How it Works

The security plan contains security requirements (AppSec and non-AppSec) activated by the security champion.

Based on those requirements, Jit automatically executes the corresponding security tools once the plan is committed as code to the .jit repository.

There are several events that can execute a Jit security requirement:

  1. When the requirement is added from the Jit platform.
  2. As soon as a new resource is monitored.
  3. On the schedule specified for the security requirement.
  4. For AppSec requirements, on GitHub Pull Requests (PR) and commits on your monitored repositories.
Figure: Jit Orchestrator - Flows

Note: AppSec vs. Non-AppSec requirements

Security tools that check code in GitHub repositories are considered AppSec.

Jit translates AppSec tools into a centralized CI workflow (security.yml).

AppSec tools have two execution modes:

  • Full scan of the default branch.
  • Incremental scan of developers' PRs.

Current list of AppSec tools:

  • Static Code Analysis (SAST): Bandit, Semgrep, GoSec
  • Dependency check (SCA): npm-audit, Nancy, OWASP
  • Secrets detection: GitLeaks
  • Dockerfile scanning: Trivy
  • IaC security: KICS
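As an added illustration, not Jit's generated security.yml, the following GitHub Actions workflow shows what the two execution modes look like for one of the listed SAST tools, Semgrep: a full scan on pushes to the default branch and on a schedule, and a diff-aware incremental scan on pull requests. The default branch name main, the weekly cron schedule and the rule set (--config auto) are assumptions.

```yaml
name: security
on:
  push:
    branches: [main]          # full scan of the default branch (assumed to be "main")
  schedule:
    - cron: "0 3 * * 1"       # assumed weekly schedule; also runs a full scan
  pull_request:               # incremental scan of the changes in a PR

permissions:
  contents: read

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history so the PR's target branch is available for diffing

      - name: Install Semgrep
        run: python3 -m pip install --quiet semgrep

      # Default-branch and scheduled runs: scan the whole repository.
      - name: Full scan
        if: github.event_name != 'pull_request'
        run: semgrep scan --config auto --error .

      # Pull requests: report only findings introduced relative to the merge base
      # with the target branch, so developers see just what their change added.
      - name: Incremental scan
        if: github.event_name == 'pull_request'
        run: |
          base="$(git merge-base "origin/${{ github.base_ref }}" HEAD)"
          semgrep scan --config auto --error --baseline-commit "$base" .
```

The --error flag makes the job fail on findings, so the full scan gates the default branch while the incremental scan gates each PR on its own additions.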
