Integrate IaC security scanning into your SDLC in minutes
IaC Scanning built for iterative software development
CTO at ShopMonkey
Review
Review
Developers trust
Jit’s findings
Make many code and cloud security scanners feel like one
Detection
Semgrep provides lightweight static analysis security testing (SAST) for many languages. Compare Semgrep SAST results with other popular SAST tools. Jit adds our own rules to Semgrep to cover additional findings.
Use Gitleaks to surface hard-coded secrets that can be exploited by attackers to gain unauthorized access to the password-protected asset.
Use OSV-Scanner (by Google) to find existing vulnerabilities affecting your project’s dependencies. The tool uses the data provided by https://osv.dev. Support Python and PHP.
Use Trivy (by Aqua Security) to scan for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues.
Generate a Software Bill of Materials with Syft to quickly see dependencies in use.
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by a dedicated international team of volunteers. Use ZAP to run dynamic tests against web apps and APIs to surface a huge list of vulnerabilities.
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
Prowler is an spen source tool to perform AWS security best practices assessments, audits, continuous monitoring, hardening and forensics readiness. It contains more than 200 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
Legitify makes it east to detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets.
Gosec provides static application security testing (SAST) for code written in Go.
Own
Own
Use Trufflehog to surface hard-coded secrets that can be exploited by attackers to gain unauthorized access to the password-protected asset. Trufflehog can determine whether an hard-coded secret will be exposed in production.
Surface known vulnerabilities in open source components written in Javascript or Typescript. NPM-audit is powered by the GitHub Advisory Database.
Kubescape (by Armo) provides vulnerability and misconfiguration scanning for IaC files being deployed to Kubernetes.
Chain-bench by Aqua anaalyzes your software supply chain against new CIS Benchmarks.
Jit BP-checker verifies the GitHub Branch Protection is properly configured.
Own
Own
Own
Own
Own
Own
Own