The security plan contains security requirements (AppSec and non-AppSec) activated by the security champion.
According to your security requirements, Jit automatically executes security tools when the plan is committed as code on the
There are several events that can execute a Jit security requirement:
- When the requirement is added from the Jit platform.
- As soon as a new resource is monitored.
- On the schedule specified for the security requirement.
- For AppSec requirements, on GitHub Pull Requests (PR) and commits on your monitored repositories.
AppSec vs. Non-AppSec requirements
Security tools that check code in GitHub repositories are considered AppSec.
Jit translates AppSec tools into a centralized CI workflow (security.yml).
AppSec tools have two execution modes:
- Full scan of the default branch.
- Incremental scan on developers' PRs, covering only the changes under review.
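To make the two execution modes concrete, here is an added illustrative GitHub Actions workflow. It is not Jit's generated security.yml and is not code from the Jit project; it shows the same idea with Bandit as the example SAST tool, and assumes the default branch is named `main` and that the repository contains Python code.

```yaml
# Added illustrative workflow (not Jit's security.yml): one job per execution mode.
# Assumptions: default branch is "main"; Bandit stands in for the AppSec tool.
name: appsec-example

on:
  push:
    branches: [main]        # full scan whenever the default branch changes
  pull_request:             # incremental scan on every PR against the repo

jobs:
  full-scan:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install bandit
      - name: Full scan of the default branch
        run: bandit -r . -f json -o bandit-full.json
      - uses: actions/upload-artifact@v4
        if: always()        # keep the report even when findings fail the step
        with:
          name: bandit-full
          path: bandit-full.json

  incremental-scan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so the base..head diff resolves
      - run: pip install bandit
      - name: Scan only the Python files touched by this PR
        run: |
          base="${{ github.event.pull_request.base.sha }}"
          head="${{ github.sha }}"
          # Added, copied, modified or renamed .py files; deletions are skipped
          changed=$(git diff --name-only --diff-filter=ACMR "$base" "$head" -- '*.py')
          if [ -z "$changed" ]; then
            echo "No Python files changed; nothing to scan."
            exit 0
          fi
          echo "$changed" | xargs bandit -f txt
```

Bandit exits non-zero when it reports findings, so either job fails the check on the commit or PR that introduced them; the incremental job limits that to the files in the diff, which is what keeps PR feedback fast while the default-branch job still covers everything.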
Current list of AppSec tools:
- Static Code Analysis (SAST): Bandit, Semgrep, GoSec
- Dependency check (SCA): npm-audit, Nancy, OWASP
- Secrets detection: GitLeaks
- Dockerfile scanning: Trivy
- IaC security: KICS