Code Analysis (White Box)

These tools require a GitHub connection to access your source code. They run in addition to all black box tools.

📝 Semgrep (SAST)

Static Application Security Testing - finds vulnerabilities in your source code.

What it finds:

  • Injection vulnerabilities (SQL, command, XSS)
  • Insecure cryptography usage
  • Hardcoded secrets
  • Authentication bypass patterns
  • Framework-specific anti-patterns (React, Django, Express, etc.)

Languages supported: Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, C#, and more.

Docker image: semgrep/semgrep


📦 Trivy (SCA)

Software Composition Analysis - checks your dependency files for known vulnerabilities.

What it finds:

  • Vulnerable npm/pip/Maven/Go dependencies
  • License compliance issues
  • Outdated packages with known CVEs
  • Transitive dependency vulnerabilities

Files checked: package-lock.json, requirements.txt, go.sum, pom.xml, Gemfile.lock, etc.

Docker image: aquasec/trivy


🔑 Gitleaks (Secret Detection)

Checks your Git history for accidentally committed secrets.

What it finds:

  • API keys (AWS, GCP, Azure, Stripe, etc.)
  • Database connection strings
  • OAuth tokens
  • Private keys
  • Passwords in configuration files

Docker image: zricethezav/gitleaks
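To make concrete why scanning Git history matters rather than only the checked-out tree, here is an added illustration; it is not Gitleaks's code or rule set (a real scanner ships hundreds of rules plus entropy and allow-list logic), and the commits, file contents and three regex rules are constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical rule set covering three of the secret categories listed above.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db-connection-string": re.compile(r"\b[a-z]+://[^:\s]+:[^@\s]+@[\w.-]+"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

CLEAN_CONFIG = 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
DB_INI = "url = postgres://app:hunter2@db.internal:5432/prod\n"

# Constructed history (not real data): (commit id, snapshot of tracked files after it).
# The AWS key is committed in c1a2b3 and deleted in d4e5f6, so HEAD is clean but the
# history is not; the key has still leaked and must be rotated, not just removed.
COMMITS = [
    ("c1a2b3", {"config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'}),
    ("d4e5f6", {"config.py": CLEAN_CONFIG}),
    ("a7b8c9", {"config.py": CLEAN_CONFIG, "settings.ini": DB_INI}),
    ("f0e1d2", {"config.py": CLEAN_CONFIG, "settings.ini": DB_INI,
                "deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\n"}),
]

@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    commit: str  # "HEAD" for a working-tree-only scan

def scan_tree(files, commit="HEAD"):
    """Apply every rule to every line of one file snapshot (what a tree-only scan sees)."""
    return [
        Finding(rule_id, path, n, commit)
        for path, text in files.items()
        for n, line in enumerate(text.splitlines(), start=1)
        for rule_id, pattern in RULES.items()
        if pattern.search(line)
    ]

def scan_history(commits):
    """Scan every commit's snapshot, attributing each secret to the commit that introduced it."""
    seen, findings = set(), []
    for commit, files in commits:
        for f in scan_tree(files, commit):
            key = (f.rule_id, f.path, f.line)
            if key not in seen:
                seen.add(key)
                findings.append(f)
    return findings
```

Running scan_tree on the last snapshot reports only the connection string and the private key, while scan_history additionally surfaces the AWS key in c1a2b3.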


Enabling white box analysis

  1. Go to Dashboard > Account > GitHub
  2. Connect via OAuth or install the TurboPentest GitHub App
  3. Grant access to the repositories you want to test
  4. When starting a pentest, provide the repoUrl parameter

The GitHub App is recommended because it grants fine-grained, per-repository access without exposing a personal access token.
