This reference provides comprehensive technical specifications, input parameters, and usage examples for all security scanning tools available in CloudBees Unify. Use this page to look up specific configuration details, input requirements, and implementation examples when configuring security scanners in your workflows or ASPM settings.
The following scanners can be configured in CloudBees Unify:
SAST scanners
Static Application Security Testing (SAST) scanners analyze source code without executing it to identify potential security vulnerabilities, coding errors, and deviations from security best practices.
SonarQube bundled
Use this scanner to analyze Git repositories with a headless SonarQube instance when you do not have a centralized SonarQube installation.
| If you are already running a centralized SonarQube instance, use the SonarQube plugin version instead. |
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | No | SonarQube exclusion pattern; matching files are excluded from the analysis. |
| | String | No | SonarQube inclusion pattern; only matching files are included in the analysis. |
| | String | No | SonarQube project key for the analysis. |
| | String | No | The language of your Git repository code base. Refer to Supported languages. |
| | String | No | The directory to run the SonarQube analysis from. |
| | String | No | Path to the code coverage file. |
| | String | No | Command to run unit tests for coverage generation. |
SonarQube plugin
Use this scanner to integrate with an existing centralized SonarQube installation for enterprise-wide code quality and security analysis.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The SonarQube server URL. |
| | String | Yes | The SonarQube username or token. |
| | String | Yes | The SonarQube password or token. |
| | String | No | SonarQube project key for the analysis. |
| | String | No | The language of your Git repository code base. |
| | String | No | The directory to run the SonarQube analysis from. |
Snyk SAST
Use this scanner to analyze Git repositories with Snyk’s static application security testing engine for comprehensive multi-language security analysis.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The Snyk organization name. |
| | String | Yes | The Snyk client secret. |
| | String | No | The language of your Git repository code base. Refer to Supported languages. |
Mend SAST
Use this scanner to analyze Git repositories with Mend’s static application security testing engine for security-focused code analysis with remediation guidance.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The Mend server URL. |
| | String | Yes | The Mend client secret. |
| | String | No | The language of your Git repository code base. Refer to Supported languages. |
Nexus IQ SAST
Use this scanner to analyze Git repositories with Sonatype Nexus IQ for enterprise policy-driven security analysis and governance.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The Nexus IQ server URL. |
| | String | Yes | The Nexus IQ username. |
| | String | Yes | The Nexus IQ password. |
| | String | Yes | The Nexus IQ application ID. |
| | String | No | The Nexus IQ stage for the scan (default: build). |
GitHub Advanced Security
Use this scanner to integrate with GitHub Advanced Security for native GitHub security scanning capabilities.
| Scanning of private GitHub repositories is not supported. |
Prerequisites
A personal access token with read-only permission is required to read security alerts from the public repository. Security alerts must be enabled for your repository.
To enable security alerts, refer to the following GitHub documentation:
* Configuring Dependabot alerts
* Enabling secret scanning for your repository
* Configuring default setup for code scanning
To create a fine-grained personal access token, refer to the GitHub documentation.
| CloudBees recommends configuring the fine-grained token with read-only access to Dependabot, Code scanning, and Secret scanning alerts, with read-only repository access. |
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The GitHub client secret. |
| | String | No | The language of your Git repository code base. Refer to Supported languages. |
| | String | No | The GitHub URL of the repository to be scanned. |
| | String | No | The branch in your repository to be scanned. |
Gosec
Use this scanner for specialized Go security analysis to identify Go-specific security vulnerabilities and coding issues.
FindSecBugs
Use this scanner for specialized Java security analysis to identify Java-specific security vulnerabilities and coding patterns.
njsscan
Use this scanner for specialized Node.js security analysis to identify Node.js-specific security vulnerabilities and patterns.
Checkmarx SAST
Use this scanner for enterprise-grade static application security testing with comprehensive language support and advanced security analysis capabilities.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| server-url | String | Yes | The Checkmarx server URL. |
| username | String | Yes | The Checkmarx username. |
| password | String | Yes | The Checkmarx password. |
| project-name | String | Yes | The Checkmarx project name for the scan. |
| team-name | String | No | The Checkmarx team name (default: CxServer). |
Usage example
```yaml
- name: Scan with Checkmarx SAST
  uses: https://github.com/cloudbees-io/checkmarx-sast-scan-code@v1
  with:
    server-url: ${{ vars.CHECKMARX_SERVER_URL }}
    username: ${{ secrets.CHECKMARX_USERNAME }}
    password: ${{ secrets.CHECKMARX_PASSWORD }}
    project-name: "my-application"
    team-name: "Development Team"
```
Checkov
Use this scanner for Infrastructure as Code (IaC) security analysis to identify misconfigurations in Terraform, Kubernetes, CloudFormation, and Docker files.
DAST scanners
Dynamic Application Security Testing (DAST) scanners test running web applications from an external perspective to identify security vulnerabilities in deployed environments.
StackHawk
Use this scanner for modern DAST with developer-focused integration and comprehensive web application security testing capabilities.
ZAP (OWASP)
Use this scanner for open-source web application security testing with the OWASP Zed Attack Proxy.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The target URL to scan. |
| | String | No | Type of scan to perform (baseline, full). |
| | String | No | Path to the ZAP context configuration file. |
| | String | No | Comma-separated list of rule IDs to exclude. |
Container scanners
Container security scanners analyze container images and their components to identify security vulnerabilities, misconfigurations, and compliance issues.
Anchore
Use this scanner for comprehensive container image security analysis with detailed vulnerability assessment and policy enforcement.
Aqua Security
Use this scanner for enterprise container security with advanced threat detection and compliance monitoring capabilities.
JFrog Xray
Use this scanner for artifact-focused container security analysis integrated with JFrog’s DevSecOps platform.
Snyk Container
Use this scanner for developer-friendly container security analysis with detailed vulnerability information and remediation guidance.
Nexus IQ Container
Use this scanner for enterprise container security analysis with policy enforcement and governance capabilities.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| image-location | String | Yes | The container image location to scan. |
| server-url | String | Yes | The Nexus IQ server URL. |
| username | String | Yes | The Nexus IQ username. |
| password | String | Yes | The Nexus IQ password. |
| application-id | String | Yes | The Nexus IQ application ID. |
Usage example
```yaml
- name: Scan with Nexus IQ Container
  uses: https://github.com/cloudbees-io/nexusiq-scan-container@v1
  with:
    image-location: "your-registry/your-image:latest"
    server-url: ${{ vars.NEXUS_IQ_SERVER_URL }}
    username: ${{ secrets.NEXUS_IQ_USERNAME }}
    password: ${{ secrets.NEXUS_IQ_PASSWORD }}
    application-id: "my-application-id"
```
Trivy
Use this scanner for fast, comprehensive container image scanning with support for vulnerabilities, secrets, and misconfigurations.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The container image location to scan. |
| | String | No | Type of scan to perform (vuln, secret, config). |
| | String | No | Comma-separated list of severities to include (LOW,MEDIUM,HIGH,CRITICAL). |
SCA scanners
Software Composition Analysis (SCA) scanners analyze project dependencies to identify known security vulnerabilities, license compliance issues, and outdated components.
Black Duck
Use this scanner for comprehensive open source security and license compliance analysis with extensive vulnerability database coverage.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| server-url | String | Yes | The Black Duck server URL. |
| username | String | Yes | The Black Duck username. |
| password | String | Yes | The Black Duck password. |
| project-name | String | Yes | The Black Duck project name. |
| project-version | String | No | The Black Duck project version. |
Usage example
```yaml
- name: Scan with Black Duck
  uses: https://github.com/cloudbees-io/blackduck-sca-scan-dependency@v1
  with:
    server-url: ${{ vars.BLACKDUCK_SERVER_URL }}
    username: ${{ secrets.BLACKDUCK_USERNAME }}
    password: ${{ secrets.BLACKDUCK_PASSWORD }}
    project-name: "my-application"
    project-version: "1.0.0"
```
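Every usage example on this page passes credential inputs (username, password, client secret, AWS keys) as `${{ secrets.* }}` references rather than literals. The following added check, which is not part of CloudBees Unify or this page, scans a workflow file's `with:` blocks and flags credential inputs that are hardcoded or pulled from non-secret `vars.`; the credential input-name list and the sample workflow are constructed here, and the second step deliberately contains a literal password.

```python
import re

# A secret reference as used on this page, e.g. ${{ secrets.BLACKDUCK_PASSWORD }}.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$")
# Input names treated as credentials (assumption: derived from the tables and
# usage examples on this page; extend for other scanners as needed).
CREDENTIAL_INPUTS = {"username", "password", "client-secret",
                     "access-key-id", "secret-access-key", "token"}
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_-]+):\s*(.*?)\s*$")


def find_hardcoded_credentials(workflow_yaml: str) -> list[tuple[int, str, str]]:
    """Return (line_number, input_name, value) for every credential input inside a
    with: block whose value is not a ${{ secrets.* }} reference."""
    findings = []
    in_with, with_indent = False, -1
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() == "with:":
            in_with, with_indent = True, indent
            continue
        if in_with and indent <= with_indent:
            in_with = False  # dedented past the with: block (next key or next step)
        if not in_with:
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        if key in CREDENTIAL_INPUTS and not SECRET_REF.match(value):
            findings.append((lineno, key, value))
    return findings


# Constructed sample: the page's Black Duck step, then a Nexus IQ Container step
# in which the password was pasted in as a literal (the mistake this check catches).
SAMPLE_WORKFLOW = """\
- name: Scan with Black Duck
  uses: https://github.com/cloudbees-io/blackduck-sca-scan-dependency@v1
  with:
    server-url: ${{ vars.BLACKDUCK_SERVER_URL }}
    username: ${{ secrets.BLACKDUCK_USERNAME }}
    password: ${{ secrets.BLACKDUCK_PASSWORD }}
    project-name: "my-application"
    project-version: "1.0.0"
- name: Scan with Nexus IQ Container
  uses: https://github.com/cloudbees-io/nexusiq-scan-container@v1
  with:
    image-location: "your-registry/your-image:latest"
    server-url: ${{ vars.NEXUS_IQ_SERVER_URL }}
    username: ${{ secrets.NEXUS_IQ_USERNAME }}
    password: "CHANGE-ME-literal-password"
    application-id: "my-application-id"
"""

if __name__ == "__main__":
    for lineno, key, value in find_hardcoded_credentials(SAMPLE_WORKFLOW):
        print(f"line {lineno}: input '{key}' is not a secrets reference: {value!r}")
```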
Mend SCA
Use this scanner for software composition analysis with focus on open source security, license compliance, and dependency management.
Snyk SCA
Use this scanner for developer-friendly dependency analysis with detailed vulnerability information and automated fix suggestions.
Secret scanners
Secret scanning tools analyze code repositories, containers, and other artifacts to identify accidentally committed secrets, API keys, passwords, and other sensitive information.
Gitleaks
Use this scanner for fast, comprehensive secret detection in Git repositories with support for custom patterns and rules.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | No | Path to a custom Gitleaks configuration file. |
| | String | No | Comma-separated list of file paths to exclude from scanning. |
| | String | No | Logging level (trace, debug, info, warn, error, fatal). |
TruffleHog Code
Use this scanner for comprehensive secret detection in source code with advanced entropy analysis and custom pattern matching.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | No | Git reference to compare against for diff scanning. |
| | String | No | Maximum depth for commit history scanning. |
| | String | No | Comma-separated list of file paths to exclude from scanning. |
TruffleHog Container
Use this scanner for secret detection in container images, including environment variables, file systems, and embedded credentials.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The container image location to scan. |
| | String | No | Comma-separated list of file paths to exclude from scanning. |
| | String | No | Logging level (trace, debug, info, warn, error, fatal). |
TruffleHog S3
Use this scanner for secret detection in Amazon S3 buckets, including files, metadata, and access logs.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The S3 bucket name to scan. |
| | String | Yes | The AWS access key ID for authentication. |
| | String | Yes | The AWS secret access key for authentication. |
| | String | No | The AWS region (default: us-east-1). |
IaC scanners
Infrastructure as Code (IaC) scanners analyze infrastructure configuration files to identify security misconfigurations, compliance violations, and best practice deviations.
Snyk IaC
Use this scanner for comprehensive Infrastructure as Code security analysis with support for Terraform, Kubernetes, CloudFormation, and other IaC frameworks.
Inputs
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The Snyk organization name. |
| | String | Yes | The Snyk client secret. |
| | String | No | Path to the IaC file or directory to scan. |
| | String | No | Minimum severity level to report (low, medium, high, critical). |