compliance-scanner-agent/docs/reference/glossary.md
Sharang Parnerkar c253e4ef5e
docs: rewrite user docs, fix modal scroll, webhook URL, and sccache
Rewrite all public documentation to be user-facing only:
- Remove deployment, configuration, and self-hosting sections
- Add guide pages for SBOM, issues, webhooks & PR reviews
- Add reference pages for glossary and tools/scanners
- Add 12 screenshots from live dashboard
- Explain MCP, LLM triage, false positives, human-in-the-loop

Fix edit repository modal not scrollable (max-height + overflow-y).
Show full webhook URL using window.location.origin instead of path.
Unset RUSTC_WRAPPER in agent cargo commands to avoid sccache errors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-11 14:17:46 +01:00


# Glossary

A reference of key terms used throughout Certifai.

## Security Terms

**SAST (Static Application Security Testing)**  
Analysis of source code to find vulnerabilities without running the application. Certifai uses Semgrep for SAST scanning.

**DAST (Dynamic Application Security Testing)**  
Testing a running application by sending crafted requests and analyzing responses. Finds vulnerabilities that only appear at runtime.

**SBOM (Software Bill of Materials)**  
A complete inventory of all software components (libraries, packages, frameworks) that your application depends on, including versions and licenses.

**CVE (Common Vulnerabilities and Exposures)**  
A standardized identifier for a publicly known security vulnerability. Each CVE has a unique ID of the form CVE-YYYY-NNNN (e.g. CVE-2024-1234), is assigned through the CVE Program (MITRE and its CVE Numbering Authorities), and is enriched with severity and affected-product data in the National Vulnerability Database (NVD).

**False Positive**  
A finding that is flagged as a vulnerability by a scanner but is not actually a security issue in context. For example, a SQL injection warning on a query that uses parameterized statements correctly.

**Triage**  
The process of reviewing a security finding and deciding what to do with it: confirm it as real, mark it as a false positive, or accept the risk and ignore it.

**Fingerprint**  
A hash generated for each finding from the scanner, file path, line number, and vulnerability type. Used for deduplication so the same issue is not reported twice. Because the line number is part of the hash, a finding whose code moves to a different line (for example after lines are inserted above it) gets a new fingerprint and shows up as a new finding.
**Confidence Score**  
A value from 0.0 to 1.0 assigned by the AI triage engine, indicating how certain the LLM is about its assessment of a finding.

**CWE (Common Weakness Enumeration)**  
A community-developed list of software and hardware weakness types. Findings often reference a CWE ID to categorize the type of vulnerability.

**CVSS (Common Vulnerability Scoring System)**  
A standardized framework for rating the severity of a vulnerability on a scale of 0.0 to 10.0. CVSS v3.x maps the score to qualitative ratings: None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9) and Critical (9.0 to 10.0). The base score rates the vulnerability itself, not its impact in your environment, so it is an input to triage rather than a verdict.
## License Terms

**Copyleft License**  
A license that requires derivative works to be distributed under the same license terms. Strong copyleft examples: GPL-2.0, GPL-3.0, AGPL-3.0 (AGPL also applies when the software is offered over a network). Weak copyleft examples: LGPL-2.1, LGPL-3.0, MPL-2.0, where the obligation attaches to the licensed library or files themselves rather than to the program that links or combines them.

**Permissive License**  
A license that allows broad freedom to use, modify, and distribute software with minimal restrictions, usually just attribution and retention of the license notice. Examples: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC.
## Standards and Formats

**CycloneDX**  
An OWASP standard for SBOM formats. Certifai supports export in CycloneDX 1.5 JSON format.

**SPDX (Software Package Data Exchange)**  
A Linux Foundation standard for communicating software bill of materials information. Certifai supports export in SPDX 2.3 format.
## Tools

**Semgrep**  
An open-source static analysis tool that finds bugs and enforces code standards using pattern-matching rules. Used by Certifai for SAST scanning.

**Syft**  
An open-source tool for generating SBOMs from container images and filesystems. Used by Certifai to extract dependency information.

**Grype**  
An open-source vulnerability scanner for container images and filesystems. Used by Certifai to match dependencies against known vulnerabilities.
## Protocols

**MCP (Model Context Protocol)**  
An open standard that allows LLM-powered tools to connect to external data sources and call tools. Certifai exposes security data through MCP so AI assistants can query findings, SBOMs, and DAST results.

**PKCE (Proof Key for Code Exchange)**  
An extension to the OAuth 2.0 authorization code flow that prevents authorization code interception attacks. The client sends a hash of a random secret (the code challenge) with the authorization request and the secret itself (the code verifier) with the token request, so an authorization code stolen in transit cannot be redeemed without the verifier. Used in Certifai's authentication flow.