Cygives: Cycode’s New Developer Initiative

user profile
Sr. Product Marketing Manager

Cycode is excited to announce Cygives, a new initiative that gives developers a comprehensive set of free, open source security solutions to help deliver safe code faster. 

Malicious code-led compromises continue to plague headlines. Take the recent XZ backdoor software supply chain exploit, for example. If undetected, exploits like XZ have far-reaching, nation-state implications. AppSec teams are under increasing pressure to protect their software applications from threats like these, while also managing operational obstacles such as tool sprawl, alert fatigue, and compliance mandates. In fact, the Cycode State of ASPM Report 2024 revealed that only 29% of AppSec teams feel equipped to manage current threats.

To help ease the pain of an ever-expanding attack surface, Cycode is pleased to reaffirm our commitment to developer-first security with our open source projects through Cygives.

Cygives’ Commitment to Developer-First Security

Cygives provides free and open source tools that are robust and innovative. Cygives is more than just a toolkit. It’s a collaborative community that invites developers from all backgrounds to engage, enhance, and evolve their practices to meet modern security challenges head-on. By leveraging the collective expertise of the global development community, Cygives democratizes software security, making it easy for developers everywhere to integrate security features within their organizations. 

Our ongoing commitment to code-to-cloud security means supporting our community of 180,000 developers. Developers now have free access to industry-leading, open source solutions like Bearer SAST, Raven, and Cimon. These tools streamline secure both code and CI/CD pipelines by providing unparalleled visibility and remediation capabilities. 

Join Cycode as we build safer software, one line of code at a time.

Bearer SAST

Bearer CLI is a Static Application Security Testing (SAST) tool that scans your source code and analyzes your data flows to discover, filter, and prioritize security and privacy risks. Bearer CLI is an open source scanner that finds and fixes security risks and vulnerabilities in your code. 

SAST tools are infamous for burying security teams and developers under hundreds of alerts with little context and no prioritization. Security analysts often must triage all these issues manually.

Bearer takes a different approach. The most vulnerable asset today is sensitive data, so we start there to prioritize findings by assessing sensitive data flows. In this way, we highlight what is critical, and what is not. We believe that by linking security issues with business impact and risk of a data breach or data leak, we can build better and more robust software at no cost.

By being free and open, extendable by design, and built with a great developer UX in mind, Bearer gives developers and security professionals an unparalleled experience.

Raven

Raven is our cutting-edge CI/CD Pipeline Security Scanner. Raven, which stands for Risk Analysis and Vulnerability Enumeration for CI/CD Pipeline Security, is an open source project on GitHub, that focuses on GitHub Actions

GitHub Actions have become an integral part of CI/CD, automating everything from code testing to deployment. The widespread adoption of GitHub Actions brings a heightened risk of vulnerabilities, making its security more critical than ever. 

This is where Raven comes in. Raven scans GitHub workflows and breaks them down into individual components. These components are then inserted into a Neo4j database as distinct types of nodes, with relationships established between them. This allows for effortless scanning and identification of vulnerabilities in workflows.

Raven uses an extensive knowledge base of comprehensive research into GitHub Actions built by the Cycode research team. The Cycode research team gathered data from a wide range of systems, thousands of projects, and multiple configurations to deliver unparalleled visibility into GitHub actions.

Cycode is committed to enhancing security in CI/CD pipelines. Our dedication to making pipelines more secure and resilient is at the core of our mission and the reason we developed Raven.

Cimon

Short for CI Monitor and pronounced “Simon,” Cimon is a cutting-edge runtime security agent designed to safeguard your CI/CD pipelines against sophisticated cyberattacks. It leverages eBPF technology to monitor and mitigate attacks within the Linux kernel, providing real-time protection and preventing unauthorized access to your valuable assets.

Cimon prevents attackers from performing malicious actions. By monitoring and mitigating attacks at the kernel level, Cimon ensures that even if your build environment is compromised, attackers cannot exfiltrate or tamper with your sensitive data. Cimon does this by dividing tasks into two phases: 

  • Learning – Cimon analyzes the behavior of your CI pipeline to understand its normal operations. 
  • Prevention – Cimon creates a preventive security policy based on the learned data and applies it to your pipeline. By monitoring and controlling process execution, network access, and file access, Cimon detects breaches, identifies compromised pipeline runners, and takes remedial measures.

With easy onboarding and a developer-friendly experience, Cimon detects, prevents, and responds to software supply chain threats. It is an essential tool for modern software development teams who want to protect their pipelines.

Learn More About Cycode and Cygives

Cycode is excited to support our community with Cimon, Raven, and Bearer CLI. We believe these security solutions help organizations deliver safe code faster. 

We are also the leading Application Security Posture Management (ASPM) and Software Supply Chain Security platform, providing peace of mind to our customers. Our complete ASPM platform scales and standardizes developer security without slowing down the business, delivering safe code, faster. Cycode delivers cyber resiliency through unmatched visibility, risk-driven prioritization and just-in-time remediation of code vulnerabilities at scale. Cycode’s Risk Intelligence Graph (RIG), the brain behind the platform, provides traceability across the entire SDLC through natural language. As a purpose-built platform for developer security, Cycode delivers visibility, prioritization, and remediation of vulnerabilities across the entire SDLC.

To learn more about Cycode’s free and open security solutions for developers, visit Cygives now.

Originally published: April 30, 2024