Continuous DevSecOps — every push, eleven scanners.
Connect your source once. Every git push fans out to 11 scanners; findings are auto-mapped to OWASP · CERT-In · DPDP · RBI · SEBI · IRDAI, and routed to AI agents that open auto-fix PRs. No pasting code into textareas.
🧪Static Analysis (SAST)
Semgrep rule-pack + Aria AI rules on every push. SQL injection, XSS, command-injection, crypto weakness, deserialisation, SSRF, path traversal — flagged with auto-fix suggestions and blocking PR gate.
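The SQL-injection class above (CWE-89) is the easiest of the listed categories to show as a concrete static check. The block below is an added example written for this page, not the product's Semgrep rule-pack or Aria rules: it walks the Python AST, finds every call to a DB-API cursor sink (`execute`, `executemany`, `executescript`, an assumed sink list) and reports when the query argument is assembled at runtime by concatenation, `%`-formatting, `str.format()` or an f-string. A constant query with a separate parameter tuple, the form the auto-fix produces, is not reported. The sample source is constructed.

```python
"""CWE-89 check: SQL text built at runtime (concatenation, %-formatting,
str.format or an f-string) and passed straight to a DB-API cursor sink.
Added example for this page, not the product's Semgrep rule-pack; it uses
only the standard-library ast module."""
import ast
from dataclasses import dataclass
from typing import Optional

SQL_SINKS = {"execute", "executemany", "executescript"}   # assumed sink list


@dataclass
class Finding:
    line: int
    expr: str      # source text of the query argument
    reason: str


def dynamic_sql_reason(node: ast.AST) -> Optional[str]:
    """Return why the query argument is built at runtime, or None if literal."""
    if isinstance(node, ast.JoinedStr):
        return "f-string interpolated into SQL"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation into SQL"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting into SQL"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format() into SQL"
    return None


def scan_source(src: str) -> list:
    """Inspect the first positional argument of every call whose attribute
    name is a DB-API sink. A constant query plus a parameter tuple (the
    fixed form) produces no finding."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SQL_SINKS or not node.args:
            continue
        reason = dynamic_sql_reason(node.args[0])
        if reason:
            findings.append(Finding(node.lineno, ast.unparse(node.args[0]), reason))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample; lines 2, 3 and 5 are vulnerable, line 4 is the fixed form.
SAMPLE = '''
cur.execute("SELECT * FROM users WHERE id=" + uid)
cur.execute(f"SELECT * FROM users WHERE name='{name}'")
cur.execute("SELECT * FROM users WHERE id=%s", (uid,))
cur.execute("DELETE FROM sessions WHERE id=%s" % sid)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.reason}: {f.expr}")
```

A PR gate built on this would fail the check when `scan_source` returns anything at HIGH, which is what "blocking PR gate" means in practice; the same AST approach is how a rule is prototyped before it is expressed as a Semgrep pattern.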
Findings · acme/platform@main
| Severity | Finding | File | Compliance | Action |
|---|---|---|---|---|
✨ AI auto-fix preview
Aria reads each finding's call-graph, generates a typed patch, opens a PR with unit-test coverage & compliance annotation. Developer merges.
- cur.execute("SELECT * FROM users WHERE id=" + uid) + cur.execute("SELECT * FROM users WHERE id=%s", (uid,))
CWE-89 · SQLi · adds test_sqli_param_binding
📜Dependency Scanning (SCA)
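Review bot: the replacement line hard-codes the `%s` placeholder, which is the paramstyle of psycopg2, MySQLdb and PyMySQL; sqlite3 and any other driver reporting `paramstyle == "qmark"` expect `?`, so an auto-fix that always emits `%s` yields a patch that raises at runtime on those drivers. Pick the placeholder from the driver module's `paramstyle` attribute (every DB-API 2.0 driver exports it) before generating the patch, and have the added `test_sqli_param_binding` run against the driver actually used by the repo rather than a mock cursor.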
OSV + NVD + GitHub Advisory lookups across npm, pip, maven, go, cargo, rubygems. Critical CVE SLA 72h. License-violation blocks build. Auto-PR for patch-available upgrades.
Vulnerable packages
| Severity | Package | Installed → Fixed | CVE · Compliance | Action |
|---|---|---|---|---|
📋SBOM Generator
CycloneDX 1.5 / SPDX 2.3 inventory attached to every release. Stored 7 years. Queryable when the next Log4Shell drops. Required by US EO 14028 and incoming CERT-In mandate.
Recent SBOMs
| Artifact | Release | Format | Components | Attestation | Action |
|---|---|---|---|---|---|
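The SBOM section above and the SCA section before it describe one pipeline: an inventory per release, a lookup of each component against a vulnerability source, and a remediation clock. The block below is an added example for both sections, not the product's generator or its OSV integration. It builds a CycloneDX 1.5 JSON document from a pinned `requirements.txt`, answers the "which releases ship package X" question across stored SBOMs, prepares the body for OSV's `querybatch` endpoint (not sent here), and turns an advisory into a remediation with the 72h critical SLA. The lockfiles, release names, the SLA table for non-critical severities and the advisory (its id is a placeholder, not a real OSV/CVE record) are all constructed.

```python
"""Added example for the SBOM and SCA sections (not the product's own code):
CycloneDX 1.5 inventory from a pinned requirements.txt, cross-release query,
OSV querybatch body, and a remediation with the 72h critical SLA.
Lockfiles, releases and the advisory below are constructed."""
import json
import re
from datetime import datetime, timedelta, timezone

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*==\s*([^\s;#]+)")
SLA_HOURS = {"CRITICAL": 72, "HIGH": 168, "MEDIUM": 720}   # CRIT from the page, others assumed


def parse_requirements(text):
    """Pinned lines only: an unpinned dependency is an error, not a guess."""
    comps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned dependency: {line}")
        name = m.group(1).lower().replace("_", "-")
        purl = f"pkg:pypi/{name}@{m.group(2)}"
        comps.append({"type": "library", "name": name, "version": m.group(2),
                      "purl": purl, "bom-ref": purl})
    return comps


def build_sbom(artifact, release, components):
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application",
                                        "name": artifact, "version": release}},
            "components": components}


def releases_containing(sboms, package):
    """The Log4Shell question: (artifact, release, installed version) for
    every stored SBOM that lists `package`."""
    package = package.lower()
    return [(b["metadata"]["component"]["name"],
             b["metadata"]["component"]["version"], c["version"])
            for b in sboms for c in b["components"] if c["name"] == package]


def osv_querybatch(components):
    """Body for POST https://api.osv.dev/v1/querybatch; built, not sent."""
    return {"queries": [{"package": {"purl": c["purl"]}} for c in components]}


def _vtuple(v):
    return tuple(int(p) for p in re.findall(r"\d+", v))


def remediation(component, advisory, seen_at):
    """advisory = {"id", "severity", "fixed"}; None when already at/after the fix."""
    if _vtuple(component["version"]) >= _vtuple(advisory["fixed"]):
        return None
    return {"package": component["name"], "installed": component["version"],
            "fixed": advisory["fixed"], "advisory": advisory["id"],
            "deadline": seen_at + timedelta(hours=SLA_HOURS[advisory["severity"]]),
            "action": "auto-PR: bump to fixed version"}


# Constructed inputs for the example.
PLATFORM_REQS = "requests==2.31.0\nurllib3==1.26.5  # from lockfile\n"
BILLING_REQS = "requests==2.31.0\n"
SBOMS = [build_sbom("platform-api", "v4.12.1", parse_requirements(PLATFORM_REQS)),
         build_sbom("billing-web", "v2.18.0", parse_requirements(BILLING_REQS))]
ADVISORY = {"id": "ADV-EXAMPLE-0001", "severity": "CRITICAL", "fixed": "1.26.18"}  # placeholder id

if __name__ == "__main__":
    print(json.dumps(SBOMS[0], indent=1))
    seen = datetime(2026, 4, 1, tzinfo=timezone.utc)
    for artifact, release, ver in releases_containing(SBOMS, "urllib3"):
        print(artifact, release, remediation({"name": "urllib3", "version": ver}, ADVISORY, seen))
```

The version comparison is deliberately simple (numeric dotted versions only); a production implementation should use PEP 440 ordering via the `packaging` library so that pre-releases and post-releases sort correctly.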
🔒Secrets Scanner
Pre-receive git hook blocks 200+ secret patterns + entropy. Full history walk on first connect. AWS / GitHub / Stripe / Slack tokens auto-revoked via vendor APIs. Rotation SLA < 4h for anything that slipped.
Detected secrets (across git history)
| Severity | Type | Location | Status | Action |
|---|---|---|---|---|
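The secrets scanner above is described as a pre-receive hook combining token patterns with an entropy check. The block below is an added example for this page, not the product's hook: git invokes it with one `<old-sha> <new-sha> <refname>` line per updated ref on stdin, it diffs each ref (against git's empty tree for a new branch), scans every added line, and rejects the push with exit status 1 if anything matches. The pattern set is a small illustrative subset of the 200+ the page cites, the entropy threshold is assumed tuning, and the sample diff uses the placeholder keys from AWS's own documentation.

```python
#!/usr/bin/env python3
"""Pre-receive hook: reject a push whose added lines match a known token
shape or carry a high-entropy string. Added example for this page, not the
product's hook; the pattern set is a small illustrative subset and the
entropy threshold is assumed tuning."""
import math
import re
import subprocess
import sys
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
ENTROPY_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.3   # bits/char; base64-like key material of 32+ chars scores above 4.5
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"   # git's empty tree object


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(text):
    """Names of matched patterns; entropy is consulted only when no pattern hit."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
    if not hits and any(shannon_entropy(t) >= ENTROPY_THRESHOLD
                        for t in ENTROPY_CANDIDATE.findall(text)):
        hits.append("high_entropy_string")
    return hits


def scan_diff(diff_text):
    """(path, kind) for every added line of a unified diff."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("+") and not line.startswith("+++"):
            findings.extend((path, kind) for kind in scan_line(line[1:]))
    return findings


def main():
    """git pipes '<old-sha> <new-sha> <refname>' per updated ref on stdin."""
    blocked = []
    for update in sys.stdin:
        old, new, ref = update.split()
        if set(new) == {"0"}:                      # ref deletion carries no content
            continue
        base = EMPTY_TREE if set(old) == {"0"} else old   # new branch: diff from empty
        diff = subprocess.run(["git", "diff", base, new],
                              capture_output=True, text=True, check=True).stdout
        blocked.extend((ref, p, k) for p, k in scan_diff(diff))
    for ref, path, kind in blocked:
        print(f"REJECTED {ref}: {kind} in {path}", file=sys.stderr)
    sys.exit(1 if blocked else 0)


# Constructed sample diff; the two AWS values are the placeholders from AWS's docs.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+HEALTH_URL = "https://example.internal/api/v1/health"
"""

if __name__ == "__main__":
    main()
```

The same `scan_diff` run over `git log -p --all` is the "full history walk on first connect": a secret that was committed and later deleted is still in history and still needs rotation, which is why the hook's result feeds a rotation queue rather than being the end of the story.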
🏗Infrastructure-as-Code
Checkov · tfsec · kube-linter · KICS run on every Terraform / Helm / Dockerfile / Pulumi PR. Block merge on CRIT. Per-cloud rule-pack. Exception workflow with auto-expiring waivers.
Misconfigurations
| Severity | Finding | File · Resource | Compliance | Action |
|---|---|---|---|---|
📦Container Analyzer
Trivy + Grype layer-by-layer scan. Dockerfile best-practices. Digest-pinning verified. Runs on every image tag push to GHCR / ECR / GAR / ACR. Admission-controller blocks unsigned images at deploy.
Image vulnerabilities
| Severity | Issue | Image · Layer | Compliance | Action |
|---|---|---|---|---|
🗺Production Source-Map Exposure
Crawls the prod frontend and fails the build if .map files are reachable. Source maps leak unminified code + internal API paths.
Source map exposure scanner — available in our Q3 release
We're holding this scanner back until it can do the full closed loop:
crawl your production frontend, harvest secrets and internal API paths
from any reachable .map file, and auto-rotate or open a
webpack patch PR. Shipping just a half-loop scanner would fail the
ChatGPT Test — that's a 20-line script anyone can write.
For early access ahead of Q3, email dayananda@anthrotech.in — we are onboarding a small number of design partners for this shield.
📎Document-Metadata Scrubber
Strips PDF / Office metadata that leaks author usernames, internal paths, software versions, GPS coords on publish.
Release metadata scrubber — available in our Q3 release
The scrubber depends on per-channel publish hooks (Marketing CMS, Sales enablement, Legal e-sign, HR portals) that we are wiring customer-by-customer rather than shipping a generic ExifTool wrapper. A button that runs ExifTool on a one-off upload would fail the ChatGPT Test.
For early access ahead of Q3, email dayananda@anthrotech.in — we are onboarding a small number of design partners for this shield.
📊AppSec Posture
The exec scorecard — rolls up SAST · SCA · Secrets · DAST · RASP into a single organisation grade. Mapped to OWASP ASVS, NIST SSDF, and CERT-In guidelines. Trend vs last quarter.
📊 Org-wide Summary LAYER 4
🧪 SAST — every repo, every PR (T120)
Semgrep rule-pack. Block merge on HIGH. Author-assigned fixes. Tracks mean-time-to-fix per severity.
| Repo | Runs/week | Findings (30d) | MTTF | Block rate |
|---|---|---|---|---|
| acme/platform | 214 | HIGH 2 · MED 14 | 22h | 100% |
| acme/api | 186 | HIGH 0 · MED 8 | — | 100% |
| acme/billing | 94 | HIGH 1 · MED 12 | 41h | 100% |
| acme/mobile | 62 | HIGH 0 · MED 4 | — | 100% |
| acme/infra (tf) | 38 | HIGH 3 · MED 22 | 54h | 100% |
📜 SCA — CVE · License · EOL (T121)
Snyk / OSV / Trivy daily pull. Auto-PR for patch-available. Critical CVE SLA 72h. License-violation blocks build.
| Finding | Package | Repo | Severity | Action |
|---|---|---|---|---|
| CVE-2026-1841 | libxml2 2.9.14 | platform | CRIT | patch PR opened |
| CVE-2026-2018 | axios 0.21.4 | api | HIGH | upgrade 1.6.x |
| License violation | sharp-gpl | mobile | AGPL | remove · use sharp |
| EOL upstream | python 3.8 | etl | EOL | upgrade to 3.12 |
| CVE-2025-52812 | golang 1.21.4 | infra | CRIT | auto-PR in review |
🔒 Secret-Scan Push-Protection (T122)
Pre-receive hook blocks secret patterns on every repo org-wide. Rotation SLA < 4h on any leak that slipped through.
| Repo coverage | Patterns | Blocks (30d) | Slipped | Rotation SLA |
|---|---|---|---|---|
| 312 / 312 (100%) | 142 (git-versioned) | 42 pre-commit | 4 | 3h 12m mean |
🎯 DAST — Nightly on staging (T123)
ZAP / Burp-Enterprise with auth-cookie replay. Diff vs prior night. Feeds triage queue.
| Target | Last run | Findings (diff) | Auth replay | State |
|---|---|---|---|---|
| stage.[your-org].com | 04:18 today | +2 HIGH · +6 MED | ✓ | TRIAGE |
| stage-api.[your-org].com | 04:22 today | 0 new | ✓ | CLEAN |
| stage-billing.[your-org].com | 04:26 today | +1 HIGH (IDOR) | ✓ | P0 |
🛡 RASP — Runtime App Self-Defense (T128)
Blocks exploit-attempt patterns in real time on top-5 critical apps. Telemetry streams to secops data lake.
| App | RASP agent | Blocks (7d) | Kind | Perf overhead |
|---|---|---|---|---|
| payments-api | Contrast | 18 | SQLi · SSRF · CMD-inj | 3.2% |
| billing-web | Contrast | 4 | deserialization attempt | 2.8% |
| auth-svc | Contrast | 12 | path-traversal · SSRF | 3.1% |
| kyc-upload | Contrast | 6 | XXE attempt | 2.9% |
| admin-console | Contrast | 2 | JWT tamper | 3.0% |
🔌API Security
Runtime traffic vs OpenAPI spec. OWASP API Top-10 coverage. Shadow / zombie endpoint detection, BOLA · IDOR scoring, rate-limit drift, SSRF → IMDS hardening, auth-scope audit.
🔌 API Overview LAYER 4
🔎 API Discovery + Schema Drift (T124)
Compare prod traffic to OpenAPI spec. Undocumented endpoints get an owner assignment within the sprint.
| Endpoint | Method | Traffic (7d) | In spec? | Owner | State |
|---|---|---|---|---|---|
| /api/v1/billing/invoice/:id | GET | 42k | ✓ | billing-eng | OK |
| /api/v1/internal/debug/dump | POST | 120 | ✗ | — | ZOMBIE · REMOVE |
| /api/v2/kyc/documents/:uuid | GET | 12k | ✓ | kyc-team | OK |
| /api/v1/admin/user/:id/impersonate | POST | 6 | spec missing | platform | DOCUMENT + AUTHZ |
| /healthz | GET | 4.2M | ✓ | platform | OK |
🎯 BOLA / IDOR Detector (T125)
Detects the identity-A-reads-identity-B's-object pattern on the API wire, with a per-endpoint authorization-pattern check.
| Endpoint | Pattern | Score | Action |
|---|---|---|---|
| /api/v1/invoice/:id | user_42 reading user_99's invoices | 91 | block + open ticket |
| /api/v1/users/:id/profile | mass enumeration /1..9999 | 88 | rate-limit + auth-check |
| /api/v2/support/tickets/:id | cross-tenant guess | 62 | investigate |
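Both patterns in the table, a cross-owner read and sequential id enumeration, can be scored offline from access logs once object ownership is known. The block below is an added example for this page, not the product's scoring model: it templatizes paths into endpoint keys, counts successful (2xx) reads of objects owned by a different principal, detects mostly-consecutive id walks, and returns a score per (endpoint, principal). The log lines, the ownership table, the score weights and the enumeration threshold are constructed or assumed; a 403 is treated as authorization working, not as a finding.

```python
"""Offline BOLA/IDOR detector over API access logs. Added example for this
page, not the product's scoring model; log lines, the ownership table and
the score weights are constructed/assumed."""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<principal>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
OBJ_ID = re.compile(r"/(\d+)(?=/|$)")


def templatize(path):
    """/api/v1/invoice/1001 -> /api/v1/invoice/:id (the endpoint key)."""
    return OBJ_ID.sub("/:id", path)


def detect(lines, owner_of, enum_threshold=20, admins=frozenset()):
    """owner_of: {(endpoint_template, object_id): owning principal}.
    Returns {(endpoint, principal): {"score": int, "reasons": [...]}}.
    Only 2xx responses count towards cross-owner access: a 403 means authz worked."""
    cross = defaultdict(set)      # (endpoint, principal) -> ids read that belong to others
    ids_seen = defaultdict(set)   # (endpoint, principal) -> every id touched
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["principal"] in admins:
            continue
        ep = templatize(m["path"])
        key = (ep, m["principal"])
        for obj in map(int, OBJ_ID.findall(m["path"])):
            ids_seen[key].add(obj)
            owner = owner_of.get((ep, obj))
            if m["status"].startswith("2") and owner is not None and owner != m["principal"]:
                cross[key].add(obj)
    results = {}
    for key, ids in ids_seen.items():
        score, reasons = 0, []
        if cross[key]:
            score = min(100, 60 + 10 * len(cross[key]))            # assumed weighting
            reasons.append(f"2xx on {len(cross[key])} object(s) owned by another identity")
        if len(ids) >= enum_threshold:
            s = sorted(ids)
            consecutive = sum(1 for a, b in zip(s, s[1:]) if b - a == 1) / (len(s) - 1)
            if consecutive >= 0.8:
                score = max(score, 85)
                reasons.append(f"sequential enumeration of {len(ids)} ids")
        if score:
            results[key] = {"score": score, "reasons": reasons}
    return results


# Constructed sample: user_42 reads user_99's invoice, user_7 walks profiles 1..25,
# and user_99 is correctly refused on invoice 1001.
OWNERS = {("/api/v1/invoice/:id", 1001): "user_42", ("/api/v1/invoice/:id", 2002): "user_99"}
LOGS = ["2026-04-01T10:00:00Z user_42 GET /api/v1/invoice/1001 200",
        "2026-04-01T10:00:01Z user_42 GET /api/v1/invoice/2002 200",
        "2026-04-01T10:00:02Z user_99 GET /api/v1/invoice/1001 403",
        ] + [f"2026-04-01T10:01:{i:02d}Z user_7 GET /api/v1/users/{i}/profile 200"
             for i in range(1, 26)]

if __name__ == "__main__":
    ranked = sorted(detect(LOGS, OWNERS).items(), key=lambda kv: -kv[1]["score"])
    for (ep, who), r in ranked:
        print(f"{r['score']:3d} {who} {ep} :: {'; '.join(r['reasons'])}")
```

On the wire the ownership table comes from the service's own data model (or from the "create" responses seen earlier in the traffic), which is why this detector is useful for scoring but the block-and-ticket action in the table still needs a human or the owning team to confirm the authorization rule.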
⏲ API Rate-Limit + Abuse-Prevention (T126)
Per-key · per-IP · per-endpoint quotas. Anomaly detection for a client that is new and suddenly noisy.
| Endpoint | Quota | Triggers (24h) | Top offender | Action |
|---|---|---|---|---|
| /auth/login | 5 / 10s / IP | 84 | 185.22.x.x · AS45090 | block 24h |
| /api/v1/search | 60 / min / key | 12 | key pk_live_…8b | 429 returned |
| /api/v1/export | 10 / min / user | 4 | internal analytics | 429 + owner notify |
| /api/v2/bulk | 2 / sec / org | 18 | vendor integration | upgrade path emailed |
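The quotas in the table are written as "limit / window / scope". The block below is an added example for this page, not the product's limiter: it parses that notation, keeps one token bucket per scope value (IP, API key, user or org) and returns the allow/deny decision together with the `Retry-After` value a 429 should carry. The mapping from scope to request field and the clock injection are assumptions for the example; the sample client address is from the TEST-NET-3 documentation range.

```python
"""Per-endpoint token-bucket limiter that reads quotas in the page's own
notation ("5 / 10s / IP", "60 / min / key"). Added example, not the
product's limiter; the scope-to-request-field mapping is assumed."""
import math
import re
import time

QUOTA_RE = re.compile(r"^\s*(\d+)\s*/\s*(\d*)\s*(sec|s|min|h)\s*(?:/\s*(ip|key|user|org))?\s*$", re.I)
UNIT_SECONDS = {"s": 1, "sec": 1, "min": 60, "h": 3600}
SCOPE_FIELD = {"ip": "client_ip", "key": "api_key", "user": "user_id", "org": "org_id"}  # assumed


def parse_quota(text):
    """'5 / 10s / IP' -> (5, 10.0, 'ip'); '60 / min / key' -> (60, 60.0, 'key')."""
    m = QUOTA_RE.match(text)
    if not m:
        raise ValueError(f"bad quota: {text!r}")
    limit, n, unit, scope = m.groups()
    window = (int(n) if n else 1) * UNIT_SECONDS[unit.lower()]
    return int(limit), float(window), (scope or "ip").lower()


class EndpointLimiter:
    """One bucket per scope value. Capacity = limit, refill = limit/window per
    second, so a burst of `limit` is allowed and then the steady rate applies."""

    def __init__(self, quota, clock=time.monotonic):
        self.limit, self.window, self.scope = parse_quota(quota)
        self.rate = self.limit / self.window
        self.clock = clock
        self.buckets = {}   # scope value -> (tokens, last_refill_timestamp)

    def check(self, request):
        """(allowed, retry_after_seconds). A request without the scope field is
        rejected rather than silently sharing one bucket with everyone else."""
        ident = request.get(SCOPE_FIELD[self.scope])
        if ident is None:
            return False, 0
        now = self.clock()
        tokens, last = self.buckets.get(ident, (float(self.limit), now))
        tokens = min(float(self.limit), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[ident] = (tokens - 1.0, now)
            return True, 0
        self.buckets[ident] = (tokens, now)
        return False, math.ceil((1.0 - tokens) / self.rate)


if __name__ == "__main__":
    login = EndpointLimiter("5 / 10s / IP")
    for i in range(7):
        ok, retry = login.check({"client_ip": "203.0.113.7"})
        print(i + 1, "200" if ok else f"429 Retry-After: {retry}")
```

The "new client suddenly noisy" anomaly in the section text is a separate signal layered on top: compare a key's request rate to its own trailing baseline rather than to the static quota, since a key that is well under quota can still be an order of magnitude above what it did yesterday.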
🔐 SSRF → IMDS Block (T127)
Workload egress is limited to an allow-list of destinations. IMDSv2 is required with a hop limit of 1, and 169.254.169.254 is hard-blocked from application VPCs.
| Control | Status | Coverage | Last verified |
|---|---|---|---|
| IMDSv2 required (hop-limit 1) | ENFORCED | 100% of EC2 | today |
| Metadata endpoint blocked from app VPCs | ENFORCED | SCP + NACL | today |
| Outbound URL fetcher allow-list | ENFORCED | 74 FQDNs | today |
| Kubernetes metadata API firewalled | ENFORCED | all clusters | today |
| SSRF fuzz · quarterly drill | PASS | 5 apps | 14d ago |
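The "outbound URL fetcher allow-list" row is the application-side half of the IMDS story, and it has a classic failure mode: checking a hostname, then letting the HTTP client resolve it again at connect time, which a rebinding DNS record defeats. The block below is an added example for this page, not the product's control: it allows only `http`/`https`, rejects userinfo and anything not on an FQDN allow-list, resolves the host once, checks every returned address against link-local (including the IMDS address), loopback, private and IPv4-mapped ranges, and returns the pinned IP so the caller connects to what was checked. The allow-list and the fake resolver are constructed; the addresses are from documentation ranges.

```python
"""Outbound URL fetcher guard: scheme and host allow-list, then resolve and
pin the address so the connection goes to the checked IP. Added example for
this page, not the product's control; allow-list and resolver are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example", "hooks.example.net"}   # assumed allow-list (FQDNs only)
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "fe80::/10",                 # link-local incl. 169.254.169.254 (IMDS)
    "127.0.0.0/8", "::1/128", "0.0.0.0/8",         # loopback / this-host
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "100.64.0.0/10",
    "::ffff:0:0/96",                               # IPv4-mapped IPv6, e.g. ::ffff:169.254.169.254
)]


class SSRFBlocked(Exception):
    pass


def default_resolver(host):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def pin_outbound(url, resolver=default_resolver):
    """Return (host, ip, port) for a permitted fetch; raise SSRFBlocked otherwise.
    Call again on every redirect hop: the first URL is not the last one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise SSRFBlocked("userinfo in URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:          # IP literals fail here too: only FQDNs are listed
        raise SSRFBlocked(f"host {host!r} not on allow-list")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(host)
    if not addrs:
        raise SSRFBlocked(f"{host} did not resolve")
    for a in addrs:                         # every answer must be clean, not just the first
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in BLOCKED_NETS) or ip.is_multicast or ip.is_reserved:
            raise SSRFBlocked(f"{host} resolves to blocked address {a}")
    return host, addrs[0], port


def is_permitted(url, resolver=default_resolver):
    try:
        pin_outbound(url, resolver)
        return True
    except SSRFBlocked:
        return False


# Constructed resolver standing in for DNS in the example.
FAKE_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "hooks.example.net": ["203.0.113.5", "169.254.169.254"],   # rebinding-style answer set
}

if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/export",
              "https://hooks.example.net/x",
              "http://169.254.169.254/latest/meta-data/",
              "http://api.partner.example@169.254.169.254/"):
        try:
            print(u, "->", pin_outbound(u, resolver=lambda h: FAKE_DNS.get(h, [])))
        except SSRFBlocked as e:
            print(u, "-> BLOCKED:", e)
```

The pinned IP only helps if the HTTP client actually uses it (connect to the IP, send the original `Host` header, and verify TLS against the original hostname); a client that re-resolves on its own reintroduces the rebinding window. On the instance side, the matching infrastructure setting is `aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1`, which is what the "IMDSv2 required (hop-limit 1)" row enforces.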
📦Supply Chain Integrity
SLSA L3 provenance, sigstore signatures, dependency pinning, typosquat detection, AI-BOM for every model. The build pipeline itself is a control point; SolarWinds, Codecov and xz-utils are the class of compromise these controls exist to catch.
📦 Supply-Chain Overview LAYER 4
📋 SBOM per Build (T129)
CycloneDX / SPDX attached to every release artifact. Stored 7y. Queryable when the next log4j drops.
| Artifact | Release | Format | Components | Attestation |
|---|---|---|---|---|
| platform-api | v4.12.1 | CycloneDX 1.5 | 842 direct · 2,416 transitive | sigstore · attached |
| billing-web | v2.18.0 | CycloneDX 1.5 | 312 direct · 1,108 transitive | sigstore · attached |
| mobile-ios | v8.4.0 | SPDX 2.3 | 214 direct · 488 transitive | App-Store-Connect |
| mobile-android | v8.4.0 | SPDX 2.3 | 186 direct · 612 transitive | Play-console |
🤖 AI-BOM — Models · Weights · Datasets (T130)
Every model in production has owner + source + SHA-256 + eval-report. Pickle is blocked — safetensors only. Picklescan CI gate.
| Model | Source | Format | SHA-256 | Eval | Status |
|---|---|---|---|---|---|
| aria-triage-v3 | internal · fine-tune | safetensors | a1e0…c7 | ✓ passed | PROD |
| llama-3.1-70b-instruct | hf/meta-llama | safetensors | 33f7…21 | ✓ passed | PROD |
| all-MiniLM-L6-v2 | hf/sentence-transformers | safetensors | 8b32…e0 | ✓ passed | PROD |
| guard-pi-v2 | Lakera | safetensors (SaaS) | remote | ✓ passed | PROD |
| shady-huggingface-dl | hf/unknown | pickle (.bin) | — | — | BLOCKED · picklescan |
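The "pickle is blocked, safetensors only" rule in this section rests on one fact: unpickling runs whatever callables the stream names, so a model file is code. The block below is an added example for this page, not picklescan or the product's CI gate: it lists every global a pickle stream would import using `pickletools.genops` (which parses opcodes without executing them), handling both the protocol 0-3 `GLOBAL` opcode and the protocol 4+ `STACK_GLOBAL` form, flags anything outside a small allow-list, and accepts a `.safetensors` file only after its header parses. The allow-list and all sample bytes are constructed; the malicious sample is the textbook `os.system` reduce payload and is never unpickled.

```python
"""Model-artifact gate: list the globals a pickle would import without
loading it, flag anything outside an allow-list, and validate safetensors
headers. Added example for this page, not picklescan or the product's gate."""
import collections
import json
import pickle
import pickletools
import struct

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
SAFE_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
                "torch.FloatStorage", "numpy.core.multiarray._reconstruct",
                "numpy.ndarray", "numpy.dtype"}   # assumed allow-list


def pickle_globals(data):
    """Every (module.name, offset) the stream would import, without loading it.
    GLOBAL carries 'module name' as its argument; STACK_GLOBAL (proto 4+)
    consumes the two most recently pushed strings."""
    found, strings = [], []
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            mod, name = arg.split(" ", 1)
            found.append((f"{mod}.{name}", pos))
        elif op.name == "STACK_GLOBAL":
            found.append((f"{strings[-2]}.{strings[-1]}", pos))
    return found


def unsafe_pickle_refs(data, allow=SAFE_GLOBALS):
    return [(g, pos) for g, pos in pickle_globals(data) if g not in allow]


def safetensors_header(data):
    """safetensors = u64 little-endian header length, JSON header, raw tensor bytes.
    Returns the parsed header or raises ValueError on a malformed layout."""
    if len(data) < 8:
        raise ValueError("too short for a safetensors header")
    (n,) = struct.unpack("<Q", data[:8])
    if n > len(data) - 8:
        raise ValueError("header length exceeds file")
    header = json.loads(data[8:8 + n])
    for name, meta in header.items():
        if name != "__metadata__" and not {"dtype", "shape", "data_offsets"} <= meta.keys():
            raise ValueError(f"tensor {name!r} missing dtype/shape/data_offsets")
    return header


def gate(filename, data):
    """CI decision per artifact: ('PROD' | 'BLOCKED', reason). Pickle is never
    promoted; the reason only says whether it was merely pickle or also hostile."""
    if filename.endswith(".safetensors"):
        try:
            safetensors_header(data)
            return "PROD", "safetensors header ok"
        except ValueError as e:
            return "BLOCKED", str(e)
    bad = unsafe_pickle_refs(data)
    if bad:
        return "BLOCKED", f"pickle imports {bad[0][0]} at offset {bad[0][1]}"
    return "BLOCKED", "pickle format not accepted; convert to safetensors"


# Constructed samples: the classic os.system reduce payload (never unpickled here),
# a harmless protocol-4 OrderedDict, and a minimal one-tensor safetensors file.
MALICIOUS = b'cos\nsystem\n(S"id"\ntR.'
BENIGN = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
_hdr = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
SAFETENSORS = struct.pack("<Q", len(_hdr)) + _hdr + bytes(8)

if __name__ == "__main__":
    for fn, blob in (("pytorch_model.bin", MALICIOUS), ("state.pkl", BENIGN),
                     ("model.safetensors", SAFETENSORS)):
        print(fn, gate(fn, blob))
```

An allow-list of globals is the right shape because the dangerous set is open-ended (`os.system`, `subprocess.Popen`, `builtins.eval`, anything reachable through `__reduce__`); a deny-list of known-bad names is what attackers test against.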
✍ Signed Commits + Signed Releases (T131)
Sigstore / cosign. Build artifacts signed. Verify at deploy. SLSA L3 provenance attestation on core pipelines.
| Repo / pipeline | Signing | SLSA | Last artifact | Verify at deploy |
|---|---|---|---|---|
| acme/platform | sigstore · keyless | L3 | v4.12.1 · today | ✓ required |
| acme/api | sigstore · keyless | L3 | v3.08.0 · yday | ✓ required |
| acme/billing | cosign · kms-key | L3 | v2.18.0 · today | ✓ required |
| acme/mobile | Apple · Google | n/a | v8.4.0 · 6h | ✓ store-enforced |
| acme/docs-site | gh-pages · unsigned | L1 | — | info-only |
🎫 CI/CD OIDC-Only (T132)
GitHub / GitLab → Cloud via OIDC. No long-lived cloud creds in runners. Remaining static creds audited with a kill-date.
| Pipeline | Target cloud | Auth method | Static creds | Kill-date |
|---|---|---|---|---|
| platform-ci | AWS prod | OIDC · sts:AssumeRoleWithWebIdentity | 0 | ✓ migrated |
| api-ci | GCP prod | Workload Identity Federation | 0 | ✓ migrated |
| billing-ci | AWS prod | OIDC | 0 | ✓ migrated |
| mobile-ci | App Store Connect | JWT (short-lived) | 0 | n/a |
| legacy-etl | AWS staging | static key | 1 | 30 Apr 2026 |
| vendor-sync | Azure storage | SAS token · 90d | 1 | 15 May 2026 |
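OIDC-only is only as good as the role trust policy on the cloud side: a policy that accepts the GitHub provider without pinning the audience and the `sub` claim lets any repository on GitHub assume the role. The block below is an added example for this page, not the product's check: it audits an IAM role trust policy for GitHub Actions and reports a missing or wrong `aud` condition, a missing `sub` condition, a `sub` that is not pinned to one repository, and a `sub` whose ref pattern allows any branch. The account id, role shape and both sample policies are constructed (the account id is the one AWS uses in its own documentation).

```python
"""Audit an IAM role trust policy intended for GitHub Actions OIDC. Added
example for this page, not the product's check; sample policies constructed."""
GH_ISSUER = "token.actions.githubusercontent.com"


def audit_trust_policy(policy):
    """Findings (empty list = acceptable) for each web-identity Allow statement."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        fed = st.get("Principal", {}).get("Federated", "")
        if not fed.endswith(f"oidc-provider/{GH_ISSUER}"):
            findings.append(f"federated principal is not the GitHub OIDC provider: {fed!r}")
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{GH_ISSUER}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
        sub = None
        for op in ("StringEquals", "StringLike"):
            sub = cond.get(op, {}).get(f"{GH_ISSUER}:sub", sub)
        if sub is None:
            findings.append("no sub condition: any GitHub repository could assume this role")
            continue
        for s in ([sub] if isinstance(sub, str) else sub):
            parts = s.split(":")            # repo:<org>/<name>:ref:refs/heads/main
            if len(parts) < 3 or parts[0] != "repo" or "*" in parts[1]:
                findings.append(f"sub {s!r} is not pinned to one repository")
            elif parts[2] == "ref" and s.endswith("*"):
                findings.append(f"sub {s!r} allows any branch/tag; pin a ref or an environment")
    return findings


PROVIDER = "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"

WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {f"{GH_ISSUER}:sub": "repo:acme/*"}}}]}

GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{GH_ISSUER}:aud": "sts.amazonaws.com",
        f"{GH_ISSUER}:sub": "repo:acme/platform:ref:refs/heads/main"}}}]}

if __name__ == "__main__":
    for label, pol in (("weak", WEAK), ("good", GOOD)):
        print(label, audit_trust_policy(pol) or "ok")
```

On the workflow side the job needs `permissions: id-token: write` for GitHub to mint the token at all, and the `sub` value GitHub issues depends on how the job runs (`ref:refs/heads/...` for a branch, `environment:<name>` when a deployment environment is used, `pull_request` for PR-triggered runs), so the trust policy and the workflow trigger have to be designed together.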
📌 Dependency Pinning + Lockfile Verify (T133)
Fail-build on unpinned. Renovatebot for controlled upgrades. Typosquat-name scan on every install.
| Ecosystem | Repos | Pinned + lock-verified | Typosquat hits (30d) | Status |
|---|---|---|---|---|
| npm / pnpm | 142 | 100% | 2 (reactt, lodahs) · blocked | CLEAN |
| pip / poetry | 68 | 100% | 1 (beautifulsoup) · blocked | CLEAN |
| go modules | 42 | 100% | 0 | CLEAN |
| cargo | 14 | 100% | 0 | CLEAN |
| maven | 8 | 88% | 0 | 2 SNAPSHOT deps |
| container images | 212 | 100% by digest | 1 (nginxproxy) · blocked | CLEAN |
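The table above and the "digest-pinning verified" line in the Container Analyzer section are the same install-time gate seen from two ecosystems. The block below is an added example for this page, not the product's scanner: it verifies that `requirements.txt` entries are pinned with `==`, flags names within a small edit distance of a popular package (using optimal string alignment distance so that a transposition such as `lodahs` counts as one edit), and checks that every Dockerfile `FROM` references an image by `@sha256:` digest, skipping `scratch` and named build stages. The "popular package" sets are tiny constructed stand-ins for a real download-ranking feed, and the digest in the sample Dockerfile is a placeholder.

```python
"""Install-time pinning and typosquat gate for lockfiles and Dockerfiles.
Added example for this page, not the product's scanner; the popular-package
lists are constructed stand-ins for a download-ranking feed."""
import re

POPULAR_NPM = {"react", "lodash", "express", "axios"}              # constructed
POPULAR_PYPI = {"requests", "beautifulsoup4", "numpy", "urllib3"}  # constructed
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I)
STAGE_RE = re.compile(r"\bAS\s+(\S+)", re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)==\S+")


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so lodahs -> lodash costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def typosquat_suspects(name, popular, max_dist=2):
    """Popular names within max_dist edits of `name`; an exact match is fine."""
    n = name.lower()
    return sorted(p for p in popular if p != n and osa_distance(n, p) <= max_dist)


def check_dockerfile(text):
    """(line, ref, reason) for FROM lines not pinned by digest; tags move, digests do not."""
    out, stages = [], set()
    for i, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.lower() != "scratch" and ref not in stages and not DIGEST_RE.search(ref):
            out.append((i, ref, "unpinned (no @sha256 digest)"))
        s = STAGE_RE.search(line)
        if s:
            stages.add(s.group(1))
    return out


def check_requirements(text, popular=POPULAR_PYPI):
    """(line, item, reason) for unpinned entries and likely typosquats."""
    out = []
    for i, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = PIN_RE.match(line)
        if not m:
            out.append((i, line, "not pinned with =="))
            continue
        sus = typosquat_suspects(m.group(1), popular)
        if sus:
            out.append((i, m.group(1), f"looks like {', '.join(sus)}: possible typosquat"))
    return out


# Constructed samples; the digest below is a placeholder, not a real image.
DOCKERFILE = """FROM python:3.12-slim AS builder
RUN pip install .
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /app /app
"""
REQUIREMENTS = "requests==2.31.0\nbeautifulsoup==4.0  # typo for beautifulsoup4\nnumpy>=1\n"

if __name__ == "__main__":
    print(check_dockerfile(DOCKERFILE))
    print(check_requirements(REQUIREMENTS))
    print(typosquat_suspects("lodahs", POPULAR_NPM), typosquat_suspects("reactt", POPULAR_NPM))
```

A digest pin is only half of the container row in the table; the other half is re-resolving the digest through a controlled update (Renovate, as the section says) so that pinning does not quietly become "never patched".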