SOOS is an independent software security company, located in Winooski, VT USA, building security software for your team. SOOS, Software security, simplified.
Use SOOS to scan your software for vulnerabilities and open source license issues with SOOS Core SCA. Generate and ingest SBOMs. Export reports to industry standards. Govern your open source dependencies. Run the SOOS DAST vulnerability scanner against your web apps or APIs. Scan your Docker containers for vulnerabilities. Check your source code for issues with SAST Analysis.
Demo SOOS or Register for a Free Trial.
If you maintain an Open Source project, sign up for the Free as in Beer SOOS Community Edition.
The soosio/sast Docker image supports several SAST scanners. Below are a few usage examples.
Before usage, be sure your image is up to date by running:

```shell
docker pull soosio/sast:latest
```

If you have Sarif 2.1 files, you can point soosio/sast at the directory containing them via a Docker mount:

```shell
docker run -u soos -v c:/my-sarif-folder:/home/soos/wrk/:rw -it --rm soosio/sast --sarifGenerator file --apiKey xxxx --clientId xxxx --projectName xxxx
```

To run Gitleaks secret detection:

```shell
docker run -u soos -v c:/my-source-code:/home/soos/wrk/:rw -it --rm soosio/sast --sarifGenerator gitleaks --apiKey xxxx --clientId xxxx --projectName xxxx
```

To customize the Gitleaks execution, you can pass in --otherOptions, e.g.

```shell
docker run -u soos -v c:/my-source-code:/home/soos/wrk/:rw -it --rm soosio/sast --sarifGenerator gitleaks --otherOptions "--max-archive-depth 1 --max-target-megabytes 10" --apiKey xxxx --clientId xxxx --projectName xxxx
```

To run Opengrep against your source code:

```shell
docker run -u soos -v c:/my-source-code:/home/soos/wrk/:rw -it --rm soosio/sast --sarifGenerator opengrep --apiKey xxxx --clientId xxxx --projectName xxxx
```

To customize the Opengrep execution, you can pass in --otherOptions, e.g.

```shell
docker run -u soos -v c:/my-source-code:/home/soos/wrk/:rw -it --rm soosio/sast --sarifGenerator opengrep --otherOptions "--no-git-ignore -f /home/soos/opengrep-rules/typescript -f /home/soos/opengrep-rules/generic" --apiKey xxxx --clientId xxxx --projectName xxxx
```

The available rules come from the opengrep/rules repository and were installed when the soosio/sast image was built. They are all installed under /home/soos/opengrep-rules and can be selected with a customized command line via --otherOptions as noted above.

To run Semgrep against your source code without logging in:

```shell
docker run -u soos -v c:/my-source-code:/home/soos/wrk/:rw -it --rm soosio/sast --sarifGenerator semgrep --apiKey xxxx --clientId xxxx --projectName xxxx
```

To customize the Semgrep scan execution, you can pass in --otherOptions, e.g.

```shell
docker run -u soos -v c:/my-source-code:/home/soos/wrk/:rw -it --rm soosio/sast --sarifGenerator semgrep --otherOptions "--no-git-ignore --metrics=off --config p/typescript" --apiKey xxxx --clientId xxxx --projectName xxxx
```

To log in to Semgrep and use your auto config via semgrep ci, add an environment variable with your SEMGREP_APP_TOKEN, e.g.

```shell
docker run -u soos -v c:/my-git-based-source-code:/home/soos/wrk/:rw -e SEMGREP_APP_TOKEN=tttt -it --rm soosio/sast --sarifGenerator semgrep --apiKey xxxx --clientId xxxx --projectName xxxx
```

This will run the --code scan against the checked-out repository at the mount point.

If you are using SonarQube, you can export your issues from your instance:

```shell
docker run -u soos -it --rm soosio/sast --sarifGenerator sonarqube --otherOptions "--url zzzz --token zzzz -k myProjectKey" --apiKey xxxx --clientId xxxx --projectName xxxx
```

The --otherOptions parameter allows you to pass in the available options for the Sonar findings export tool.
If SonarQube is running on the same host as soosio/sast and the URL is not DNS accessible, you will need to use the Docker host URL, e.g. --otherOptions "-url http://host.docker.internal:9000 ..."
| Argument | Default | Description |
|---|---|---|
| --apiKey | | SOOS API Key - get yours from SOOS Integration. |
| --branchName | | The name of the branch from the SCM System |
| --branchURI | | The URI to the branch from the SCM System |
| --buildURI | | URI to CI build info |
| --buildVersion | | Version of application build artifacts |
| --clientId | | SOOS Client ID - get yours from SOOS Integration. |
| --commitHash | | The commit hash value from the SCM System |
| --exportFormat | | Write the scan result to this file format. Options: Sarif, SoosIssues |
| --exportFileType | | Write the scan result to this file type (when used with exportFormat). Options: Csv, Html, Json |
| --logLevel | | Minimum level to show logs: DEBUG, INFO, WARN, FAIL, ERROR. |
| --onFailure | continue_on_failure | Action to perform when the scan fails. Options: fail_the_build, continue_on_failure |
| --operatingEnvironment | | Set Operating environment for information purposes only |
| --otherOptions | | Additional arguments passed to the sarif generator |
| --projectName | | Project Name - this is what will be displayed in the SOOS app |
| --sarifGenerator | | The generator for Sarif 2.1 ingest: file, gitleaks, opengrep, semgrep, sonarqube |