Sentinel Source (SAST): Static Application Security Testing

Black Duck offers three levels of WhiteHat SAST testing to cover all your security needs.

Sentinel Source Standard Edition (SE) is a full-service solution designed to incorporate security into your software development life cycle (SDLC). It enables you to assess your code as it is being developed and assists developers in identifying and remediating vulnerabilities before the code is pushed to production. As developers write code, containerize it, and upload it to a repository, Sentinel Source analyzes the code and identifies potential security vulnerabilities. Sentinel Source runs on the Sentinel Source engine, which is delivered as a VM image installed entirely within your network. Any code snippets, including YAML configuration files, that contain vulnerabilities identified by the automated Sentinel Source scanner are then sent to Black Duck Threat Research Center (TRC) engineers for verification. Once verified, vulnerabilities are reported back to you either through the Sentinel Source user interface or directly into your bug-tracking system through an integration with the Sentinel Source API.

Sentinel Source Essentials Edition (EE) provides raw SAST findings as soon as a scan is completed, without any TRC services such as scan review, vulnerability verification to weed out false positives, Directed Remediation, or Ask-a-Question. EE is a lower-cost SAST option for non-mission-critical apps, and assumes that you have the expertise to self-verify any findings.

SCA - Essentials (SCA) rapidly and accurately identifies the third-party and open source components that have been integrated into your source applications. For each of these components, SCA identifies any open security common vulnerabilities and exposures (CVEs), the component's license, and whether the library version is out of date and by how much. SCA also produces a list of raw Unpatched Library findings, if any, for your source application as soon as a scan is complete. Applications onboarded using this service level are limited to a maximum of 3M lines of code.

This lower-cost development tool does not include static analysis (SAST) or the following Black Duck TRC services: Scan Review, Vulnerability Verification, Ask-a-Question, and Directed Remediation. SCA is suitable for non-mission-critical apps and for customers who have the expertise to self-verify these raw findings.

For more details, please see Sentinel Source - Service Detail.