---
id: wiki-2026-0508-snyk-checkmarx-endor-labs-등-종합-애
title: Snyk, Checkmarx, Endor Labs and Other Comprehensive Application Security Platforms
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [AppSec Platforms, ASPM, Application Security Platforms]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [appsec, security, sast, sca, aspm, snyk, checkmarx, endor-labs]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: multi
  framework: snyk/checkmarx-one/endor-labs
---

# Snyk, Checkmarx, Endor Labs and Other Comprehensive Application Security Platforms

## One-liner

> **"A modern AppSec platform is the unified surface for SAST + SCA + IaC + secrets + container + ASPM; the dominant players are Snyk, Checkmarx One, Endor Labs, Semgrep AppSec Platform and GitHub Advanced Security."** The 2026 differentiators are AI auto-fix (Snyk DeepCode AI, Checkmarx AI Fix), reachability analysis (Endor Labs) and auditing of AI-generated code. ASPM (Application Security Posture Management) is the layer that unifies the rest.

## Core

### Coverage axes
- **SAST** (Static Analysis): vulnerability patterns in first-party source code (SQLi, XSS, command injection).
- **SCA** (Software Composition Analysis): known CVEs in third-party dependencies.
- **IaC**: misconfigurations in Terraform / K8s manifests.
- **Secrets**: hardcoded credentials in code and config.
- **Container**: CVEs in image layers plus base-image upgrade guidance.
- **DAST / API**: dynamic testing of the running application and its APIs.
- **ASPM**: unified posture across all of the above, with deduplication and prioritization.

### Vendor landscape (2026)
- **Snyk**: developer-friendly, AI auto-fix (DeepCode), open-source-first.
- **Checkmarx One**: enterprise SAST heritage, AI Fix, IAST added.
- **Endor Labs**: reachability-based SCA that cuts alert noise dramatically.
- **Semgrep AppSec Platform**: custom rules first.
- **GitHub Advanced Security (CodeQL + Dependabot + Copilot Autofix)**: GitHub-native.
- **Veracode**, **SonarQube**, **Wiz Code**: each with its own niche.

### Modern (2026) trends
- **Reachability**: keep only vulnerabilities whose vulnerable function is actually called from the application's code paths (Endor Labs, Semgrep).
- **AI auto-fix**: the scanner posts a fix suggestion as a PR comment, which can then be auto-applied.
- **Auditing AI-generated code**: an audit gate on Copilot / Cursor output before it is merged.
- **SBOM mandate**: compliance with the EU CRA and US EO 14028.

### Applications
1. CI gate that fails the build on SAST + SCA findings above a severity threshold.
2. PR-level annotation plus auto-fix.
3. ASPM dashboard aggregating findings across tools.
4. SBOM generation plus supply-chain attestation (SLSA, in-toto).

## 💻 Patterns

### Snyk CLI (CI gate)
```yaml
# .github/workflows/snyk.yml
name: snyk
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # every snyk command needs the token, so set it job-wide
    steps:
      - uses: actions/checkout@v4
      - uses: snyk/actions/setup@master
      - run: snyk test --severity-threshold=high        # SCA: open-source dependencies
      - run: snyk code test --severity-threshold=high   # SAST: Snyk Code
      - run: snyk container test myimg:latest           # image must be built or pullable at this point
      - run: snyk iac test infra/                       # IaC misconfigurations
```

### Semgrep custom rule
```yaml
# .semgrep/no-eval.yml
rules:
  - id: no-eval
    pattern: eval(...)
    message: "Avoid eval — code injection risk"
    languages: [javascript, python]
    severity: ERROR
```
```bash
# local rules plus the community OWASP ruleset; --error makes findings fail the job
semgrep --config .semgrep/ --config p/owasp-top-ten --error
```

### Endor Labs reachability scan
```bash
endorctl init
endorctl scan --dependencies --reachability
# Output: only vulnerabilities in dependency code that is actually reachable from the
# application are raised as alerts; the page cites a 90%+ reduction in noise.
```

### CodeQL custom query
```ql
import javascript

// Heuristic local-flow query: flag exec() calls whose first argument is sourced
// from a variable named userInput. A production query would use a TaintTracking
// configuration with proper sources and sinks instead of a variable name.
from CallExpr c, VarAccess v
where
  c.getCalleeName() = "exec" and
  v.getName() = "userInput" and
  c.getArgument(0).flow().getALocalSource() = v.flow()
select c, "Possible command injection from user input"
```

### SBOM generation + attestation (Syft + Cosign)
```bash
syft myimg:latest -o spdx-json > sbom.spdx.json
cosign attest --predicate sbom.spdx.json --type spdxjson myimg:latest
# keyless verification must pin both the signer identity and the OIDC issuer that vouched for it
cosign verify-attestation --type spdxjson --certificate-identity ... \
  --certificate-oidc-issuer ... myimg:latest
```

### Snyk AI Fix (PR auto-fix)
```bash
# Snyk Code findings get an AI-generated patch (DeepCode AI Fix) through the IDE plugins and
# the Snyk UI; on the CLI, `snyk fix` applies dependency upgrades for SCA findings instead.
snyk fix --severity-threshold=high
```

### ASPM aggregation (custom)
```python
import os
from collections import defaultdict

import requests

# Tokens come from the environment, never from source. Snyk's v1 API uses the
# "token" scheme; Checkmarx and Endor Labs use bearer tokens, adjust the header per vendor.
SNYK_TOKEN = os.environ["SNYK_TOKEN"]
CHX_TOKEN = os.environ["CHX_TOKEN"]
ENDOR_TOKEN = os.environ["ENDOR_TOKEN"]


def fetch(api, token):
    r = requests.get(api, headers={"Authorization": f"token {token}"}, timeout=30)
    r.raise_for_status()
    return r.json()


snyk = fetch("https://api.snyk.io/v1/org/.../issues", SNYK_TOKEN)
chx = fetch("https://api.checkmarx.net/...", CHX_TOKEN)
endor = fetch("https://api.endorlabs.com/...", ENDOR_TOKEN)

# Dedupe across tools on (package, CVE). The "results", "package", "cve", "reachable"
# and "cvss" keys are illustrative; each vendor's real schema differs and needs mapping.
agg = defaultdict(list)
for src, items in [("snyk", snyk), ("chx", chx), ("endor", endor)]:
    for it in items["results"]:
        agg[(it["package"], it["cve"])].append({"src": src, **it})

# Prioritize: reachable (per any tool) first, then by highest CVSS across tools
prioritized = sorted(
    agg.items(),
    key=lambda kv: (
        -int(any(x.get("reachable") for x in kv[1])),
        -max(x.get("cvss", 0) for x in kv[1]),
    ),
)
```

### Pre-commit secret scan
```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks: [{ id: gitleaks }]
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.82.7
    hooks: [{ id: trufflehog, args: [--only-verified] }]
```

## Decision criteria

| Need | Tool |
|---|---|
| Developer-friendly all-in-one | Snyk |
| Enterprise SAST + IAST | Checkmarx One |
| Reachability-prioritized SCA | Endor Labs |
| Custom rules | Semgrep |
| GitHub-native | GHAS (CodeQL) |
| Open / cheap baseline | Trivy + Semgrep + Gitleaks |

**Default**: Semgrep + Trivy (open source) at minimum; pick a commercial platform by organizational need.

## 🔗 Graph
- Parent: [[Application-Security]] · [[CI/CD Pipeline & IDE Security Integration|DevSecOps]]
- Variants: [[Semgrep]]
- Applications: [[ASPM]] · [[SBOM]] · [[Supply-Chain-Security]]
- Adjacent: [[Smart-Contract-Auditing]] · [[CodeQL]] · [[Trivy]] · [[Gitleaks]]

## 🤖 LLM usage
**When**: finding triage, fix-patch suggestions, auto-generated PR comments, secure code review.
**When not**: deterministic detection (SAST is faster and grounded in the actual code), zero-day discovery (still a research activity).

## ❌ Anti-patterns
- **No reachability**: the bulk of SCA findings are unreachable noise, and developers learn to ignore the tool.
- **Tool sprawl without ASPM**: the same finding is reported several times, often with conflicting severities.
- **No CI gate**: the finding backlog only grows.
- **Leaving a secret in git history**: always revoke the credential and rewrite history (force-push); rewriting alone is not enough, because clones, forks and CI caches still hold the old commits.

## 🧪 Verification / duplicates
- Verified against Snyk, Checkmarx and Endor Labs docs and Gartner ASPM 2025.
- Trust level A.

## 🕓 Changelog
| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: full vendor landscape + ASPM patterns |
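The cross-tool aggregation and CI-gate patterns from the Patterns section, worked end to end as an added example that runs offline. This is not code from the page, from Snyk, Checkmarx or Endor Labs: the three payloads are constructed to mimic the shape of each vendor's export, their field names (`pkgName`, `cveName`, `reachability`, ...) are assumptions, and the `KEV` set is a stand-in for a real catalog lookup. It normalizes the three schemas, dedupes on (package, CVE), lets a reachable verdict from any tool override an unreachable one, and blocks the gate only on findings at or above the CVSS threshold that no tool proved unreachable, so unknown reachability fails closed.

```python
"""Cross-tool finding aggregation with reachability-aware prioritization.

Added example. The three payloads below are constructed to mimic the *shape* of
Snyk, Checkmarx and Endor Labs exports; their field names are assumptions for
illustration, not the vendors' real API schemas.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# --- constructed sample exports (illustrative field names) -------------------
SNYK_EXPORT = {"issues": [
    {"pkgName": "lodash", "identifiers": {"CVE": ["CVE-2021-23337"]}, "cvssScore": 7.2},
    {"pkgName": "minimist", "identifiers": {"CVE": ["CVE-2021-44906"]}, "cvssScore": 9.8},
]}
CHECKMARX_EXPORT = {"results": [
    {"packageName": "lodash", "cveName": "CVE-2021-23337", "score": 7.2},
    {"packageName": "express", "cveName": "CVE-2024-29041", "score": 6.1},
]}
ENDOR_EXPORT = {"findings": [
    {"package": "lodash", "cve": "CVE-2021-23337", "reachability": "REACHABLE", "cvss": 7.2},
    {"package": "minimist", "cve": "CVE-2021-44906", "reachability": "UNREACHABLE", "cvss": 9.8},
]}
# Stand-in for a CISA KEV membership lookup; constructed for the example, not a real KEV check.
KEV: Set[str] = {"CVE-2021-44906"}

Row = Tuple[str, str, str, float, Optional[bool]]   # (source, package, cve, cvss, reachable)


@dataclass
class Finding:
    package: str
    cve: str
    cvss: float
    sources: Set[str] = field(default_factory=set)
    reachable: Optional[bool] = None   # None: no tool gave a reachability verdict


def normalize_snyk(payload: dict) -> Iterable[Row]:
    for it in payload["issues"]:
        for cve in it["identifiers"].get("CVE", []):
            yield "snyk", it["pkgName"], cve, float(it["cvssScore"]), None


def normalize_checkmarx(payload: dict) -> Iterable[Row]:
    for it in payload["results"]:
        yield "checkmarx", it["packageName"], it["cveName"], float(it["score"]), None


def normalize_endor(payload: dict) -> Iterable[Row]:
    for it in payload["findings"]:
        yield "endor", it["package"], it["cve"], float(it["cvss"]), it["reachability"] == "REACHABLE"


def aggregate(*streams: Iterable[Row]) -> Dict[Tuple[str, str], Finding]:
    """Dedupe by (package, CVE). Highest CVSS wins; a 'reachable' verdict from any tool wins."""
    agg: Dict[Tuple[str, str], Finding] = {}
    for stream in streams:
        for src, pkg, cve, cvss, reachable in stream:
            f = agg.setdefault((pkg, cve), Finding(pkg, cve, cvss))
            f.sources.add(src)
            f.cvss = max(f.cvss, cvss)
            if reachable is not None:
                f.reachable = reachable if f.reachable is None else (f.reachable or reachable)
    return agg


def priority(f: Finding) -> Tuple[bool, bool, float]:
    """Sort key: proven-unreachable last, KEV-listed first within a tier, then CVSS descending."""
    return (f.reachable is False, f.cve not in KEV, -f.cvss)


def prioritized(agg: Dict[Tuple[str, str], Finding]) -> List[Finding]:
    return sorted(agg.values(), key=priority)


def gate(findings: List[Finding], cvss_threshold: float = 7.0) -> List[Finding]:
    """CI gate: block on anything at/above the threshold unless a tool proved it unreachable.
    Unknown reachability counts as reachable, so a tool outage cannot silently pass the gate."""
    return [f for f in findings if f.cvss >= cvss_threshold and f.reachable is not False]


if __name__ == "__main__":
    agg = aggregate(normalize_snyk(SNYK_EXPORT), normalize_checkmarx(CHECKMARX_EXPORT),
                    normalize_endor(ENDOR_EXPORT))
    for f in prioritized(agg):
        print(f"{f.package:9} {f.cve:15} cvss={f.cvss:<4} reachable={f.reachable} via={sorted(f.sources)}")
    blocking = gate(prioritized(agg))
    print("GATE:", "FAIL" if blocking else "PASS", [f.cve for f in blocking])
```

On the constructed data the 9.8 minimist finding drops to the bottom because Endor proved it unreachable, the 7.2 lodash finding blocks the gate because it is reachable and reported by all three tools, and the 6.1 express finding is kept visible but does not block. Swapping the `KEV` stand-in for a real catalog fetch and the three normalizers for the vendors' actual schemas is the only change needed to run this against live exports.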
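The SBOM step in the Applications list produces what `syft -o spdx-json` emits; the SCA axis is what a platform then does with that document. As an added example (not Syft's, Snyk's or any vendor's code), here is that matching run offline: a constructed SPDX 2.3 fragment in Syft's shape, a constructed advisory list whose record format (`introduced` / `fixed`, OSV-style half-open range) is an assumption, a purl parser, and a version-range check. The express entry sits exactly on its `fixed` version to show that the fixed release itself is not flagged.

```python
"""Match an SPDX 2.3 JSON SBOM (the shape `syft -o spdx-json` emits) against advisories.

Added example, not Syft's or any vendor's code. The SBOM document and the advisory
records are constructed; the advisory record format is an assumption.
"""
import json
import re
from typing import List, Tuple

# Constructed SPDX 2.3 fragment with only the fields this example reads.
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "myimg:latest",
    "packages": [
        {"name": "lodash", "versionInfo": "4.17.20", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
        {"name": "express", "versionInfo": "4.19.2", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:npm/express@4.19.2"}]},
        {"name": "openssl", "versionInfo": "3.0.13-r0", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:apk/alpine/openssl@3.0.13-r0?arch=x86_64"}]},
        {"name": "myimg", "versionInfo": "latest", "externalRefs": []},   # image root: no purl
    ],
})

# Constructed advisories: affected if introduced <= version < fixed (OSV-style half-open range).
ADVISORIES = [
    {"id": "CVE-2021-23337", "type": "npm", "name": "lodash", "introduced": "0.0.0", "fixed": "4.17.21"},
    {"id": "CVE-2024-29041", "type": "npm", "name": "express", "introduced": "0.0.0", "fixed": "4.19.2"},
    {"id": "ADV-EXAMPLE-1", "type": "apk", "name": "openssl", "introduced": "3.0.0", "fixed": "3.0.14"},
]

# pkg:<type>/[<namespace>/]<name>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>[^/@]+)/)?(?P<name>[^/@?#]+)@(?P<version>[^?#]+)")


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Return (type, name, version); the namespace and qualifiers are dropped."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unparseable purl: {purl}")
    return m.group("type"), m.group("name"), m.group("version")


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple of the leading dotted digits: '3.0.13-r0' -> (3, 0, 13).
    Adequate for this example; real SCA uses ecosystem-specific comparators (npm semver, apk, deb)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def sbom_purls(sbom_text: str) -> List[str]:
    doc = json.loads(sbom_text)
    return [ref["referenceLocator"]
            for pkg in doc["packages"]
            for ref in pkg.get("externalRefs", [])
            if ref.get("referenceType") == "purl"]


def affected(version: str, introduced: str, fixed: str) -> bool:
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def match(sbom_text: str, advisories: list) -> List[Tuple[str, str, str]]:
    """Return (advisory id, purl, fixed version) for every SBOM component in an affected range."""
    hits = []
    for purl in sbom_purls(sbom_text):
        ptype, name, version = parse_purl(purl)
        for adv in advisories:
            if adv["type"] == ptype and adv["name"] == name and affected(version, adv["introduced"], adv["fixed"]):
                hits.append((adv["id"], purl, adv["fixed"]))
    return hits


if __name__ == "__main__":
    for adv_id, purl, fixed in match(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {purl} -> upgrade to {fixed}")
```

Matching on the purl type as well as the name matters: an npm `openssl` package and the apk `openssl` library share a name but not advisories. The output of this step is the unfiltered SCA list; reachability analysis is what a platform like Endor Labs layers on top to decide which of these hits are worth a developer's time.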