@cx-atish-jadhav
Contributor

@cx-atish-jadhav cx-atish-jadhav commented Dec 3, 2025

Summary

  • Adds end-to-end support for all realtime scanners: OSS, Secrets, Containers, and IaC.
  • Introduces a unified realtime scan wrapper to reduce duplication and standardize execution.
  • Provides resilient JSON parsing and normalized models across scanners.
  • Adds configuration hooks and minor logging improvements for cleaner realtime output.

References

Testing

Automated

  • Unit tests:
    • Validate JSON parsing, error handling, and model normalization for OSS, Secrets, Containers, and IaC scanners.
    • Cover edge cases such as blank lines, malformed JSON, missing keys, and null/empty arrays.
  • Integration tests (assumption-guarded):
    • Execute CLI-backed realtime scans for representative inputs and assert non-null, well-formed results.
    • Verify scan consistency by running multiple times on the same source.
    • Validate ignore-list behavior (where applicable) produces stable or reduced result sets.

Manual

  • Prerequisites: Configure PATH_TO_EXECUTABLE for the Checkmarx CLI and ensure environment access as needed.
  • OSS:
    • Run a realtime scan on a dependency manifest (e.g., Maven/Node/Python format).
    • Verify packages are returned with expected fields; optionally re-run with an ignore file and confirm filtered output.
  • Secrets:
    • Run a realtime scan on a known file with and without embedded credentials.
    • Verify findings on vulnerable files and low/no findings on clean files.
  • Containers:
    • Run a realtime scan on a Dockerfile or image reference.
    • Verify images and any associated vulnerabilities appear as expected.
  • IaC:
    • Run a realtime scan on IaC source (e.g., Terraform/Kubernetes manifests).
    • Confirm issues are surfaced with locations and metadata.

Not covered / notes

  • Integration tests are assumption-guarded and will skip where the CLI or environment isn’t available.

Expected outcomes

  • All new unit tests pass locally and in CI.
  • Existing tests continue to pass without regressions.
  • Realtime scans return structured, non-null results and behave consistently across repeated runs.
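As an added illustration of the resilient parsing and normalization this PR describes (blank lines, malformed JSON, missing keys, null/empty arrays), here is example code that is not part of the PR or the project; the `results`/`location`/`title`/`severity` field names, the `Finding` model and the sample output are constructed assumptions, not the Checkmarx CLI's real output schema.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:  # normalized model shared by all scanners (assumed shape, not the CLI's)
    scanner: str
    path: str
    line: int
    title: str
    severity: str

def _as_list(value):
    return value if isinstance(value, list) else []  # null/missing/non-list -> []

def parse_json_objects(raw):
    # Try the payload as one JSON document; if that fails, fall back to one object per line, skipping blank lines and recording malformed ones instead of raising.
    try:
        doc = json.loads(raw)
        docs = [doc] if isinstance(doc, dict) else _as_list(doc)
        return [d for d in docs if isinstance(d, dict)], []
    except json.JSONDecodeError:
        objects, errors = [], []
    for n, line in enumerate(raw.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append(f"line {n}: {exc.msg}")
            continue
        if isinstance(obj, dict):
            objects.append(obj)
    return objects, errors

def normalize(scanner, obj):
    # Map raw result items onto Finding, defaulting every missing or null key.
    out = []
    for item in (i for i in _as_list(obj.get("results")) if isinstance(i, dict)):
        loc = item.get("location") or {}
        out.append(Finding(scanner, str(loc.get("file") or "<unknown>"), int(loc.get("line") or 0),
                           str(item.get("title") or "untitled"), str(item.get("severity") or "unknown").upper()))
    return out

def parse_realtime_output(scanner, raw):
    objects, errors = parse_json_objects(raw)
    return [f for obj in objects for f in normalize(scanner, obj)], errors

# Constructed sample: blank line, good object, malformed line, null array, missing keys.
SAMPLE_OUTPUT = "\n".join(["", '{"results": [{"title": "AWS key", "severity": "high", "location": {"file": "cfg.env", "line": 3}}]}',
    "not json at all", '{"results": null}', '{"results": [{"title": "Token", "location": {}}]}'])
```

Calling `parse_realtime_output("secrets", SAMPLE_OUTPUT)` yields two normalized findings plus one recorded parse error for the malformed line, rather than an exception that would abort the whole scan.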

@cx-ben-alvo
Collaborator

Checkmarx One – Scan Summary & Details
f9b6d1b9-1ccc-46a4-b51a-2144a330fe48

Great job! No new security vulnerabilities introduced in this pull request


Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR
