- It all starts with a manifest file, typically in a format like package.json or requirements.txt, from which a list of dependencies along with their specific versions is extracted.
- Source Code Analysis: The source code of each dependency is recursively retrieved using package managers or version control systems. Static analysis is then performed on that source code to identify potential security issues.
- API Usage Analysis: Each dependency is analysed for how it uses APIs, checking for any insecure or deprecated API usages that may introduce vulnerabilities.
- CVE Detection: The versions of the dependencies are cross-referenced with known Common Vulnerabilities and Exposures (CVE) databases, identifying any dependencies that have known security vulnerabilities.
- Outdated Packages: The versions of the dependencies are compared with the latest available versions, detecting outdated packages that may lack crucial security patches.
- Hardcoded Strings and Secrets: The source code is scanned for any instances of hardcoded secrets such as API keys, passwords, or sensitive configuration values. Such occurrences are flagged as potential security risks.
- Malicious Pattern Detection: Various code analysis techniques are applied, including pattern matching, static taint analysis, behavior analysis, and AI-powered analysis, to identify any signs of malicious code or suspicious patterns within the dependencies.
- Security Report: Based on the analysis results, a detailed security report is generated that summarizes the findings, categorizing vulnerabilities, insecure API usages, CVEs, outdated packages, hardcoded secrets, and potential malicious code. The report helps developers understand the security risks associated with their dependencies and take appropriate actions to mitigate them.
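As an added illustration (not code from the page or the tool it describes), the following Python sketch shows the manifest-parsing, CVE-detection, outdated-package and hardcoded-secret steps above on a requirements.txt input. The manifest, the advisory index, the "latest version" index and the advisory IDs are all constructed placeholders standing in for a real CVE/registry lookup.

```python
import re

# Constructed sample manifest in requirements.txt format (versions are made up).
MANIFEST = """\
requests==2.25.1
flask==2.0.3  # pinned, comment should be ignored
urllib3>=1.26
"""

# Constructed advisory index: package -> [(first_fixed_version, advisory_id)].
# A real scanner would query a CVE/OSV database; the ID here is a placeholder.
ADVISORIES = {"requests": [("2.31.0", "PLACEHOLDER-ADV-0001")]}
# Constructed stand-in for a registry "latest version" lookup.
LATEST = {"requests": "2.31.0", "flask": "2.0.3", "urllib3": "2.0.0"}

REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")
# Hypothetical secret pattern: key-like name assigned a quoted literal of 8+ chars.
SECRET_RE = re.compile(r"""(?i)(api[_-]?key|password|secret)\s*[:=]\s*['"][^'"]{8,}['"]""")

def parse_version(v):
    # Numeric dotted versions only; non-numeric parts compare as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_manifest(text):
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = REQ_RE.match(line) if line else None
        if m:
            deps.append((m.group(1).lower(), m.group(2), m.group(3)))
    return deps

def audit(text):
    findings = []  # (package, category, detail)
    for name, op, ver in parse_manifest(text):
        if op != "==" or ver is None:
            findings.append((name, "unpinned", "resolved version unknown; cannot audit"))
            continue
        for fixed_in, adv in ADVISORIES.get(name, []):
            if parse_version(ver) < parse_version(fixed_in):
                findings.append((name, "cve", f"{adv}: affected <{fixed_in}, have {ver}"))
        latest = LATEST.get(name)
        if latest and parse_version(ver) < parse_version(latest):
            findings.append((name, "outdated", f"{ver} < latest {latest}"))
    return findings

def find_hardcoded_secrets(source):
    # Returns 1-based line numbers of lines matching the secret pattern.
    return [i for i, l in enumerate(source.splitlines(), 1) if SECRET_RE.search(l)]
```

Unpinned requirements are reported separately because a range like `>=1.26` resolves differently over time, so no single version can be checked against the advisory data.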