Under the hood, Kahu uses a specially crafted deep source inspector and static analysis engine that analyzes the source code of dependencies extracted from a manifest file to generate a comprehensive security report.
Dependency Extraction
It all starts with a manifest file, typically package.json or requirements.txt, from which Kahu extracts the list of dependencies along with their specific versions.
Source Code Analysis
The source code of each dependency is retrieved recursively through package managers or version control systems. Kahu then performs static analysis on that source code to identify potential security issues.
API Usage Analysis
Each dependency is analysed for how it uses APIs, and any insecure or deprecated API usage that may introduce vulnerabilities is flagged.
CVE Detection
The versions of the dependencies are cross-referenced against the Common Vulnerabilities and Exposures (CVE) database to identify any dependencies with known security vulnerabilities.
Outdated Packages
The versions of the dependencies are compared with the latest available versions, detecting outdated packages that may lack crucial security patches.
Hardcoded Strings and Secrets
The source code is scanned for any instances of hardcoded secrets such as API keys, passwords, or sensitive configuration values. It flags such occurrences as potential security risks.
Malicious Pattern Detection
Various code analysis techniques are applied, including pattern matching, static taint analysis, behavior analysis, and AI-powered analysis, to identify any signs of malicious code or suspicious patterns within the dependencies.
Security Report
Based on the analysis results, Kahu generates a detailed security report that summarizes the findings, categorized into vulnerabilities, insecure API usages, CVEs, outdated packages, hardcoded secrets, and potential malicious code. The report helps developers understand the security risks associated with their dependencies and take appropriate action to mitigate them.
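As an added illustration of how the steps above fit together (example code written for this page, not Kahu's own engine), the following minimal Python pipeline parses the two manifest formats named above, checks each pinned version against a vulnerable-range table and a latest-release snapshot, scans source for hardcoded secrets, and assembles a report. The advisory table, registry snapshot, manifests and source file are all constructed placeholders; the advisory id is not a real CVE.

```python
import json
import re
# Constructed stand-ins for Kahu's advisory feed and registry data; the advisory id is a placeholder, not a real CVE.
ADVISORIES = {"requests": [("2.0.0", "2.31.0", "ADVISORY-PLACEHOLDER-001")]}
LATEST_VERSIONS = {"requests": "2.31.0", "flask": "3.0.0", "lodash": "4.17.21"}
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret": re.compile(r"(?i)(api[_-]?key|password|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
SAMPLE_MANIFESTS = {  # constructed sample inputs
    "requirements.txt": "requests==2.25.1  # pinned\nflask==3.0.0\n",
    "package.json": '{"dependencies": {"lodash": "^4.17.20"}}',
}
SAMPLE_SOURCES = {"config.py": 'DEBUG = True\nAPI_KEY = "AKIAEXAMPLEKEY000000"\n'}

def parse_version(spec):
    # '^4.17.20' or '==2.25.1' -> (4, 17, 20); range prefixes are dropped.
    return tuple(int(p) for p in spec.lstrip("^~=<>").split("."))

def parse_manifest(filename, text):
    # Dependency Extraction: {package: version} from package.json or requirements.txt.
    if filename == "package.json":
        return dict(json.loads(text).get("dependencies", {}))
    deps = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()  # drop trailing comments
        if "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
    return deps

def check_advisories(deps):
    # CVE Detection: flag versions inside a known vulnerable [low, high) range.
    return [(n, s, adv) for n, s in deps.items() for low, high, adv in ADVISORIES.get(n, [])
            if parse_version(low) <= parse_version(s) < parse_version(high)]

def check_outdated(deps):
    # Outdated Packages: pinned version behind the latest known release.
    return [(n, s, LATEST_VERSIONS[n]) for n, s in deps.items()
            if n in LATEST_VERSIONS and parse_version(s) < parse_version(LATEST_VERSIONS[n])]

def find_hardcoded_secrets(source):
    # Hardcoded Secrets: (line_number, pattern_name) for every matching line.
    return [(i, kind) for i, line in enumerate(source.splitlines(), 1)
            for kind, pat in SECRET_PATTERNS.items() if pat.search(line)]
def build_report(manifests, sources):
    # Security Report: merge every manifest's dependencies, then run each check.
    deps = {n: v for f, t in manifests.items() for n, v in parse_manifest(f, t).items()}
    return {"dependencies": deps, "advisories": check_advisories(deps),
            "outdated": check_outdated(deps),
            "secrets": {f: find_hardcoded_secrets(s) for f, s in sources.items()}}
```

Real version strings (pre-releases, build metadata) need a proper version library rather than the integer-tuple comparison used here, and the regex scan is only a first pass that a taint or entropy analysis would refine.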