Code Security
To assess and scan your code at earlier stages of development, you can use Check Point Code Security, which brings CloudGuard's ability to detect and prevent risk in cloud deployments into the CI/CD pipeline. Code Security provides a single interface for the various CI/CD security steps.
Code Security capabilities:
- Scans your Infrastructure as Code (IaC) templates for risks
- Checks your software for known vulnerabilities
- Scans your collaboration and productivity tools
Your development team and/or DevSecOps team can use Code Security to scan:
- Git repositories. Code Security understands Git semantics, so it is especially useful for scanning source code.
- Software libraries, such as Node.js npm packages and Java JARs.
- Software deliverables, such as Android apps pulled from Google Play.
- Production artifacts, such as logs and storage.
- Containers, such as Docker containers built locally or pulled from Docker Hub.
Code Security scans text irrespective of programming language. It does this either directly or through the Code Security Toolchain, which unpacks and reads complex input sources. A typical CI scenario looks like this:
- Add Code Security to CI as a build step.
- Code Security scans your codebase with an ever-growing array of detectors.
- Matches are translated into findings (sensitive data, credentials, or other risks). Code Security can fail the build (or not, as you configure) and pinpoints the problem.
- A full report traces each finding to the source file and position, for easy risk assessment and mitigation.
You can also use SPEQL, a proprietary mini query language for detectors, to extend the built-in detectors with your own security policies. New detectors are checked in to the code repository alongside the code they protect. For more information, see Building Detectors.
Secure by Design
Code Security minimizes the attack surface by:
- Doing the right thing by default. For example, Code Security never shows you the secrets it finds; it only points you to their location.
- Never communicating your private data to the outside world.
- Never storing, indexing, or offloading sensitive file contents anywhere else, in or out of your data center (not even to temporary files). All scanning happens in real time, in memory. This is why performance is a design goal in Code Security: it is what makes security by design practical.
- Being built in Rust: a safe, compiled, borrow-checked language that has proven itself and is widely adopted in the security domain. No scripting languages, no toy languages, no compromise.
Input
An input source is any folder that holds files.
File systems:
- Git repositories - pre-commit or on CI
- Home folders (~) - to protect entire desktops
- Document folders - for scanning legal documents
- Cloud storage folders - for scanning files stored on Dropbox, Google Drive, and so on
And artifacts, such as:
- Container file systems - as a container security solution
- Android apps - as an app static-analysis engine
- Websites - as a remote scraping and monitoring security solution
- npm modules - as a build/production verification layer after a new module is pushed to production
Detectors
A detector is a formal way to express a security best practice or a secret-detection rule; it is the building block of security by design in Code Security.
Code Security comes with a premium, high-grade array of detectors, and it also allows and encourages you and your teams to add your own.
By letting you write custom detectors, Code Security lets your team build policies such as:
- Identify and sanitize private customer IDs and data
- Detect home-brewed secrets for internal systems
- Enforce policies such as "a test-only credit card with a certain pattern may only exist in the /examples folder"
For more information, see Building Detectors.
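As an added illustration, here is the "test-only card may only exist under /examples" policy, together with a home-brewed internal token and a customer ID, expressed as a small detector engine in Python. This is example code written for this page, not Check Point's code and not SPEQL (whose syntax this page does not document). The acme_live_ token prefix, the CUST- customer ID format, and the file contents are all constructed for the example. It shows the two properties the page asks of a detector: a path policy decides whether a match becomes a finding, and the output carries only the location and a masked preview, never the full secret.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed in-memory "repository" for this example (no real secrets).
FILES = {
    "examples/checkout.md": "Use test card 4242 4242 4242 4242 in the sandbox.\n",
    "src/billing.py": (
        "FALLBACK_CARD = '4111111111111111'  # TODO: remove before release\n"
        "API_TOKEN = 'acme_live_ABCDEFGHIJKLMNOPQRSTUVWX'\n"
    ),
    "src/report.py": (
        "customer = 'CUST-00418273'\n"
        "order_ref = '1234567890123456'  # looks like a card but fails Luhn\n"
    ),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Detector:
    name: str
    pattern: re.Pattern
    allowed_prefixes: tuple = ()                    # paths where a match is policy-compliant
    validate: Optional[Callable[[str], bool]] = None  # optional post-filter on the raw match


DETECTORS = [
    # Policy: a Luhn-valid card number is acceptable only under examples/;
    # anywhere else it is a finding.
    Detector("CREDIT_CARD", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), ("examples/",),
             lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    # Home-brewed internal token format (hypothetical prefix for this example).
    Detector("ACME_TOKEN", re.compile(r"\bacme_live_[A-Za-z0-9]{24}\b")),
    # Private customer identifiers that must not be committed (assumed format).
    Detector("CUSTOMER_ID", re.compile(r"\bCUST-\d{8}\b")),
]


def redact(value: str) -> str:
    """Keep just enough to recognise the match; never emit the whole secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan(files, detectors=DETECTORS):
    """Scan in-memory file contents. Returns (findings, suppressed); nothing is
    written to disk and findings carry only location plus a masked preview."""
    findings, suppressed = [], []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for det in detectors:
                for m in det.pattern.finditer(line):
                    if det.validate and not det.validate(m.group()):
                        continue
                    hit = {"rule": det.name, "path": path, "line": lineno,
                           "column": m.start() + 1, "preview": redact(m.group())}
                    if path.startswith(det.allowed_prefixes):
                        suppressed.append(hit)      # matches policy, not a finding
                    else:
                        findings.append(hit)
    return findings, suppressed


if __name__ == "__main__":
    found, allowed = scan(FILES)
    for f in found:
        print(f"{f['path']}:{f['line']}:{f['column']}  {f['rule']}  {f['preview']}")
    print(f"{len(found)} finding(s), {len(allowed)} match(es) allowed by policy")
```

The Luhn post-filter is what keeps a generic card regex from flooding the report with order numbers and timestamps; the allowed-prefix check is the whole of the "only in /examples" policy, and because the allowed match is recorded separately you can still audit that the test card really is where you expect it.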
Zero Configuration
Code Security integrates with your existing environment with zero configuration (no setup on your side):
- CI - such as TravisCI, CircleCI, and others
- Logging provider - such as Elastic
- Alert provider - such as Sentry and PagerDuty
- Automation infrastructure - by providing a raw JSON stream of events
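The following is an added example, not Check Point's code, of the automation hook described above and of the CI scenario earlier on this page: a build step that consumes the raw JSON event stream, decides whether to fail the build, and prints a report that traces each finding to file, line, and column. The event schema (rule_id, severity, path, line, column, message) and the sample events are assumptions made for this example; the real stream's field names may differ. A malformed line in the stream is skipped and counted rather than crashing the gate, and findings on a rule a reviewer has explicitly accepted are reported but do not block.

```python
import json
import sys
from collections import defaultdict

# Constructed newline-delimited JSON event stream.  Field names are an
# ASSUMPTION for this example; check the product documentation for the real schema.
SAMPLE_EVENTS = """\
{"rule_id": "AWS001", "severity": "error", "path": "src/deploy.py", "line": 12, "column": 18, "message": "AWS access key"}
{"rule_id": "GEN005", "severity": "warning", "path": "src/config.yml", "line": 3, "column": 9, "message": "Hard-coded password"}
{"rule_id": "CC001", "severity": "info", "path": "examples/checkout.md", "line": 40, "column": 5, "message": "Test credit card number"}
this line is not JSON and must not crash the gate
"""

FAIL_ON = {"error"}          # severities that fail the build
ACCEPTED_RISKS = {"CC001"}   # rule ids a reviewer has explicitly accepted


def parse_events(stream: str):
    """Parse an NDJSON event stream. Returns (findings, skipped_line_count);
    lines that are not valid JSON are skipped, not fatal."""
    findings, skipped = [], 0
    for raw in stream.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        findings.append({
            "rule_id": event.get("rule_id", "UNKNOWN"),
            "severity": str(event.get("severity", "info")).lower(),
            "path": event.get("path", "?"),
            "line": int(event.get("line", 0)),
            "column": int(event.get("column", 0)),
            "message": event.get("message", ""),
        })
    return findings, skipped


def gate(findings, fail_on=FAIL_ON, accepted=ACCEPTED_RISKS):
    """Return (exit_code, report_lines). Exit code 1 fails the build when any
    finding has a blocking severity and is not an accepted risk.  The report
    is ordered by file and position so a finding can be traced to its source."""
    blocking = [f for f in findings
                if f["severity"] in fail_on and f["rule_id"] not in accepted]
    by_file = defaultdict(list)
    for f in findings:
        by_file[f["path"]].append(f)
    report = []
    for path in sorted(by_file):
        for f in sorted(by_file[path], key=lambda e: (e["line"], e["column"])):
            tag = "ACCEPTED" if f["rule_id"] in accepted else f["severity"].upper()
            report.append(f"{path}:{f['line']}:{f['column']}  [{tag}] {f['rule_id']}  {f['message']}")
    return (1 if blocking else 0), report


if __name__ == "__main__":
    events, skipped = parse_events(SAMPLE_EVENTS)
    code, lines = gate(events)
    print("\n".join(lines))
    print(f"{len(events)} finding(s), {skipped} unparseable line(s), exit {code}")
    sys.exit(code)
```

In a real pipeline the stream would come from the scanner's output rather than the embedded sample; the report deliberately prints rule, location, and message only, so a secret never ends up in CI logs even when the build fails because of it.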
Platforms
Code Security is a single binary (around 12 MB). It has no external dependencies, no OS dependencies, and no networking requirements.
A binary is available for every major platform, and new platforms can be added without difficulty.
Binaries
Code Security can run on:
- Linux (GNU and musl)
- macOS
- Windows
- BSD
You can run Code Security on any hardware, on-premises or in the cloud.