Comprehensive Features
Flyingduck offers a wide range of features to help organizations secure their codebase, manage vulnerabilities, and maintain compliance. Below is a detailed overview of the key features available in Flyingduck.
It offers policy controls and automation to enforce security best practices across the software development lifecycle (SDLC), and allows security teams to maintain a strong security posture by continuously monitoring code, cloud environments, and CI/CD pipelines for vulnerabilities and misconfigurations.
Inventory
Browse all repositories and pipelines from multiple VCS providers (GitHub, Bitbucket, Azure DevOps and GitLab), together with their associated findings, across organizations or projects in an intuitive interface.
Code Security
SBOM, SCA, secrets detection, SAST and AI-powered business logic issue detection are available to secure your codebase.
SBOM (Software Bill of Materials)
| Feature | Description |
|---|---|
| Open Source Package Inventory | Maintain a complete inventory of all open-source packages used across projects. |
| Commit-Level Dependency Tree | Display complete dependency tree for every commit showing parent and child package relationships with associated vulnerabilities. |
| Multi-Project Dependency Discovery | Whether the repository is a microservice or a monolith with a custom project structure, the scan agent discovers dependencies across multi-language repositories and groups the issues by subproject. |
| Dependency Tree View | Visualize package relationships including direct and transitive dependencies. |
| Direct vs Transitive Classification | Differentiate between direct and transitive dependencies for better analysis. |
| SBOM Export | Export SBOMs in standard formats such as SPDX, CycloneDX, and JSON for compliance and analysis. |
SCA (Software Composition Analysis)
| Feature | Description |
|---|---|
| CVE Detection | Identify known vulnerabilities associated with open-source packages and their transitive dependencies. |
| Reachability Analysis | Determine whether vulnerable code paths are actually reachable in the application. Currently supported for Python. |
| Custom Scoring | Flyingduck assigns a custom risk score to each vulnerability based on multiple factors such as severity, exploitability, public exploit availability, and KEV and threat correlation, to help prioritize remediation efforts. This lets developers and security teams focus on the most critical issues. |
| Vulnerability Funnel View | The funnel view lets you navigate to the fixable issues by filtering out the non-exploitable and non-fixable ones, so that the critical issues that need immediate attention stand out. |
| Vulnerability Details | Provide comprehensive information for each vulnerability including description, severity, CVSS score, affected versions, and remediation guidance. |
| Smart Remediation Guidance | Recommend optimal upgrade paths based on risk and compatibility. Optimizes the developer's time by offering flexible fix options together with the effort required for any breaking changes. |
Secrets Management
| Feature | Description |
|---|---|
| Secrets Detection | Detect over 150 types of hardcoded secrets in source code. |
| Active Secret Validation | Identify whether detected secrets are valid and pose real risk. |
| Secret Ignore Management | Allow developers to ignore secrets by file, line, or secret type. |
| Secret Audit Trail | Enable security teams to review and audit ignored secrets. |
SAST (Static Application Security Testing)
| Feature | Description |
|---|---|
| Static Application Security Testing | Detect security vulnerabilities directly from source code. |
| AI-Powered Remediation | Generate AI-based fix suggestions for identified vulnerabilities. |
| On-Prem Code Scanning | Perform source code scans within on-premise environments without uploading code. |
Business Logic Issues
Identify potential business logic flaws in the application code that could lead to security vulnerabilities or unintended behaviors. Our AI-powered analysis examines the codebase to detect patterns and scenarios that may indicate business logic issues, helping organizations enhance the overall security and reliability of their applications.
| Feature | Description |
|---|---|
| Business Logic Issue Detection | Identify potential business logic flaws in the application code. Potential security flaws such as OTP bypass, transaction manipulation, unauthorized access, etc. are difficult to detect using traditional methods. Flyingduck uses AI-powered analysis to identify such issues. |
| AI-Powered Analysis | Leverage advanced AI techniques to analyze code patterns and identify business logic vulnerabilities. |
Commit Security
| Feature | Description |
|---|---|
| Commit-Level Security Scanning | Scan every commit for secrets, open-source and code vulnerabilities. |
| Branch-Aware Risk Analysis | Differentiate security issues between production and non-production branches. |
| Commit History Tracking | Compare commits across branches to track issue history, resolved vulnerabilities, and newly introduced risks. |
| Issue Status Tracking | View pending, resolved, and ignored issues in each commit with detailed status information. |
| Categorized Issue View | Display comprehensive view of all security issues organized by category including SCA, secrets, and SAST. |
| Commit SBOM Visualization | View dependency tree and associated vulnerabilities for each commit with complete SBOM details. |
| Commit Metadata View | Display key metadata for each commit including repository, branch, author, timestamp, and scan status. |
| Commit Exports | Export commit-level security findings as PDF summary reports, Excel findings, and industry-standard SBOM files for remediation, analysis, and compliance. |
Flexible options to scan the code
Fits organizational needs by providing multiple options to run the scans.
| Feature | Description |
|---|---|
| Scheduled Scans | Run automated security scans based on configured schedules across repositories and applications. |
| On-Demand Branch Scan | Trigger manual security scans on any specified branch to analyze SBOM, SCA, Secrets, and SAST at any time. |
| Scan in Workflows | Configure the scan agent in CI workflows on GitHub or any other supported VCS. |
| CI/CD Tools | Configure the scan agent in CI/CD tools such as Jenkins or cloud-native CI solutions such as AWS CodePipeline. |
Global SBOM
Generate and maintain a centralized Software Bill of Materials (SBOM) for all projects across the organization. This feature provides a holistic view of all open-source packages, their versions, and associated vulnerabilities, enabling better risk management and compliance.
| Feature | Description |
|---|---|
| Global SBOM Inventory | View comprehensive organization-wide inventory of all packages, versions, and their associated vulnerabilities across all repositories. |
| Global Package Search | Got a vulnerable package? Search for its usage across the entire organization with an easy interface and find the associated vulnerabilities across branches. |
| Reports | Generate Global SBOM reports by ecosystem. |
Global Issues
Security teams can maintain a centralized inventory of all security issues across repositories, stages, and environments for effective triage and remediation. It also helps track issue trends and the issues resolved by development teams.
| Feature | Description |
|---|---|
| Global Issues | Maintain a centralized inventory of all security issues across repositories, stages, and environments for effective triage and remediation. |
| Auditing | Ignore issues that are not relevant and continuously audit the ignored issues. |
| Resolved Issues | Quickly see how many issues have been resolved by the development teams. |
Supply Chain Security
Reduce supply chain security risk by identifying and managing transitive dependencies, development dependencies, and workflow dependencies across projects.
| Feature | Description |
|---|---|
| Transitive Dependency Detection | Identify and track nested dependencies introduced by direct packages. |
| Dev Dependency Inventory | Track dependencies used only during development, build, and testing phases. |
| Workflow Dependency Detection | Detect dependencies used in CI/CD workflow configuration files (limited support). |
Security Advisor
Helps developers and security teams choose the right open-source packages by providing detailed insights into package health, vulnerabilities, and risk factors before introducing them into the codebase.
| Feature | Description |
|---|---|
| Open-Source Package Explorer | Search and evaluate packages before introducing them into the codebase. |
| Transitive Risk Analysis | Analyze vulnerabilities and risks introduced by transitive dependencies. |
| Version Vulnerability Comparison | Compare package versions based on vulnerability exposure. |
| Release History Insights | View package release history and change logs. |
| Central CVE Database | Access a centralized repository of CVEs and known vulnerabilities. |
Integrations
Supports popular integrations to streamline security workflows and enhance visibility across development and operations tools.
| Feature | Description |
|---|---|
| Source Code Integrations | Integrate with GitHub, GitLab, Bitbucket, Azure DevOps, and Gitea (cloud and on-prem) to continuously scan repositories for vulnerabilities, secrets, and code issues. |
| Cloud Integrations | Connect cloud accounts to inventory assets and detect misconfigurations and security risks across cloud services. |
| AWS Integration & Cloud Scanning | Integrate AWS accounts to automatically inventory cloud assets and continuously scan services for misconfigurations and security risks. |
| Notification Integrations | Integrate with Jira and Slack to receive alerts, create issues, and streamline vulnerability triage and collaboration workflows. |
| Docker Registry Integrations | Integrate container registries such as AWS ECR to scan Docker images for vulnerabilities and misconfigurations. |
Jira Automation
Triage security issues by creating Jira tickets automatically from predefined templates and workflows. Either create tickets manually or enable workflows that create tickets automatically for newly identified issues, based on repository, issue type, or severity level.
| Feature | Description |
|---|---|
| Jira Automation | Automate Jira ticket creation using templates and workflows to ensure consistent issue tracking, reduce manual effort, and streamline security remediation. |
| Flexible Configuration | Customize Jira ticket fields, priorities, and assignees based on issue severity and type. |
| Customization | Tailor Jira ticket templates to align with organizational processes and requirements. |
Audit & Compliance
Provides tools and features to help organizations maintain compliance with security policies and standards, and to audit security configurations and changes. Continuously monitors and tracks security posture across repositories and cloud environments, allowing security teams to identify gaps, enforce best practices, and prevent developers from bypassing security checks.
| Feature | Description |
|---|---|
| Issue Progress Tracking | Track monthly trends of opened and resolved security issues. |
| Version Control Guardrails | Detect misconfigurations in version control systems and suggest remediations. |
| Organization & Repo Auditing | Audit repository and organization-level configuration changes. |
| Application Tagging | Classify repositories and services into logical applications. |
| SDLC Security Posture | Provides a stage-wise security posture view across feature development, release cycles, and production to prioritize risks and improve remediation efficiency. |
Developer Productivity
Improve developer productivity by integrating security scans into their existing workflows and providing timely feedback on security issues.
| Feature | Description |
|---|---|
| Pre-commit Support | Developers can run pre-commit security scans locally before committing code, catching issues early. |
| Real-Time Developer Notifications | Notifications are sent to developers as soon as new issues are found in their commits. |
Reports
Enhance security awareness and response by delivering timely notifications and comprehensive reports to relevant stakeholders.
| Feature | Description |
|---|---|
| Vulnerability Alerts | Send email notifications when vulnerabilities or secrets are detected. |
| Scheduled Security Reports | Generate periodic security and compliance reports. |
| Escalation Notifications | Escalate critical issues to security teams and project managers. |
| Summary Report | Generate an executive summary of SDLC security posture and overall risk status. |
| Global SBOM | Export a centralized inventory of all software libraries and dependencies across the organization. |
| Global Issues Report | View and export all security issues identified across the entire organization. |
| Commit Report | Generate findings and SBOM reports for individual commits. |
| Integration Report | Export an overview of configured integrations and their security status. |
| Repository Report | Generate branch-level security issue reports for individual repositories. |
CSPM (Cloud Security Posture Management)
Secure cloud environments by continuously monitoring cloud assets, detecting misconfigurations, and enforcing security best practices.
Currently supports AWS.
| Feature | Description |
|---|---|
| Cloud Asset Inventory | Maintain an inventory of all assets across cloud providers. |
| Cloud Guardrails & Remediation | Detect and remediate misconfigurations in cloud services. |
| Custom Cloud Rules | Define custom rules to identify organization-specific misconfigurations. |
Pipeline Security
Audit and enforce security policies in CI/CD pipelines to prevent insecure code from being promoted to production. Identify risky pull requests and missing approvals, and enforce policies in workflows. Lets you control whether developers can override security checks.
| Feature | Description |
|---|---|
| Pull Request Scans | Scan pull requests in real time, show findings and remediation inline, and prevent insecure code from being merged through cloud integrations. |
| Pull Request Monitoring | Provide a centralized view of all pull requests with security status, risk details, approvals, scan progress, and merge outcomes to ensure secure code promotion. |
| Missing Approval Detection | Identify pull requests merged without required code reviews. |
| Policy Enforcement | Enforce workflow and environment transition policies in CI/CD pipelines. |
Infrastructure as Code
Write Infrastructure as Code (IaC) securely by detecting vulnerabilities and misconfigurations in IaC templates before deployment. IaC security scanning currently supports Terraform and CloudFormation.
| Feature | Description |
|---|---|
| Terraform Security Scanning | Detect vulnerabilities and misconfigurations in Terraform templates. |
| CloudFormation Security Scanning | Scan CloudFormation templates for security risks. |
Roadmap
Flyingduck is continuously evolving with new features and enhancements. Stay tuned for upcoming features to further strengthen your security posture.
Deprecated Packages Detection
Identify and manage deprecated or end-of-life open-source packages to reduce security risks associated with unmaintained software components.
External SBOM Import
Import SBOMs generated from external tools to consolidate and manage software bill of materials across the organization.
License Compliance
Identify and manage open-source license compliance risks by analyzing package licenses and usage.
Application Views
Provide a unified view of application risk across code, cloud, and runtime for better risk management.
Looking for a custom feature? Talk to us!