Skip to content
Albert Tregnaghi edited this page Nov 2, 2020 · 11 revisions

About SecHub

SecHub enables the operation and integration of various security tools with one central API in a development environment.

What does this mean?

SecHub server orchestrates different security tools by one API layer. Users call SecHub Server but nor security tools directly, so projects / build pipelines do not need to implement different plugins etc. but just one single API. Also no plugin is necessary: SecHub client - written in go - is able to scan synchronous and break a build pipeline when necessary. The client can be easily integrated in every build system!

Overview

What can be done with SecHub?

  • easily integrate security tools

  • centralize your security infrastructure

  • switch between or combine different tools

  • mitigate affects to your projects

  • by just one single JSON file

How does it work ?

User perspective
  1. Inside a JSON file security setup is defined (e.g. code scan, infra scan, web scan,…​)

  2. REST API or small native client (which is more convenient) is used to create a SecHub job

  3. SecHub Job execution can be done

    • synchronous (break build on problems) or

    • asynchronous (does not break build)

  4. Overview reports with listed vulnerabilities can be downloaded in JSON or HTML output format.

  5. Exact details are still provided by tools, but can be easily access by SecHub reports with included links

Server perspective
  1. Server manages different SecHub Jobs

  2. A job belongs to a SecHub project

  3. A job can only be triggered by an user being a member of a project

  4. A project has a whitelist of URLs/IPs - so accidently scanning of other IPs/URLs is not possible…​

  5. Depending on the JSON configuration different product executors are started

  6. The product executor communicates with a security product by a dedicated product adapter.

  7. The product results are collected by SERECO (SecHub report collector)

What do you still need?

  • An existing security infrastructure which can be managed by SecHub! SecHub gives you central point for your build pipeline, your delivery chain etc. It helps to integrate, but it does not contain any security tools itself.

Which security tools are currently supported?

ℹ️
Currently only 3 tools (commercial products) are supported, but we will integrate more (and also open source tools) in near future!
  • Checkmarx

  • Netsparker

  • Nessus (but unfortunately REST API has changed/terminated in new version)

Documentation

Please refer to documentation wiki page

IDE integrations

IntelliJ (planned)

At the moment there is no integration in IDEA (IntelliJ) but we are working on it!

Clone this wiki locally