SmartRocket Scanner is an open-source component asset security and compliance analysis management tool. It is rooted in security philosophies such as shift-left security, DevSecOps, and real-time monitoring. Throughout the software lifecycle, it continuously automates identification of open-source software and dependent components, component inventory management, security risk analysis and vulnerability remediation, license risk analysis, continuous integration management, user library management, and more. It integrates with third-party development tools to enable automated security analysis, policy enforcement, continuous integration and real-time monitoring, responding promptly to new vulnerabilities with targeted notifications. The tool is suited to continuous management and monitoring practices such as agile development, pipelines, and shift-left security, helping enterprises solve the problems that arise from poorly maintained and poorly managed open-source software.
Performs thorough line-level analysis through multi-dimensional static code scanning, dependency package scanning, and code provenance scanning.
Accurately analyzes and pinpoints vulnerabilities, offering tiered solutions or mitigation measures and providing detailed information for risk assessment.
Provides comprehensive open-source license recognition, risk analysis, traceability analysis, and compatibility analysis.
The system's knowledge base is updated daily to promptly discover new vulnerabilities affecting components and projects, with targeted push notifications and responses.
Provides dynamic solutions, recommending an upgrade to the secure version closest to the user's current version to preserve compatibility. If multiple vulnerabilities belong to the same component, a single unified version is recommended that fixes all of them.
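The recommendation rule above (nearest non-vulnerable version at or above the current one, unified across every vulnerability of the component) can be expressed as a small selection routine. The code below is an added illustration, not SmartRocket's own logic; the component name, version list and vulnerability ranges are constructed sample data, and the affected-range model (from an inclusive lower bound to an exclusive fixed version) is an assumption.

```python
"""Illustrative 'closest secure version' selection (not SmartRocket's code)."""
from dataclasses import dataclass
from typing import Optional

Version = tuple  # e.g. (2, 3, 1); compared lexicographically


def parse_version(text: str) -> Version:
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def format_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str        # constructed placeholder id, not a real advisory
    component: str
    affected_from: Version   # first affected version (inclusive)
    fixed_in: Version        # first clean version (exclusive upper bound)

    def affects(self, version: Version) -> bool:
        return self.affected_from <= version < self.fixed_in


# Constructed sample knowledge-base entries for one component.
VULNS = [
    Vulnerability("VULN-A", "example-lib", (0,), (2, 3, 5)),
    Vulnerability("VULN-B", "example-lib", (2, 0, 0), (2, 5, 0)),
]
# Constructed list of versions published for that component.
AVAILABLE = ["2.3.1", "2.3.4", "2.4.0", "2.5.2", "3.0.0"]


def recommend_upgrade(component: str, current: str, vulns, available) -> Optional[str]:
    """Return the lowest available version >= current that none of the
    component's known vulnerabilities affect, or None if the current
    version is already clean or no such version exists."""
    cur = parse_version(current)
    relevant = [v for v in vulns if v.component == component]
    if not any(v.affects(cur) for v in relevant):
        return None  # nothing to fix at the current version
    for cand in sorted(parse_version(a) for a in available):
        if cand >= cur and not any(v.affects(cand) for v in relevant):
            return format_version(cand)  # one version fixes every finding
    return None  # no clean version published yet


if __name__ == "__main__":
    print(recommend_upgrade("example-lib", "2.3.1", VULNS, AVAILABLE))
```

Note that 2.4.0 would close VULN-A but still sits inside VULN-B's range, so the routine skips it in favour of the nearest version that is clean for both findings.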
Supports enterprises in independently constructing vulnerability databases and open-source software knowledge bases. The tool can promptly detect whether a project has introduced a specific dependency or vulnerability, and it provides an open API that supports flexible customization.
Users can set rules based on vulnerability risk levels, licenses, and component whitelists and blacklists, automatically preventing risky components from entering private repositories so that problematic components never enter the software development lifecycle.
Supports discovering code issues during coding, locating them down to the line and quickly providing repair suggestions. During the build phase it executes policies automatically based on user-defined rules, blocking in time to achieve shift-left security.
Provides management teams with a visual overview of the entire enterprise's open-source assets, giving an accurate picture of the open-source components in use, open-source vulnerabilities, vulnerability trends over time, and more. This supports intuitive statistics collection and helps businesses manage their security assets.
Monitors open-source software vulnerability intelligence in real time and links it to the user's related projects to ensure timely responses. Provides configuration for email and DingTalk task-tracking tools so that targeted reminders and precise issue information can be pushed to the right people.