compliance-scanner-agent/docs/reference/glossary.md

# Glossary

A reference of key terms used throughout Certifai.

## Security Terms

**SAST (Static Application Security Testing)**
Analysis of source code to find vulnerabilities without running the application. Certifai uses Semgrep for SAST scanning.

**DAST (Dynamic Application Security Testing)**
Testing a running application by sending crafted requests and analyzing responses. Finds vulnerabilities that only appear at runtime.

**SBOM (Software Bill of Materials)**
A complete inventory of all software components (libraries, packages, frameworks) that your application depends on, including versions and licenses.

**CVE (Common Vulnerabilities and Exposures)**
A standardized identifier for publicly known security vulnerabilities. Each CVE has a unique ID (e.g. CVE-2024-1234) and is tracked in the National Vulnerability Database.

**False Positive**
A finding that is flagged as a vulnerability by a scanner but is not actually a security issue in context. For example, a SQL injection warning on a query that uses parameterized statements correctly.

**Triage**
The process of reviewing a security finding and deciding what to do with it: confirm it as real, mark it as a false positive, or accept the risk and ignore it.

**Fingerprint**
A unique hash generated for each finding based on the scanner, file path, line number, and vulnerability type. Used for deduplication so the same issue is not reported twice.

**Confidence Score**
A value from 0.0 to 1.0 assigned by the AI triage engine, indicating how certain the LLM is about its assessment of a finding.

**CWE (Common Weakness Enumeration)**
A community-developed list of software and hardware weakness types. Findings often reference a CWE ID to categorize the type of vulnerability.

**CVSS (Common Vulnerability Scoring System)**
A standardized framework for rating the severity of security vulnerabilities on a scale of 0.0 to 10.0.

## License Terms

**Copyleft License**
A license that requires derivative works to be distributed under the same license terms. Examples: GPL-2.0, GPL-3.0, AGPL-3.0, LGPL-2.1, LGPL-3.0, MPL-2.0.

**Permissive License**
A license that allows broad freedom to use, modify, and distribute software with minimal restrictions. Examples: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC.

## Standards and Formats

**CycloneDX**
An OWASP standard for SBOM formats. Certifai supports export in CycloneDX 1.5 JSON format.

**SPDX (Software Package Data Exchange)**
A Linux Foundation standard for communicating software bill of materials information. Certifai supports export in SPDX 2.3 format.

## Tools

**Semgrep**
An open-source static analysis tool that finds bugs and enforces code standards using pattern-matching rules. Used by Certifai for SAST scanning.

**Syft**
An open-source tool for generating SBOMs from container images and filesystems. Used by Certifai to extract dependency information.

**Grype**
An open-source vulnerability scanner for container images and filesystems. Used by Certifai to match dependencies against known vulnerabilities.

## Protocols

**MCP (Model Context Protocol)**
An open standard that allows LLM-powered tools to connect to external data sources and call tools. Certifai exposes security data through MCP so AI assistants can query findings, SBOMs, and DAST results.

**PKCE (Proof Key for Code Exchange)**
An extension to the OAuth 2.0 authorization code flow that prevents authorization code interception attacks. Used in Certifai's authentication flow.