca (Grype) + plexicus-secrets (Trufflehog). For monorepos with Kubernetes: add plexicus-iac.
For Infrastructure-as-Code (Terraform, CloudFormation, Helm)
Enable plexicus-iac (Checkov) + plexicus-cloud (CloudSploit if AWS/Azure/GCP account connected).
For Docker / Container Images
Enable plexicus-container (Trivy fs) + plexicus-registry (Trivy registry) for scanning published images. Add plexicus-license for license compliance.
For CI/CD Pipelines (GitHub Actions, GitLab CI, etc.)
Enable plexicus-cicd (Checkov) to audit workflow definitions for security misconfigurations.
For APIs & Web Applications
Enable plexicus-dast (Nuclei) to probe running applications for common HTTP vulnerabilities. For advanced testing: add plexicus-pentest (Strix AI).
For Bill of Materials & Compliance
Enable plexicus-sbom (Syft) for dependency inventory. Add plexicus-cbom for cryptographic assets, plexicus-aibom for ML models, plexicus-license for license risk, plexicus-scm for supply chain.
See Also
- xBOM (Bill of Materials) — Manage SBOM, CBOM, AIBOM exports and VEX statements
- Compliance Dashboard — Map findings to compliance frameworks
- Findings Remediation — Track and fix scanner discoveries