CloudBees platform integrates third-party security tools, such as SAST or DAST scanners, for use in implicit security assessments. These tools are activated and reviewed from the Marketplace.
The Marketplace can be accessed at organization level, or at component level. Enable or disable tools at organization level, and review the status of each tool at component level.
To access the Marketplace:
- Select an organization. Optionally, select a component.
- Select .
- Select to filter tools by Category, Tags, or Tooling, or clear all filters.
- Search for a security tool.
- Select to toggle implicit security assessment. Disabling implicit security assessment turns off automatic security analysis for all the components associated with the selected organization and its sub-organizations.
- Select to enable or disable security tools. This can only be done at organization level.
Only users with the Admin user role in the organization can enable or disable security tools.
Organization hierarchy and override records
Enabling or disabling a security tool, or implicit security assessment, is done at the organization level. Changes made to the root organization affect all of its child organizations. Below root-organization level, changes made to an organization create an override record, such that changes to its parent won’t affect that organization.
For example, in the image below, enabling a security tool for the Root organization would enable it for all three child organizations. If you then disabled it for Child organization 1, it would also disable it for Child organization 3.
Activating a different security tool for Child organization 1 would activate it for Child organization 3, unless that tool had already been deactivated for Child organization 3, which would have created an override record.

Disabling a security tool for the root organization disables it for all child organizations, irrespective of override records.
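The cascade and override rules above, replayed in a small model (an added example, not CloudBees code). Because the image is not reproduced here, the hierarchy Root → Child 1 → Child 3 and Root → Child 2 is an assumption inferred from the text, and the tool names are taken from the tables below.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed hierarchy (child -> parent, None for the root). The page's image is not
# reproduced here, so Root -> Child 1 -> Child 3 and Root -> Child 2 is an assumption.
PARENT: Dict[str, Optional[str]] = {
    "Root": None, "Child 1": "Root", "Child 2": "Root", "Child 3": "Child 1",
}


def descendants(org: str) -> List[str]:
    """Every organization below `org`, at any depth."""
    direct = [child for child, parent in PARENT.items() if parent == org]
    return direct + [d for child in direct for d in descendants(child)]


class ToolState:
    """Per-organization tool enablement plus the override records created below the root."""

    def __init__(self) -> None:
        self.enabled: Dict[Tuple[str, str], bool] = {}  # (org, tool) -> on/off, default off
        self.overrides: Set[Tuple[str, str]] = set()     # (org, tool) pairs with an override record

    def is_enabled(self, org: str, tool: str) -> bool:
        return self.enabled.get((org, tool), False)

    def set_tool(self, org: str, tool: str, on: bool) -> None:
        self.enabled[(org, tool)] = on
        at_root = PARENT[org] is None
        if not at_root:
            # A change below the root records an override, so later parent changes skip this org.
            self.overrides.add((org, tool))
        for child in descendants(org):
            # Disabling at the root cascades to every child irrespective of override records;
            # any other change cascades only to children without an override for this tool.
            if (at_root and not on) or (child, tool) not in self.overrides:
                self.enabled[(child, tool)] = on


def walkthrough() -> Dict[str, bool]:
    """Replays the scenario described in the text and returns the resulting states."""
    s = ToolState()
    s.set_tool("Root", "Gitleaks", True)      # enabled for all three child organizations
    s.set_tool("Child 1", "Gitleaks", False)  # also disables it for Child 3, which sits under Child 1
    s.set_tool("Child 3", "Trivy", False)     # override record on Child 3 for Trivy
    s.set_tool("Child 1", "Trivy", True)      # reaches Child 1 only; Child 3 keeps its override
    s.set_tool("Child 2", "Gosec", True)      # override record on Child 2 for Gosec
    s.set_tool("Root", "Gosec", False)        # root-level disable wins over that override
    return {
        "child2_gitleaks": s.is_enabled("Child 2", "Gitleaks"),  # True
        "child3_gitleaks": s.is_enabled("Child 3", "Gitleaks"),  # False
        "child1_trivy": s.is_enabled("Child 1", "Trivy"),        # True
        "child3_trivy": s.is_enabled("Child 3", "Trivy"),        # False
        "child2_gosec": s.is_enabled("Child 2", "Gosec"),        # False
    }
```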
Available security tools
The following security tools can currently be configured on the CloudBees platform:
Code security scanners
| Security tool | Description | Supported languages | Explicit or implicit | Scan type | Installation type |
|---|---|---|---|---|---|
| Black Duck SCA | Scans open-source dependencies for known vulnerabilities and license risks. | | Explicit | Code | Both single- and multi-tenant |
| Checkov | Scans cloud infrastructure configurations, including Terraform and CloudFormation scripts. | | Implicit | Code | Both single- and multi-tenant |
| Coverity on Polaris | Enterprise-grade static analysis for code security and quality. | | Explicit | Code | Both single- and multi-tenant |
| Gitleaks | Scans Git repositories for sensitive content, such as credentials. | N/A (language agnostic) | Implicit | Code | Both single- and multi-tenant |
| Gosec | An open source Golang security scanner. | | Implicit | Code | Both single- and multi-tenant |
| Njsscan | An open source Node.js security scanner. | | Implicit | Code | Both single- and multi-tenant |
| SCC Scanner | An application software language analyzer. SCC Scanner is enabled on the CloudBees platform by default. | | Implicit | Code | Single-tenant |
| SonarQube | Detects bugs, code smells, and security vulnerabilities across multiple languages. | | Explicit | Code | Both single- and multi-tenant |
Binary security scanners
| Security tool | Description | Supported languages | Explicit or implicit | Scan type | Installation type |
|---|---|---|---|---|---|
| FindSecBugs | An open source Java security scanner. Used in CloudBees to scan binary | | Implicit | Binary | Both single- and multi-tenant |
| Grype | A vulnerability scanner for container images, SBOMs, and file systems. | | Implicit | Binary | Both single- and multi-tenant |
| Syft SBOM | Generates software bills of materials (SBOMs) from containers and binaries. | | Implicit | Binary | Both single- and multi-tenant |
| Trivy | A Docker image scanner that supports OS packages and language-specific dependencies. | | Implicit | Binary | Both single- and multi-tenant |