Files

T

Antigravity Agent 504fd5fb42 [G1-Sync] Manual knowledge update

2026-05-10 22:08:15 +09:00

6.5 KiB

Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack

title

Snyk Checkmarx Endor Labs 등 종합 애플리케이션 보안 플랫폼

매 한 줄

"매 modern AppSec platform 의 SAST + SCA + IaC + secret + container + ASPM 의 unified surface — Snyk, Checkmarx One, Endor Labs, Semgrep AppSec Platform, GitHub Advanced Security 의 dominant". 매 2026 의 differentiator 의 AI auto-fix (Snyk DeepCode AI, Checkmarx AI Fix) + reachability analysis (Endor) + AI-generated code 의 auditing. 매 ASPM (Application Security Posture Management) 의 unification layer.

매 핵심

매 Coverage axes

SAST (Static Analysis): 매 code 의 vuln pattern (SQLi, XSS, command inj).
SCA (Software Composition Analysis): 매 dependency 의 known CVE.
IaC: Terraform / K8s manifest 의 misconfig.
Secret: 매 hardcoded credential.
Container: image layer 의 CVE + base-image guidance.
DAST / API: runtime / API 의 dynamic test.
ASPM: 매 unified posture, 매 prioritization.

매 Vendor landscape (2026)

Snyk: dev-friendly, AI auto-fix (DeepCode), open-source-first.
Checkmarx One: enterprise SAST 의 history, AI Fix, IAST 추가.
Endor Labs: 매 reachability-based SCA — 매 noise 의 dramatic 의 reduce.
Semgrep AppSec Platform: 매 custom rule 의 first.
GitHub Advanced Security (CodeQL + Dependabot + Copilot Autofix): GitHub-native.
Veracode, SonarQube, Wiz Code: 매 niche 의 own.

매 Modern (2026) trends

Reachability: 매 vuln 의 actually called 의 filter (Endor, Semgrep).
AI auto-fix: PR comment 의 fix suggestion → auto-apply.
AI-generated code 의 auditing: 매 Copilot / Cursor 의 output 의 audit gate.
SBOM mandate: 매 EU CRA / US EO 14028 의 compliance.

매 응용

매 CI gate 의 SAST + SCA fail.
PR-level annotation + auto-fix.
ASPM dashboard 의 cross-tool aggregation.
SBOM gen + supply chain attestation (SLSA, in-toto).

💻 패턴

Snyk CLI (CI gate)

# .github/workflows/snyk.yml
name: snyk
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: snyk/actions/setup@master
      - run: snyk test --severity-threshold=high
        env: { SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} }
      - run: snyk code test --severity-threshold=high
      - run: snyk container test myimg:latest
      - run: snyk iac test infra/

Semgrep custom rule

# .semgrep/no-eval.yml
rules:
  - id: no-eval
    pattern: eval(...)
    message: "Avoid eval — code injection risk"
    languages: [javascript, python]
    severity: ERROR

semgrep --config .semgrep/ --config p/owasp-top-ten --error

Endor Labs reachability scan

endorctl init
endorctl scan --dependencies --reachability
# Output: 매 only 의 reachable vuln 의 alert — 매 90%+ noise reduction.

CodeQL custom query

import javascript

from CallExpr c
where c.getCalleeName() = "exec"
  and c.getArgument(0).flowsFrom(any(VarAccess v | v.getVariable().getAName() = "userInput"))
select c, "Possible command injection from user input"

SBOM generation + attestation (Syft + Cosign)

syft myimg:latest -o spdx-json > sbom.spdx.json
cosign attest --predicate sbom.spdx.json --type spdxjson myimg:latest
cosign verify-attestation --type spdxjson --certificate-identity ... myimg:latest

Snyk AI Fix (PR auto-fix)

# 매 PR 의 finding 의 Snyk DeepCode AI 의 fix patch 의 generate
# Snyk dashboard / CLI 의 --fix 의 use
# snyk fix --severity-threshold=high

ASPM aggregation (custom)

import requests
from collections import defaultdict

def fetch(api, token):
    return requests.get(api, headers={"Authorization": f"token {token}"}).json()

snyk = fetch("https://api.snyk.io/v1/org/.../issues", SNYK_TOKEN)
chx = fetch("https://api.checkmarx.net/...", CHX_TOKEN)
endor = fetch("https://api.endorlabs.com/...", ENDOR_TOKEN)

agg = defaultdict(list)
for src, items in [("snyk", snyk), ("chx", chx), ("endor", endor)]:
    for it in items["results"]:
        agg[(it["package"], it["cve"])].append({"src": src, **it})

# 매 prioritize: reachable + critical + exploitable
prioritized = sorted(agg.items(),
    key=lambda kv: (-any(x.get("reachable") for x in kv[1]),
                    -max(x.get("cvss", 0) for x in kv[1])))

Pre-commit secret scan

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks: [{ id: gitleaks }]
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.82.7
    hooks: [{ id: trufflehog, args: [--only-verified] }]

매 결정 기준

필요	Tool
Dev-friendly all-in-one	Snyk
Enterprise SAST + IAST	Checkmarx One
Reachability-prioritized SCA	Endor Labs
Custom rule	Semgrep
GitHub-native	GHAS (CodeQL)
Open / cheap baseline	Trivy + Semgrep + Gitleaks

기본값: Semgrep + Trivy (open) at minimum, 매 commercial pick by org need.

🔗 Graph

부모: Application-Security · DevSecOps
변형: Snyk · Checkmarx · Endor-Labs · Semgrep
응용: ASPM · SBOM · Supply-Chain-Security
Adjacent: Smart-Contract-Auditing · CodeQL · Trivy · Gitleaks

🤖 LLM 활용

언제: finding triage, 매 fix patch suggest, 매 PR comment auto-generate, secure code review. 언제 X: deterministic detection (SAST faster + grounded), zero-day discovery (research).

❌ 안티패턴

No reachability: 매 noise 의 99% — 매 dev fatigue.
Tool sprawl, no ASPM: 매 finding duplicate / conflict.
No CI gate: 매 finding 의 backlog 의 grow.
Secret 의 git history 의 leave: 매 force-push + revoke 의 always.

🧪 검증 / 중복

Verified (Snyk, Checkmarx, Endor Labs docs, Gartner ASPM 2025).
신뢰도 A.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-10	Manual cleanup — full vendor landscape + ASPM patterns

6.5 KiB Raw Blame History