SAN FRANCISCO, Oct. 25, 2023 (GLOBE NEWSWIRE) -- Cycode, makers of the leading Application Security Posture Management (ASPM) platform, today announced the release of Raven, a CI/CD pipeline security scanner. Raven makes hidden risks visible by connecting the dots across vulnerabilities woven throughout the pipeline that when viewed collectively, reveal a much greater risk than when assessed as one-off CVEs. Released as an open source project, Raven boosts the ability of security teams to implement secure software development practices, enabling them to work more strategically with DevOps teams while maturing their organization's ASPM capabilities.
As companies migrate to the cloud, security leaders are seizing the opportunity to "shift security left." In their urgency to implement this paradigm shift, they often overshoot, placing too much responsibility for the company’s application security posture on already-overburdened developers. And, despite the increasing overlap between security and development teams, they continue to work in silos, compounding miscommunications and process breakdowns. Cycode’s mission is to leverage its ASPM platform to make AppSec – and pipeline security in particular – a team sport, and Raven helps to further its vision.
"Similar to Cimon, Raven is another free tool created by the Cycode team to help organizations strengthen their pipeline security and AppSec posture,” said Oreen Livni, Senior Security Researcher at Cycode. “While Cimon also helps secure your CI/CD pipeline, in addition, Raven tells you the story across vulnerabilities and any blind spots. We're working on continuing to contribute unique value to the broader community and are excited to share Raven with the world.”
Introducing Raven
Initially focused on GitHub, Raven scans GitHub workflows and breaks them down into individual components. These components are then inserted into a Neo4j database as distinct types of nodes, with relationships established between them. This allows for effortless scanning and identification of vulnerabilities in workflows.
Raven utilizes a knowledge base built over the course of more than a year of comprehensive research into GitHub Actions by the Cycode research team. Throughout this period, data was gathered from a wide spread of systems, thousands of projects and multiple configurations – an effort that led Cycode to release Raven as an open-source tool to help enhance CI/CD security and support the community.
Raven consists of the following components:
- Downloader: To download workflows and actions necessary for analysis. Workflows can be downloaded for a specified organization or for all repositories, sorted by star count. Performing this step is a prerequisite for analyzing the workflows.
- Indexer: To digest the downloaded data into a graph-based Neo4j database. This process involves establishing relationships between workflows, actions, jobs, steps, etc.
- Query Library: A library of predefined queries based on research conducted by the community.
- Report: Raven has a simple way of reporting suspicious findings. As an example, it can be incorporated into the CI process for pull requests and run there.
Using Raven, Cycode researchers were able to identify and report security vulnerabilities in some of the most popular repositories hosted on GitHub, including, FreeCodeCamp - the most popular project on GitHub, Storybook - one of the top frontend frameworks and Fluent UI by Microsoft.
A deeper dive on Raven can be found on the Cycode blog, here.
Raven is available for download here.
About Cycode
Cycode is a leading Application Security Posture Management (ASPM) platform that scales and standardizes AppSec without slowing down the business. The security first, developer-first platform enables enterprises to deliver software fast without compromising on security. With Cycode’s complete ASPM, security teams can eliminate context switching, amplify visibility, prioritize and eliminate risk to ensure end-to-end code to cloud coverage, leaving no room for attacks to go unnoticed. Backed by tier-one investors Insight Partners and YL Ventures, the series-B company has raised $80M and boasts a number of the top global Fortune 100 customers in the world that are gaining immediate value.
Book a demo of Cycode’s ASPM platform here.
Media Contact:
Liz Safran
Montner Tech PR
lsafran@montner.com