Security scanner reference


This reference provides technical specifications, input parameters, and usage examples for all security scanning tools available in CloudBees Unify. Use this page to look up configuration details, input requirements, and implementation examples when configuring security scanners in your workflows or ASPM settings. Pass credentials (tokens, passwords, API keys) to scanners as workflow secrets, ${{ secrets.NAME }}, as the usage examples do, never as literal values in the workflow file.

The following scanners can be configured in CloudBees Unify:

SAST scanners

Static Application Security Testing (SAST) scanners analyze source code without executing it to identify potential security vulnerabilities, coding errors, and adherence to security best practices.

SonarQube bundled

Use this scanner to analyze Git repositories with a headless SonarQube instance when you do not have a centralized SonarQube installation.

If you are already running a centralized SonarQube instance, use the SonarQube plugin version instead.

Inputs

Table 1. SonarQube bundled input details
Input name | Data type | Required? | Description
sonar-exclusion | String | No | SonarQube exclusion pattern; matching files are excluded from the analysis.
sonar-inclusion | String | No | SonarQube inclusion pattern; only matching files are analyzed.
sonar-project-key | String | No | SonarQube project key for the analysis.
language | String | No | The language of your Git repository code base. Refer to Supported languages.
working-directory | String | No | The directory to run the SonarQube analysis from.
coverage-file | String | No | Path to the code coverage file.
unit-test-command | String | No | Command to run unit tests to generate coverage.

Supported languages

SonarQube supports 25+ programming languages including Java, C#, JavaScript, TypeScript, Python, Go, PHP, C/C++, and many others.

Usage example

- name: Scan with SonarQube bundled
  uses: https://github.com/cloudbees-io/sonarqube-bundled-sast-scan-code@v1
  with:
    sonar-exclusion: "**/*.test.js,**/node_modules/**"
    language: "LANGUAGE_JS"
    coverage-file: "coverage/lcov.info"

SonarQube plugin

Use this scanner to integrate with an existing centralized SonarQube installation for enterprise-wide code quality and security analysis.

Inputs

Table 2. SonarQube plugin input details
Input name | Data type | Required? | Description
server-url | String | Yes | The SonarQube server URL.
username | String | Yes | The SonarQube username, or a SonarQube token.
password | String | Yes | The SonarQube password, or a SonarQube token.
sonar-project-key | String | No | SonarQube project key for the analysis.
language | String | No | The language of your Git repository code base.
working-directory | String | No | The directory to run the SonarQube analysis from.

Usage example

- name: Scan with SonarQube plugin
  uses: https://github.com/cloudbees-io/sonarqube-plugin@v1
  with:
    server-url: ${{ vars.SONARQUBE_SERVER_URL }}
    username: ${{ secrets.SONARQUBE_USERNAME }}
    password: ${{ secrets.SONARQUBE_PASSWORD }}
    sonar-project-key: "my-project-key"

Snyk SAST

Use this scanner to analyze Git repositories with Snyk’s static application security testing engine for comprehensive multi-language security analysis.

Inputs

Table 3. Snyk SAST input details
Input name | Data type | Required? | Description
orgname | String | Yes | The Snyk organization name.
token | String | Yes | The Snyk client secret.
language | String | No | The language of your Git repository code base. Refer to Supported languages.

Supported languages

Table 4. Snyk SAST supported languages
Supported language | Input format
C | LANGUAGE_C
C++ | LANGUAGE_C+
C# | LANGUAGE_C#
Go | LANGUAGE_GO
Java | LANGUAGE_JAVA
JavaScript | LANGUAGE_JS
PHP | LANGUAGE_PHP
Python | LANGUAGE_PYTHON
Ruby | LANGUAGE_RUBY
TypeScript | LANGUAGE_TYPESCRIPT

Usage example

- name: Scan with Snyk SAST
  uses: https://github.com/cloudbees-io/snyk-sast-scan-code@v1
  with:
    orgname: "your_snyk_organization"
    token: ${{ secrets.SNYK_SECRET }}
    language: "LANGUAGE_JS"

Mend SAST

Use this scanner to analyze Git repositories with Mend’s static application security testing engine for security-focused code analysis with remediation guidance.

Inputs

Table 5. Mend SAST input details
Input name | Data type | Required? | Description
server-url | String | Yes | The Mend server URL.
token | String | Yes | The Mend client secret.
language | String | No | The language of your Git repository code base. Refer to Supported languages.

Supported languages

Table 6. Mend SAST supported languages
Supported language | Input format
Go | LANGUAGE_GO
Java | LANGUAGE_JAVA
JavaScript | LANGUAGE_JS
Python | LANGUAGE_PYTHON

Usage example

- name: Scan with Mend SAST
  uses: https://github.com/cloudbees-io/mend-sast-scan-code@v1
  with:
    server-url: ${{ vars.MEND_SERVER_URL }}
    token: ${{ secrets.MEND_SECRET }}
    language: "LANGUAGE_PYTHON"

Nexus IQ SAST

Use this scanner to analyze Git repositories with Sonatype Nexus IQ for enterprise policy-driven security analysis and governance.

Inputs

Table 7. Nexus IQ SAST input details
Input name | Data type | Required? | Description
server-url | String | Yes | The Nexus IQ server URL.
username | String | Yes | The Nexus IQ username.
password | String | Yes | The Nexus IQ password.
application-id | String | Yes | The Nexus IQ application ID.
stage | String | No | The Nexus IQ stage for the scan (default: build).

Usage example

- name: Scan with Nexus IQ SAST
  uses: https://github.com/cloudbees-io/nexusiq-sast-scan-code@v1
  with:
    server-url: ${{ vars.NEXUS_IQ_SERVER_URL }}
    username: ${{ secrets.NEXUS_IQ_USERNAME }}
    password: ${{ secrets.NEXUS_IQ_PASSWORD }}
    application-id: "my-application-id"
    stage: "build"

GitHub Advanced Security

Use this scanner to integrate with GitHub Advanced Security for native GitHub security scanning capabilities.

Scanning of private GitHub repositories is not supported.

Prerequisites

A personal access token with read-only permission is required to read security alerts from the public repository. Security alerts must be enabled for your repository.

To enable security alerts, refer to the following GitHub documentation:
* Configuring Dependabot alerts
* Enabling secret scanning for your repository
* Configuring default setup for code scanning

To create a fine-grained personal access token, refer to the GitHub documentation.

CloudBees recommends configuring the fine-grained token with read-only access to Dependabot, Code scanning, and Secret scanning alerts, with read-only repository access.
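
Before wiring the token into the scanner, it is worth confirming that it can actually read all three alert feeds, since a fine-grained token that is missing one permission, or a repository where one feature is not enabled, produces an empty or partial result rather than a clear configuration error. The following script is an added example for this reference, not CloudBees code: it calls the public GitHub REST alert endpoints for Dependabot, code scanning, and secret scanning with the token and reports a verdict per feed. It assumes the caller supplies GITHUB_TOKEN and GITHUB_REPOSITORY (in owner/repo form) as environment variables; the endpoint paths and header names are those of the GitHub REST API.

```python
"""Check that a fine-grained GitHub token can read the alert feeds the GitHub
Advanced Security scanner consumes.

Added example for this reference; it is not CloudBees code. Assumptions: the
GITHUB_TOKEN and GITHUB_REPOSITORY ("owner/repo") environment variables are
supplied by the caller; endpoint paths and headers are those of the public
GitHub REST API.
"""
import os
import sys
import urllib.error
import urllib.request

API_BASE = "https://api.github.com"

# One endpoint per alert feed the scanner reads (paths under /repos/{owner}/{repo}/).
ALERT_FEEDS = {
    "Dependabot alerts": "dependabot/alerts",
    "Code scanning alerts": "code-scanning/alerts",
    "Secret scanning alerts": "secret-scanning/alerts",
}


def classify(status):
    """Translate the HTTP status of an alerts request into a human-readable verdict."""
    if status == 200:
        return "ok"
    if status == 401:
        return "token rejected (invalid or expired)"
    if status == 403:
        return "forbidden (token lacks the alert permission, or the feature is not enabled)"
    if status == 404:
        return "not found (alerts not enabled, or the repository is not visible to this token)"
    return f"unexpected HTTP {status}"


def fetch_status(repo, path, token):
    """Issue a minimal authenticated GET and return only the HTTP status code."""
    request = urllib.request.Request(
        f"{API_BASE}/repos/{repo}/{path}?per_page=1",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    try:
        with urllib.request.urlopen(request, timeout=15) as response:
            return response.status
    except urllib.error.HTTPError as error:
        return error.code


def check_token(repo, token, fetch=fetch_status):
    """Return {feed name: verdict} for every alert feed.

    `fetch` is injectable so the verdict logic can be exercised offline with
    canned status codes instead of live API calls.
    """
    return {feed: classify(fetch(repo, path, token)) for feed, path in ALERT_FEEDS.items()}


def all_readable(results):
    """True only when every feed answered 200."""
    return all(verdict == "ok" for verdict in results.values())


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    repo = os.environ.get("GITHUB_REPOSITORY")
    if not token or not repo:
        sys.exit("set GITHUB_TOKEN and GITHUB_REPOSITORY (owner/repo) before running")
    results = check_token(repo, token)
    for feed, verdict in results.items():
        print(f"{feed:<24} {verdict}")
    sys.exit(0 if all_readable(results) else 1)
```

The script exits non-zero unless all three feeds return 200, so it can gate the workflow change that adds the scanner. A 403 or 404 on a single feed usually means either the fine-grained token was created without that alert permission or the corresponding feature has not been enabled on the repository, which are the two prerequisites listed above.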

Inputs

Table 8. GitHub Advanced Security input details
Input name | Data type | Required? | Description
token | String | Yes | The GitHub fine-grained personal access token described in Prerequisites.
language | String | No | The language of your Git repository code base. Refer to Supported languages.
github-url | String | No | The GitHub URL of the repository to be scanned.
branch-name | String | No | The branch in your repository to be scanned.

Supported languages

Table 9. GitHub Advanced Security supported languages
Supported language | Input format
Go | LANGUAGE_GO
Java | LANGUAGE_JAVA

Usage example

- name: Scan with GitHub Advanced Security
  uses: https://github.com/cloudbees-io/github-security-sast-scan-code@v1
  with:
    token: ${{ secrets.GITHUB_SECRET }}
    language: "LANGUAGE_JAVA"

Gosec

Use this scanner for specialized Go security analysis to identify Go-specific security vulnerabilities and coding issues.

Inputs

Table 10. Gosec input details
Input name | Data type | Required? | Description
exclude-dirs | String | No | Comma-separated list of directories to exclude from scanning.
exclude-rules | String | No | Comma-separated list of rule IDs to exclude from scanning.

Usage example

- name: Scan with Gosec
  uses: https://github.com/cloudbees-io/gosec-plugin@v1
  with:
    exclude-dirs: "vendor,third_party"
    exclude-rules: "G101,G102"

FindSecBugs

Use this scanner for specialized Java security analysis to identify Java-specific security vulnerabilities and coding patterns.

Inputs

Table 11. FindSecBugs input details
Input name | Data type | Required? | Description
exclude-filter | String | No | Path to an XML filter file listing bug patterns to exclude.
include-filter | String | No | Path to an XML filter file listing bug patterns to include.

Usage example

- name: Scan with FindSecBugs
  uses: https://github.com/cloudbees-io/findsecbugs-hybrid-plugin@v1
  with:
    exclude-filter: "findsecbugs-exclude.xml"

njsscan

Use this scanner for specialized Node.js security analysis to identify Node.js-specific security vulnerabilities and patterns.

Inputs

Table 12. njsscan input details
Input name | Data type | Required? | Description
exclude-paths | String | No | Comma-separated list of file paths to exclude from scanning.
exclude-rules | String | No | Comma-separated list of rule IDs to exclude from scanning.

Usage example

- name: Scan with njsscan
  uses: https://github.com/cloudbees-io/njsscan-hybrid-plugin@v1
  with:
    exclude-paths: "node_modules,dist"
    exclude-rules: "node_crypto_weak_random"

Checkmarx SAST

Use this scanner for enterprise-grade static application security testing with comprehensive language support and advanced security analysis capabilities.

Inputs

Table 13. Checkmarx SAST input details
Input name | Data type | Required? | Description
server-url | String | Yes | The Checkmarx server URL.
username | String | Yes | The Checkmarx username.
password | String | Yes | The Checkmarx password.
project-name | String | Yes | The Checkmarx project name for the scan.
team-name | String | No | The Checkmarx team name (default: CxServer).

Usage example

- name: Scan with Checkmarx SAST
  uses: https://github.com/cloudbees-io/checkmarx-sast-scan-code@v1
  with:
    server-url: ${{ vars.CHECKMARX_SERVER_URL }}
    username: ${{ secrets.CHECKMARX_USERNAME }}
    password: ${{ secrets.CHECKMARX_PASSWORD }}
    project-name: "my-application"
    team-name: "Development Team"

Checkov

Use this scanner for Infrastructure as Code (IaC) security analysis to identify misconfigurations in Terraform, Kubernetes, CloudFormation, and Docker files.

Inputs

Table 14. Checkov input details
Input name | Data type | Required? | Description
file-path | String | No | Path to the file or directory to scan.
framework | String | No | IaC framework to scan (terraform, kubernetes, cloudformation, etc.).
skip-check | String | No | Comma-separated list of check IDs to skip.

Usage example

- name: Scan with Checkov
  uses: https://github.com/cloudbees-io/checkov-hybrid-plugin@v1
  with:
    file-path: "infrastructure/"
    framework: "terraform"
    skip-check: "CKV_AWS_20,CKV_AWS_57"

DAST scanners

Dynamic Application Security Testing (DAST) scanners test running web applications from an external perspective to identify security vulnerabilities in deployed environments.

StackHawk

Use this scanner for modern DAST with developer-focused integration and comprehensive web application security testing capabilities.

Inputs

Table 15. StackHawk input details
Input name | Data type | Required? | Description
api-key | String | Yes | The StackHawk API key.
app-id | String | Yes | The StackHawk application ID.
env | String | No | The environment name for the scan.
config-file | String | No | Path to the StackHawk configuration file.

Usage example

- name: Scan with StackHawk
  uses: https://github.com/cloudbees-io/stackhawk-dast-scan-environment@v1
  with:
    api-key: ${{ secrets.STACKHAWK_API_KEY }}
    app-id: "your-app-id"
    env: "production"

ZAP (OWASP)

Use this scanner for open-source web application security testing with the OWASP Zed Attack Proxy.

Inputs

Table 16. ZAP input details
Input name | Data type | Required? | Description
target-url | String | Yes | The target URL to scan.
scan-type | String | No | Type of scan to perform (baseline, full).
context-file | String | No | Path to the ZAP context configuration file.
exclude-rules | String | No | Comma-separated list of rule IDs to exclude.

Usage example

- name: Scan with ZAP
  uses: https://github.com/cloudbees-io/zap-dast-scan-environment@v1
  with:
    target-url: "https://your-application.com"
    scan-type: "baseline"

Container scanners

Container security scanners analyze container images and their components to identify security vulnerabilities, misconfigurations, and compliance issues.

Anchore

Use this scanner for comprehensive container image security analysis with detailed vulnerability assessment and policy enforcement.

Inputs

Table 17. Anchore input details
Input name | Data type | Required? | Description
image-location | String | Yes | The container image location to scan.
username | String | No | The Anchore username for authentication.
password | String | No | The Anchore password for authentication.

Usage example

- name: Scan with Anchore
  uses: https://github.com/cloudbees-io/anchore-scan-container@v1
  with:
    image-location: "your-registry/your-image:latest"

Aqua Security

Use this scanner for enterprise container security with advanced threat detection and compliance monitoring capabilities.

Inputs

Table 18. Aqua Security input details
Input name | Data type | Required? | Description
image-location | String | Yes | The container image location to scan.
aqua-key | String | Yes | The Aqua Security API key.
aqua-secret | String | Yes | The Aqua Security API secret.
registry | String | No | The container registry URL.

Usage example

- name: Scan with Aqua Security
  uses: https://github.com/cloudbees-io/aquasec-scan-container@v1
  with:
    image-location: "your-registry/your-image:latest"
    aqua-key: ${{ secrets.AQUA_KEY }}
    aqua-secret: ${{ secrets.AQUA_SECRET }}

JFrog Xray

Use this scanner for artifact-focused container security analysis integrated with JFrog’s DevSecOps platform.

Inputs

Table 19. JFrog Xray input details
Input name | Data type | Required? | Description
image-location | String | Yes | The container image location to scan.
server-url | String | Yes | The JFrog Xray server URL.
username | String | Yes | The JFrog username.
password | String | Yes | The JFrog password or API token.

Usage example

- name: Scan with JFrog Xray
  uses: https://github.com/cloudbees-io/jfrog-xray-scan-container@v1
  with:
    image-location: "your-registry/your-image:latest"
    server-url: ${{ vars.JFROG_SERVER_URL }}
    username: ${{ secrets.JFROG_USERNAME }}
    password: ${{ secrets.JFROG_PASSWORD }}

Snyk Container

Use this scanner for developer-friendly container security analysis with detailed vulnerability information and remediation guidance.

Inputs

Table 20. Snyk Container input details
Input name | Data type | Required? | Description
orgname | String | Yes | The Snyk organization name.
token | String | Yes | The Snyk client secret.
image-location | String | Yes | The container image location to scan.

Usage example

- name: Scan with Snyk Container
  uses: https://github.com/cloudbees-io/snyk-scan-container@v1
  with:
    orgname: "your_snyk_organization"
    token: ${{ secrets.SNYK_SECRET }}
    image-location: "your-registry/your-image:latest"

Nexus IQ Container

Use this scanner for enterprise container security analysis with policy enforcement and governance capabilities.

Inputs

Table 21. Nexus IQ Container input details
Input name | Data type | Required? | Description
image-location | String | Yes | The container image location to scan.
server-url | String | Yes | The Nexus IQ server URL.
username | String | Yes | The Nexus IQ username.
password | String | Yes | The Nexus IQ password.
application-id | String | Yes | The Nexus IQ application ID.

Usage example

- name: Scan with Nexus IQ Container
  uses: https://github.com/cloudbees-io/nexusiq-scan-container@v1
  with:
    image-location: "your-registry/your-image:latest"
    server-url: ${{ vars.NEXUS_IQ_SERVER_URL }}
    username: ${{ secrets.NEXUS_IQ_USERNAME }}
    password: ${{ secrets.NEXUS_IQ_PASSWORD }}
    application-id: "my-application-id"

Trivy

Use this scanner for fast, comprehensive container image scanning with support for vulnerabilities, secrets, and misconfigurations.

Inputs

Table 22. Trivy input details
Input name | Data type | Required? | Description
image-location | String | Yes | The container image location to scan.
scan-type | String | No | Comma-separated list of scan types to perform (vuln, secret, config).
severity | String | No | Comma-separated list of severities to include (LOW,MEDIUM,HIGH,CRITICAL).

Usage example

- name: Scan with Trivy
  uses: https://github.com/cloudbees-io/trivy-plugin@v1
  with:
    image-location: "your-registry/your-image:latest"
    scan-type: "vuln,secret"
    severity: "HIGH,CRITICAL"

SCA scanners

Software Composition Analysis (SCA) scanners analyze project dependencies to identify known security vulnerabilities, license compliance issues, and outdated components.

Black Duck

Use this scanner for comprehensive open source security and license compliance analysis with extensive vulnerability database coverage.

Inputs

Table 23. Black Duck input details
Input name | Data type | Required? | Description
server-url | String | Yes | The Black Duck server URL.
username | String | Yes | The Black Duck username.
password | String | Yes | The Black Duck password.
project-name | String | Yes | The Black Duck project name.
project-version | String | No | The Black Duck project version.

Usage example

- name: Scan with Black Duck
  uses: https://github.com/cloudbees-io/blackduck-sca-scan-dependency@v1
  with:
    server-url: ${{ vars.BLACKDUCK_SERVER_URL }}
    username: ${{ secrets.BLACKDUCK_USERNAME }}
    password: ${{ secrets.BLACKDUCK_PASSWORD }}
    project-name: "my-application"
    project-version: "1.0.0"

Mend SCA

Use this scanner for software composition analysis with focus on open source security, license compliance, and dependency management.

Inputs

Table 24. Mend SCA input details
Input name | Data type | Required? | Description
server-url | String | Yes | The Mend server URL.
token | String | Yes | The Mend client secret.
product-name | String | Yes | The Mend product name.
project-name | String | No | The Mend project name.

Usage example

- name: Scan with Mend SCA
  uses: https://github.com/cloudbees-io/mend-sca-scan-dependency@v1
  with:
    server-url: ${{ vars.MEND_SERVER_URL }}
    token: ${{ secrets.MEND_SECRET }}
    product-name: "my-product"
    project-name: "my-project"

Snyk SCA

Use this scanner for developer-friendly dependency analysis with detailed vulnerability information and automated fix suggestions.

Inputs

Table 25. Snyk SCA input details
Input name | Data type | Required? | Description
orgname | String | Yes | The Snyk organization name.
token | String | Yes | The Snyk client secret.
language | String | No | The language of your project dependencies.

Usage example

- name: Scan with Snyk SCA
  uses: https://github.com/cloudbees-io/snyk-sca-scan-dependency@v1
  with:
    orgname: "your_snyk_organization"
    token: ${{ secrets.SNYK_SECRET }}
    language: "javascript"

Secret scanners

Secret scanning tools analyze code repositories, containers, and other artifacts to identify accidentally committed secrets, API keys, passwords, and other sensitive information.

Gitleaks

Use this scanner for fast, comprehensive secret detection in Git repositories with support for custom patterns and rules.

Inputs

Table 26. Gitleaks input details
Input name | Data type | Required? | Description
config-file | String | No | Path to a custom Gitleaks configuration file.
exclude-paths | String | No | Comma-separated list of file paths to exclude from scanning.
log-level | String | No | Logging level (trace, debug, info, warn, error, fatal).

Usage example

- name: Scan with Gitleaks
  uses: https://github.com/cloudbees-io/gitleaks-plugin@v1
  with:
    exclude-paths: "node_modules,dist"
    log-level: "info"

TruffleHog Code

Use this scanner for comprehensive secret detection in source code with advanced entropy analysis and custom pattern matching.

Inputs

Table 27. TruffleHog Code input details
Input name | Data type | Required? | Description
base-ref | String | No | Git reference to compare against for diff scanning.
max-depth | String | No | Maximum depth for commit history scanning.
exclude-paths | String | No | Comma-separated list of file paths to exclude from scanning.

Usage example

- name: Scan with TruffleHog Code
  uses: https://github.com/cloudbees-io/trufflehog-secret-scan-code@v1
  with:
    base-ref: "main"
    max-depth: "100"
    exclude-paths: "*.log,*.tmp"

TruffleHog Container

Use this scanner for secret detection in container images, including environment variables, file systems, and embedded credentials.

Inputs

Table 28. TruffleHog Container input details
Input name | Data type | Required? | Description
image-location | String | Yes | The container image location to scan.
exclude-paths | String | No | Comma-separated list of file paths to exclude from scanning.
log-level | String | No | Logging level (trace, debug, info, warn, error, fatal).

Usage example

- name: Scan with TruffleHog Container
  uses: https://github.com/cloudbees-io/trufflehog-secret-scan-container@v1
  with:
    image-location: "your-registry/your-image:latest"
    exclude-paths: "/tmp,/var/log"
    log-level: "info"

TruffleHog S3

Use this scanner for secret detection in Amazon S3 buckets, including files, metadata, and access logs. Grant the AWS credentials you supply read-only access to the bucket being scanned, and nothing more.

Inputs

Table 29. TruffleHog S3 input details
Input name | Data type | Required? | Description
bucket-name | String | Yes | The S3 bucket name to scan.
aws-access-key-id | String | Yes | The AWS access key ID for authentication.
aws-secret-access-key | String | Yes | The AWS secret access key for authentication.
region | String | No | The AWS region (default: us-east-1).

Usage example

- name: Scan with TruffleHog S3
  uses: https://github.com/cloudbees-io/trufflehog-secret-scan-s3@v1
  with:
    bucket-name: "my-s3-bucket"
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    region: "us-west-2"

IaC scanners

Infrastructure as Code (IaC) scanners analyze infrastructure configuration files to identify security misconfigurations, compliance violations, and best practice deviations.

Snyk IaC

Use this scanner for comprehensive Infrastructure as Code security analysis with support for Terraform, Kubernetes, CloudFormation, and other IaC frameworks.

Inputs

Table 30. Snyk IaC input details
Input name | Data type | Required? | Description
orgname | String | Yes | The Snyk organization name.
token | String | Yes | The Snyk client secret.
file-path | String | No | Path to the IaC file or directory to scan.
severity-threshold | String | No | Minimum severity level to report (low, medium, high, critical).

Usage example

- name: Scan with Snyk IaC
  uses: https://github.com/cloudbees-io/snyk-iac-scan@v1
  with:
    orgname: "your_snyk_organization"
    token: ${{ secrets.SNYK_SECRET }}
    file-path: "infrastructure/"
    severity-threshold: "high"
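
Every scanner above has the same failure modes in practice: a required input left out, a credential pasted as a literal instead of a ${{ secrets.NAME }} reference, or a `uses:` line without a version ref. The following lint is an added example for this reference, not CloudBees code and not part of any cloudbees-io action. It encodes the "Required? Yes" inputs from the tables on this page and checks each scanner step for those three defects. It assumes the workflow's `steps:` list has already been loaded into Python dicts; the sample steps embedded at the bottom are constructed for the example, so it runs offline with no YAML library.

```python
"""Pre-flight lint for CloudBees Unify security scanner steps.

Added example for this reference; it is not CloudBees code and not part of any
cloudbees-io action. It checks that every scanner step (1) pins a version ref
in `uses`, (2) supplies all inputs marked required on this page, and (3) passes
credential inputs as `${{ secrets.NAME }}` references rather than literals.

Assumption: the step list is embedded below as constructed Python dicts; in a
real workflow you would first load the `steps:` list from the workflow YAML.
"""
import re

# Required inputs per scanner action, taken from the input tables on this page.
REQUIRED_INPUTS = {
    "cloudbees-io/sonarqube-plugin": {"server-url", "username", "password"},
    "cloudbees-io/snyk-sast-scan-code": {"orgname", "token"},
    "cloudbees-io/mend-sast-scan-code": {"server-url", "token"},
    "cloudbees-io/nexusiq-sast-scan-code": {"server-url", "username", "password", "application-id"},
    "cloudbees-io/github-security-sast-scan-code": {"token"},
    "cloudbees-io/checkmarx-sast-scan-code": {"server-url", "username", "password", "project-name"},
    "cloudbees-io/stackhawk-dast-scan-environment": {"api-key", "app-id"},
    "cloudbees-io/zap-dast-scan-environment": {"target-url"},
    "cloudbees-io/anchore-scan-container": {"image-location"},
    "cloudbees-io/aquasec-scan-container": {"image-location", "aqua-key", "aqua-secret"},
    "cloudbees-io/jfrog-xray-scan-container": {"image-location", "server-url", "username", "password"},
    "cloudbees-io/snyk-scan-container": {"orgname", "token", "image-location"},
    "cloudbees-io/nexusiq-scan-container": {"image-location", "server-url", "username", "password", "application-id"},
    "cloudbees-io/trivy-plugin": {"image-location"},
    "cloudbees-io/blackduck-sca-scan-dependency": {"server-url", "username", "password", "project-name"},
    "cloudbees-io/mend-sca-scan-dependency": {"server-url", "token", "product-name"},
    "cloudbees-io/snyk-sca-scan-dependency": {"orgname", "token"},
    "cloudbees-io/trufflehog-secret-scan-container": {"image-location"},
    "cloudbees-io/trufflehog-secret-scan-s3": {"bucket-name", "aws-access-key-id", "aws-secret-access-key"},
    "cloudbees-io/snyk-iac-scan": {"orgname", "token"},
}

# Inputs that carry credentials; their values must come from the workflow secret store.
SECRET_INPUTS = {
    "token", "password", "api-key", "aqua-key", "aqua-secret",
    "aws-access-key-id", "aws-secret-access-key",
}

# Accepts both "owner/repo@ref" and the full https://github.com/owner/repo@ref form.
USES_RE = re.compile(r"^(?:https://github\.com/)?(?P<repo>[\w.-]+/[\w.-]+)@(?P<ref>[\w.-]+)$")
SECRET_REF_RE = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")


def lint_step(step):
    """Return a list of findings for one step; an empty list means the step is clean."""
    name = step.get("name", "<unnamed step>")
    match = USES_RE.match(str(step.get("uses", "")))
    if not match:
        return [f"{name}: 'uses' must be <owner>/<repo>@<ref> with an explicit version ref"]
    repo = match.group("repo")
    required = REQUIRED_INPUTS.get(repo)
    if required is None:
        return [f"{name}: {repo} is not a scanner action listed in this reference"]
    with_inputs = step.get("with") or {}
    findings = [f"{name}: missing required input '{key}'"
                for key in sorted(required - set(with_inputs))]
    for key, value in with_inputs.items():
        if key in SECRET_INPUTS and not SECRET_REF_RE.match(str(value)):
            findings.append(f"{name}: '{key}' must reference ${{{{ secrets.* }}}}, not a literal value")
    return findings


def lint_steps(steps):
    """Lint every step and return all findings in workflow order."""
    return [finding for step in steps for finding in lint_step(step)]


# Constructed sample steps (not from the page): one clean, one with two defects, one unpinned.
SAMPLE_STEPS = [
    {
        "name": "Scan with Snyk SAST",
        "uses": "https://github.com/cloudbees-io/snyk-sast-scan-code@v1",
        "with": {"orgname": "your_snyk_organization",
                 "token": "${{ secrets.SNYK_SECRET }}",
                 "language": "LANGUAGE_JS"},
    },
    {
        "name": "Scan with Nexus IQ SAST",
        "uses": "https://github.com/cloudbees-io/nexusiq-sast-scan-code@v1",
        "with": {"server-url": "${{ vars.NEXUS_IQ_SERVER_URL }}",
                 "username": "${{ secrets.NEXUS_IQ_USERNAME }}",
                 "password": "hunter2"},   # literal credential, and application-id is missing
    },
    {
        "name": "Scan with Trivy",
        "uses": "cloudbees-io/trivy-plugin",   # no @ref
        "with": {"image-location": "your-registry/your-image:latest"},
    },
]

if __name__ == "__main__":
    for finding in lint_steps(SAMPLE_STEPS):
        print(finding)
```

Run against the three sample steps it reports three findings: the Nexus IQ step is missing application-id and carries a literal password, and the Trivy step has no version ref. Scanners whose inputs are all optional on this page (SonarQube bundled, Gosec, FindSecBugs, njsscan, Checkov, Gitleaks, TruffleHog Code) are deliberately absent from REQUIRED_INPUTS; add them with an empty set if you want their steps accepted rather than flagged as unknown.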