Page Title: AppSec Toolchain (Shield / CI Integration)

Summary:
VaultMesh uses an integrated application security toolchain rooted on shield-vm and CI pipelines. It combines vulnerability scanning, secret detection, SBOM generation, and IaC analysis into a coherent flow, with findings eligible to be logged into the proof spine for high-risk assets.

Key Findings:
- Nuclei, Trivy, Semgrep, TruffleHog, Gitleaks, Checkov, Syft, and Grype cover distinct layers.
- shield-vm is the natural home for heavy security scans and OffSec tooling.
- CI pipelines can call out to shield-vm or run scanners directly in job containers.
- Secret detection runs in both pre-commit and CI stages for defense-in-depth.
- SBOM generation and vulnerability scanning support long-term supply chain tracking.

Components:
- Nuclei (web and service vulnerability scanning).
- Trivy (container/filesystem/SBOM vulnerability scanner).
- Semgrep (static code analysis).
- TruffleHog / Gitleaks (secret discovery).
- Checkov (IaC misconfiguration scanner).
- Syft (SBOM generator).
- Grype (vulnerability scanner against SBOMs).

Tool Capabilities:

| Tool       | Target Types               | Output                  |
|------------|----------------------------|-------------------------|
| nuclei     | URLs, IPs, domains         | Findings by severity    |
| trivy      | Images, dirs, repos, SBOMs | CVEs, secrets, configs  |
| semgrep    | Source code directories    | Security findings       |
| trufflehog | Git, S3, GCS, etc.         | Verified secrets        |
| gitleaks   | Git repos, filesystems     | Secret locations        |
| checkov    | Terraform, K8s, Helm, etc. | Misconfigurations       |
| syft       | Images, dirs, archives     | CycloneDX/SPDX SBOM     |
| grype      | Images, dirs, SBOMs        | Vulnerability list      |

Example Scans:

Nuclei Web Scan:

```json
{
  "targets": ["https://example.com"],
  "severity": ["high", "critical"],
  "tags": ["cve", "rce"]
}
```

Trivy Container Scan:

```json
{
  "target": "vaultmesh-core:latest",
  "scan_type": "image",
  "scanners": ["vuln", "secret"],
  "severity": ["HIGH", "CRITICAL"]
}
```

Secret Detection:

```json
{
  "target": "/srv/git/vaultmesh",
  "source_type": "git",
  "only_verified": true
}
```

MCP Tools:
- offsec_appsec_nuclei_scan
- offsec_appsec_trivy_scan
- offsec_appsec_semgrep_scan
- offsec_appsec_trufflehog_scan
- offsec_appsec_gitleaks_scan
- offsec_appsec_checkov_scan
- offsec_appsec_syft_sbom
- offsec_appsec_grype_scan

Workflows:
1. SBOM Pipeline: Syft → produce CycloneDX JSON → Grype → vulnerability report.
2. Pre-merge Scans: CI job runs Semgrep, Trivy, Gitleaks on merge requests.
3. Periodic Deep Scans: shield-vm runs scheduled AppSec scans, logging high-severity findings.
4. Policy Integration: High-severity or critical findings feed into Lawchain/Lawchain-like policies.

Security Notes:
- Nuclei and Trivy should be rate-limited when targeting external assets.
- Secret detection in CI uses only_verified where possible to reduce noise.
- Baseline files can exclude accepted findings while still tracking new issues.
- AppSec findings for high-value systems may be recorded as receipts in the proof system.

Dependencies:
- offsec-mcp server with tools installed (on shield-vm or lab nodes).
- Network access for pulling scanner templates and vulnerability databases.
- CI integration (GitLab pipelines on gate-vm) to trigger scans automatically.
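The following is an added example, not VaultMesh's own code, showing the post-scan step that the SBOM Pipeline, Policy Integration, and baseline notes above describe: read a Grype JSON report, drop findings already accepted in a baseline file, fail the job on findings at or above a severity threshold, and emit a receipt-style record for what remains. It assumes the Grype JSON layout (`matches[].vulnerability.{id,severity}` and `matches[].artifact.{name,version}`); the baseline file format (a list of finding fingerprints), the receipt structure, and the CVE ids in the sample report are all constructed here and are not the proof spine's real schema or real findings.

```python
"""Post-process a Grype JSON report in CI (added example, not VaultMesh code)."""
import hashlib
import json

# Constructed sample in the shape Grype writes with `grype -o json`.
# The CVE ids are placeholders, not real findings.
SAMPLE_GRYPE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
         "artifact": {"name": "libfoo", "version": "1.0.0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
         "artifact": {"name": "libbar", "version": "2.3.1"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low"},
         "artifact": {"name": "libbaz", "version": "0.9.0"}},
    ]
})

# Grype severity strings, ranked so a threshold can be applied.
SEVERITY_RANK = {"negligible": 0, "unknown": 0, "low": 1,
                 "medium": 2, "high": 3, "critical": 4}


def fingerprint(match):
    """Stable identity for a finding: package@version plus vulnerability id.
    A baseline stores these, so the same finding stays accepted across runs
    while a new version or new CVE gets a new fingerprint."""
    art, vuln = match["artifact"], match["vulnerability"]
    key = f'{art["name"]}@{art["version"]}:{vuln["id"]}'
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def load_findings(report_json):
    """Flatten the Grype report into plain finding records."""
    report = json.loads(report_json)
    return [{
        "id": m["vulnerability"]["id"],
        "severity": m["vulnerability"]["severity"],
        "package": m["artifact"]["name"],
        "version": m["artifact"]["version"],
        "fingerprint": fingerprint(m),
    } for m in report.get("matches", [])]


def apply_baseline(findings, baseline):
    """Drop findings whose fingerprint is in the baseline's accepted list.
    Baseline layout ({"accepted": [...]}) is an assumption of this example."""
    accepted = set(baseline.get("accepted", []))
    return [f for f in findings if f["fingerprint"] not in accepted]


def gate(findings, fail_on="high"):
    """Return the findings at or above the failing severity threshold."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"].lower(), 0) >= threshold]


def make_receipt(asset, findings, scanner="grype"):
    """Receipt-style record: canonical JSON body plus its SHA-256 digest.
    Placeholder structure; the real proof-spine schema is not shown on the page."""
    body = {
        "asset": asset,
        "scanner": scanner,
        "findings": sorted(f["fingerprint"] for f in findings),
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"body": body, "digest": hashlib.sha256(canonical.encode()).hexdigest()}


def run_pipeline(report_json, baseline, asset, fail_on="high"):
    """Baseline -> severity gate -> receipt. `passed` is the CI job verdict."""
    findings = load_findings(report_json)
    new = apply_baseline(findings, baseline)
    blocking = gate(new, fail_on)
    receipt = make_receipt(asset, blocking) if blocking else None
    return {"total": len(findings), "new": len(new), "blocking": blocking,
            "receipt": receipt, "passed": not blocking}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_GRYPE_REPORT, {"accepted": []}, "vaultmesh-core:latest")
    print(json.dumps(result, indent=2))
```

In a real job the report would come from `grype sbom:sbom.cdx.json -o json` after `syft ... -o cyclonedx-json`, and the baseline from a file committed beside the pipeline; keeping the baseline keyed by fingerprint rather than by CVE id alone means an accepted finding is re-raised as soon as the affected package version changes.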