By Smithy Security scanning,results unification and enrichment tool (ASOC)
Security pipelines on Kubernetes. The purpose of this project is to provide a scalable and flexible framework to execute arbitrary security scanning tools on code and infrastructure while processing the results in a versatile way.
flowchart LR
S["Code Setup & Build"]
P_GoSec["Producer - GoSec (Golang)"]
P_SecBugs["Producer - SpotBugs (Java)"]
P_Bandit["Producer - Bandit (Python)"]
P_TFSec["Producer - TFSec (Terraform)"]
P_Aggregator["Producer - Results Aggregation"]
E_Deduplication["Enricher - Deduplication"]
E_Policy["Enricher - Policy"]
E_Aggregator["Enricher - Enriched Results Aggregator"]
C_Slack["Consumer - Slack"]
C_Elasticsearch["Consumer - Elasticsearch"]
C_Jira["Consumer - Jira"]
S-->P_TFSec
S-->P_GoSec
S-->P_SecBugs
S-->P_Bandit
P_TFSec-->P_Aggregator
P_GoSec-->P_Aggregator
P_SecBugs-->P_Aggregator
P_Bandit-->P_Aggregator
P_Aggregator-->E_Deduplication
P_Aggregator-->E_Policy
E_Policy-->E_Aggregator
E_Deduplication-->E_Aggregator
E_Aggregator-->C_Slack
E_Aggregator-->C_Elasticsearch
E_Aggregator-->C_Jira
The Getting Started tutorial explains how to get started with Smithy. You can also access our community contributed pipelines here.
This version of Smithy was announced at OWASP Appsec Dublin in 2023. Check out the slides and the video of the presentation.
If you have questions, reach out to us by opening a new issue on GitHub.
You can also get support on our Discord server.
Contributions are welcome, see the developing and releasing guides on how to get started.
Smithy is under the Apache 2.0 license. See the LICENSE file for details.