
Cycode

Sold by: Cycode
Deployed on AWS
Cycode is a complete software supply chain security solution that provides visibility, security, and integrity across all phases of the SDLC.
Rating: 3.9

    Overview

According to Gartner, software supply chain attacks will increase threefold by 2025, to the point that 45% of organizations will experience one. Why? Because attackers are shifting their focus from well-fortified production applications to the DevOps tools and infrastructure that build them. This is now the path of least resistance: there are many attack vectors to choose from; once in, an attacker can compromise the whole SDLC because DevOps is interconnected and automated; and organizations simply do not have adequate security controls in place.

    Cycode is a complete software supply chain security solution that provides visibility, security, and integrity across all phases of the SDLC. Cycode integrates with DevOps tools and infrastructure providers, hardens their security postures by implementing consistent governance, and reduces the risk of breaches with a series of scanning engines that look for issues like hardcoded secrets, infrastructure as code misconfigurations, code leaks and more. Cycode's knowledge graph tracks code integrity, user activity, and events across the SDLC to prioritize risk, find anomalies, and prevent code tampering.
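The description above says the platform scans for hardcoded secrets, but not what such a scan actually does at pull-request time. The following is an added example, written for this page and not Cycode's own code or rule set, of the core of a PR-time secret check: it walks a unified diff, scans only the lines the change adds, combines format-specific patterns (AWS key IDs, GitHub tokens, private-key headers) with a keyword-plus-entropy heuristic for generic assignments, redacts what it finds so the report itself does not leak the credential, and decides whether the merge should be blocked. The diff, the rule names, the 3.5-bit entropy threshold and the sample values (the AWS documentation example keys) are all constructed for the example.

```python
import math
import re
from dataclasses import dataclass

# Detection rules (constructed for this example; not Cycode's rule set).
# Each entry is (rule name, compiled regex). Group 1, where present, is the
# credential value itself; otherwise the whole match is the credential.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # Keyword assignment such as DB_PASSWORD = "..."; the value is group 1.
    ("generic_assignment", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[a-z0-9_]*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
HIGH_ENTROPY_BITS = 3.5  # assumed threshold: above this a generic value is treated as a real credential

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line_no: int      # line number in the new version of the file
    rule: str
    severity: str     # "high" or "low"
    redacted: str     # masked credential, safe to put in a PR comment


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score well above English words."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep a short prefix so a developer can locate the value; mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_line(path: str, line_no: int, text: str) -> list:
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "generic_assignment":
                severity = "high" if shannon_entropy(value) >= HIGH_ENTROPY_BITS else "low"
            else:
                severity = "high"  # format-specific rules are high-confidence
            findings.append(Finding(path, line_no, rule, severity, redact(value)))
    return findings


def scan_added_lines(diff_text: str) -> list:
    """Scan only lines a pull request adds, the way a PR-time check would.

    Removed ('-') and unchanged context lines are not reported: a secret that
    was already in the repository is a separate problem from this change.
    """
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("--- ") or raw.startswith("diff ") or raw.startswith("\\"):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            findings.extend(scan_line(path, new_line, raw[1:]))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1
        # '-' lines exist only in the old file: do not advance the new-file counter
    return findings


def should_block(findings: list) -> bool:
    """Merge gate: fail the check on any high-severity finding."""
    return any(f.severity == "high" for f in findings)


# Constructed sample diff; the key values are the AWS documentation example keys.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,3 +10,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "password"
-GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
 ALLOWED_HOSTS = ["example.com"]
"""

if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no} [{f.severity}] {f.rule} -> {f.redacted}")
    print("block merge:", should_block(scan_added_lines(SAMPLE_DIFF)))
```

Two design points matter in practice. Scanning only added lines keeps the PR check fast and keeps blame with the change that introduced the secret; the removed `ghp_` token in the sample is deliberately not reported, and a separate full-history scan should own it. Separating high-confidence format rules from the keyword heuristic is what keeps a `DB_PASSWORD = "password"` placeholder from blocking a merge while a real-looking high-entropy value does.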

For custom pricing, EULA, or a private contract, please contact AWS-Marketplace@cycode.com.

    Highlights

    • Establish effective pipeline security & governance to harden your DevOps tooling against attack
    • Implement comprehensive protection against attack vectors like hardcoded secrets, code leakage, and code tampering
    • Obtain unparalleled visibility & context by correlating data across the tools and phases of the SDLC

    Details

Sold by: Cycode
Delivery method: Software as a Service (SaaS)
Deployed on AWS


    Pricing

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator  to estimate your infrastructure costs.

12-month contract (1)

Dimension: Cycode Platform
Description: per monitored developer (annual contract)
Cost/12 months: $360.00

    Vendor refund policy

    Refund policy: see terms and conditions in EULA.


    Legal

    Vendor terms and conditions

Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

Product support available during US & Israeli business hours (Sunday 05:00 UTC through Saturday 01:00 UTC). Customer support, self-service documentation portal, and community forum available 24x7. Web support: https://support.cycode.com. Email support: support@cycode.com

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

Product comparison (updated weekly): Cycode; Checkmarx; BlueFlag Security

Accolades

Top 100 in Infrastructure as Code
Top 10 in Testing
Top 10 in Source Control

Customer reviews

Sentiment is AI generated from actual customer reviews on AWS and G2. For Functionality, Ease of use, Customer service and Cost effectiveness the page reports "Insufficient data" in every cell (one row of 3 reviews, one row of 0 reviews); no positive, mixed or negative breakdown is available.

Overview

AI generated from product descriptions

• Secret Detection and Prevention: Scanning engine that identifies and detects hardcoded secrets within code repositories and development environments
• Infrastructure as Code Security: Scanning capability to identify misconfigurations in infrastructure as code templates and configurations
• Code Integrity Tracking: Knowledge graph system that tracks code integrity, user activity, and events across the software development lifecycle to detect anomalies and prevent code tampering
• DevOps Tool Integration: Integration with DevOps tools and infrastructure providers to implement consistent governance and security controls across the development pipeline
• Supply Chain Visibility: Correlation and aggregation of security data across multiple tools and phases of the software development lifecycle to provide unified visibility and risk prioritization
• Static Application Security Testing: Identifies vulnerabilities and weaknesses in custom code with support for 25+ languages and frameworks, scanning uncompiled code and re-scanning only new or modified code
• Software Composition Analysis: Identifies and prioritizes open source vulnerabilities, takes inventory of open source components and dependencies, and evaluates risks of open source licenses
• Infrastructure as Code Analysis: Detects security misconfigurations in IaC templates using KICS to prevent errors such as open storage buckets, insecure databases, and excessive privileges
• Real-time IDE Security Scanning: Provides real-time vulnerability detection during IDE development for both human-generated and AI-generated code, identifying vulnerabilities, unmasked secrets, vulnerable container images, and malicious open source packages
• Agentic-AI Remediation: Generates remediation suggestions using AI agents that access proprietary databases and customized AI models to provide context-aware code fixes with interactive refinement capabilities
• Identity Security Management: AI/ML-powered Identity Intelligence framework for detecting and mitigating risks associated with human and machine developer identities, including excessive permissions, identity hygiene, and risky account behavior
• Developer Tool Posture Management: Continuous monitoring and validation of developer tools with detection of misconfigurations and alignment with CI/CD best practices
• Open-Source Software Vulnerability Scanning: Continuous scanning of application code to identify and prioritize critical open-source vulnerabilities for remediation
• Supply Chain Attack Prevention: Multi-layered defense platform integrating identity security, open-source software risk management, and developer tool posture management across the software development lifecycle
• Secret Detection and Exposure: Capability to unmask and identify hidden secrets within code repositories and development environments
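The feature list names the three IaC defect classes the product's KICS-based engine targets: open storage buckets, insecure databases and excessive privileges. The following is an added example, written for this page and not Cycode's code or a KICS query set, showing what those checks look like as code against a CloudFormation template in JSON form: a public S3 ACL or a missing public-access block, an RDS instance that is internet-reachable or unencrypted, and an IAM statement that allows every action on every resource. The rule names, severities and the sample template are all constructed for the example.

```python
import json
from dataclasses import dataclass

# Rules are constructed for this example; they are not KICS queries or Cycode's
# policy set, though they cover the same classes of misconfiguration.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                            "IgnorePublicAcls", "RestrictPublicBuckets")


@dataclass
class Finding:
    resource: str   # logical resource name in the template
    rule: str
    severity: str   # "high" or "medium"
    message: str


def _as_list(value):
    """CloudFormation allows a scalar or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_s3_bucket(name, props):
    findings = []
    if props.get("AccessControl", "Private") in PUBLIC_ACLS:
        findings.append(Finding(name, "s3_public_acl", "high",
                                f"AccessControl {props['AccessControl']} exposes the bucket"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS):
        findings.append(Finding(name, "s3_no_public_access_block", "medium",
                                "PublicAccessBlockConfiguration does not block all public access"))
    return findings


def check_rds_instance(name, props):
    findings = []
    if props.get("PubliclyAccessible") is True:
        findings.append(Finding(name, "rds_publicly_accessible", "high",
                                "database endpoint is reachable from the internet"))
    if props.get("StorageEncrypted") is not True:
        findings.append(Finding(name, "rds_storage_unencrypted", "medium",
                                "StorageEncrypted is not true"))
    return findings


def check_policy_document(name, doc):
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            findings.append(Finding(name, "iam_wildcard_allow", "high",
                                    'Allow with Action "*" on Resource "*"'))
    return findings


def check_iam_resource(name, props):
    findings = []
    if "PolicyDocument" in props:                 # AWS::IAM::Policy / ManagedPolicy
        findings += check_policy_document(name, props["PolicyDocument"])
    for inline in props.get("Policies", []):      # inline policies on Role/User/Group
        findings += check_policy_document(name, inline.get("PolicyDocument", {}))
    return findings


CHECKS = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::RDS::DBInstance": check_rds_instance,
    "AWS::IAM::Role": check_iam_resource,
    "AWS::IAM::User": check_iam_resource,
    "AWS::IAM::Group": check_iam_resource,
    "AWS::IAM::Policy": check_iam_resource,
    "AWS::IAM::ManagedPolicy": check_iam_resource,
}


def scan_template(template_json: str) -> list:
    """Run every applicable check over the Resources of a CloudFormation template."""
    template = json.loads(template_json)
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings += check(name, res.get("Properties", {}))
    return findings


# Constructed sample: one bad and one safe bucket, an exposed database, an
# over-privileged role and a scoped policy that should produce no finding.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead"}},
    "PrivateBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}}},
    "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "postgres", "PubliclyAccessible": True, "StorageEncrypted": False}},
    "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "all", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "ReadOnlyPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-bucket/*"}]}}},
}})

if __name__ == "__main__":
    for f in scan_template(SAMPLE_TEMPLATE):
        print(f"{f.resource}: [{f.severity}] {f.rule} - {f.message}")
```

The checks are deliberately default-pessimistic: an absent `PublicAccessBlockConfiguration` or `StorageEncrypted` counts as a finding, because in IaC the dangerous case is usually the property that was never set rather than one set wrong. Scalar-or-list normalisation in `_as_list` is what stops `"Action": "*"` from slipping past a check that only looked inside lists.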

Contract

Standard contract: No

Customer reviews

Ratings and reviews

3.9 out of 5 (5 ratings)
5 star: 0%
4 star: 100%
3 star: 0%
2 star: 0%
1 star: 0%
0 AWS reviews | 5 external reviews
External reviews are from G2 and PeerSpot.
    reviewer2856027

    Unified code security has reduced pipeline time and now streamlines vulnerability remediation

    Reviewed on Jun 13, 2026
    Review provided by PeerSpot

    What is our primary use case?

I use Cycode for SAST scanning, Infrastructure as Code, and secret scanning, with a current proof of concept underway for containers.

Cycode scans all items when code is pushed into the Git repository, including secrets in that repository or in pull requests. This allows visibility into whether any secret tokens, email IDs, or data that should not be present are included before production deployment. The recommendation is to use vaults to save token secrets for application use. If someone has not adhered to this practice or accidentally used a token during development and forgot to change it before production, Cycode helps catch these violations. In the event of a code leak or cyber attack where code is exploited by vulnerabilities, tokens and secret information are not lost and cannot be further used to elevate application privileges.

    Cycode results are integrated into the homegrown ASPM solution called Scout by using its APIs. Cycode has a valuable feature called risk intelligence that informs when there is a leak regardless of its source and provides a list of affected repositories. This helps in taking action and preparing an action plan. It becomes easier to resolve issues when the exact repositories are identified, and if a package is found vulnerable, it is possible to check which applications are using it. Cycode provides that repository information, so affected repository owners can be contacted to resolve issues, thus protecting against attacks or allowing countermeasures to be taken against tokens.

    What is most valuable?

Cycode has an extensive vulnerability list, great AI that helps obtain vulnerability resolution, and risk intelligence features. Additionally, Cycode has seamless integration with GitHub, which saves time in the pipeline. Other tools like Checkmarx require integration into the pipeline, which takes additional time. Cycode reduces pipeline time and saves development time. The developer community in the organization is happy with Cycode, specifically with the GitHub integration feature.

    Cycode's AI helps with vulnerability resolution because, while other tools have AI for resolving vulnerabilities, the key difference is that Cycode has access to GitHub and can actually read the code to give more appropriate answers. It analyzes the code instead of just small snippets like other tools do. While it does not work one hundred percent of the time, it works most of the time, helping developers fix code quickly and providing examples of how to mitigate risk. For instance, if there is an SQL injection vulnerability, Cycode suggests sanitizing it beforehand. If the developer has not done it already, Cycode will analyze it and recommend how to fix the code, providing specific lines of code or a snippet on how it should look.

Cycode has positively impacted the organization by saving time in the pipeline and providing one platform for secret scanning, SAST, and Infrastructure as Code facilities. Cycode has a great ASPM solution feature that gives a dashboard and informs about vulnerabilities or risks in the application. Most notably, it has streamlined the experience for those waiting for pipeline results. After getting the result, developers see it in one tool and can simply go back to GitHub to view results without navigating through different tools. This saves considerable time, and when all information can be accessed in one application, it creates substantial value.

    What needs improvement?

    Many organizations use legacy applications with COBOL, and currently a different tool is used for COBOL applications due to compliance requirements. It would be beneficial if Cycode increased the languages they support. While they have significantly increased support and are trying to improve their engines, Cycode could enhance container-specific capabilities. Currently, Cycode does not have good container security, and while it is a full solution, companies desiring a single platform must seek additional tools to scan container images. On the code side, it is satisfactory, but it lacks detection for OS-level vulnerabilities on the container side, which is an area for improvement.

    Cycode receives a rating of eight out of ten, with two points deducted because it does not provide the full platform value that Cycode aims to achieve as a complete platform for everything needed. Container functionality is particularly critical as development mainly revolves around containers, and security in that space is essential. It is not a new area, and it is believed that adding it would boost value and support customers.

    Cycode has good access control and compliance, but in the organization, a different team handles anything related to AI governance. While Cycode appears to possess good access control features, it might not offer the most helpful insight concerning governance. However, Cycode has enough flexibility for everything and everyone involved.

    Regarding AI capabilities, Cycode is approximately eighty to eighty-five percent effective. The remaining percentage reflects its limitations, as it does not fully comprehend GitHub code like a developer or human would. It would be beneficial if Cycode could enhance their AI by introducing an optional checkbox asking developers if suggestions were helpful or seeking data where developers feel the answers are inappropriate. This feedback mechanism could significantly improve AI capabilities.

    For how long have I used the solution?

I have used Cycode for about two years, and it integrates well into existing workflows without requiring an additional pipeline, making the transition seamless. During migration from Checkmarx to Cycode, this aspect helped tremendously because it was not necessary to create scripts or coordinate closely with each team; onboarding was straightforward. Cycode's great integration with GitHub gives it a significant advantage, especially as many industry tools strive for similar integration.

    What do I think about the stability of the solution?

    Cycode is stable.

    What do I think about the scalability of the solution?

    Cycode's scalability has been excellent thus far with no scalability issues encountered in the organization, which consists of approximately four thousand projects, each containing a multitude of repositories.

    How are customer service and support?

    Customer support has been excellent. While there has not been frequent direct interaction with customer support, from what has been heard during meetings, the rating would be nine out of ten.

    Which solution did I use previously and why did I switch?

    Checkmarx was previously used as the solution. The reason for switching was convenience, as Cycode is more convenient due to its direct integration with GitHub, unlike the Checkmarx on-premises solution that was in place, which only provided SAST capability. For nearly the same pricing, although exact pricing cannot be confirmed, three services are now accessed with Cycode: SAST, Infrastructure as Code, and secret scanning.

    How was the initial setup?

    An automated onboarding process is not currently in place, but a script or solution for developers organization-wide is being developed. Cycode has a pretty good onboarding page that is excellent. The significant advantage experienced with Cycode is that multiple services are leveraged; when a project or team is onboarded onto Cycode, it covers three services, highlighting that benefit. Beyond that, there is nothing remarkable that distinguishes it compared to other tools in the industry.

    Cycode is utilized as a SaaS solution hosted on a private cloud.

    What about the implementation team?

    The company does not have a business relationship with Cycode vendor aside from being a customer.

    Which other solutions did I evaluate?

A proof of concept was conducted for multiple tools, including GitHub Actions, Checkmarx as the previous tool, and Cycode, along with considering additional tools.

    What other advice do I have?

    In the organization, sub-organizations have a regulatory compliance requirement to perform a SAST scan or security scan before going into production. Cycode helps adhere to these requirements well; while Cycode did not support Rust previously, it has now included the Rust language. However, support for legacy applications is still lacking, which presents a challenge since Cycode's vendor team has mentioned they do not plan to address this issue. Although it posed a challenge when transitioning from Checkmarx to Cycode, the experience has been beneficial overall as it delivers exact data and allows developers to see which repositories contain vulnerabilities. It even provides options to archive repositories that are no longer in use or required.

    Cycode allows marking something as a false positive, giving the power to manage security findings effectively. This access is restricted to only the team admin for that specific project, enabling them to mark items as false positives as needed.

    Cycode is not being used as a medium to create tickets or anything of that nature in the organization.

    Cycode provides an extensive dashboard that aids in prioritizing vulnerabilities and security issues that need addressing first, and it also features a customized risk score that can be utilized for prioritization.

For others looking into using Cycode, if they seek a tool with multiple services, excluding container services, Cycode is a solid option. It is a solid option for at least SAST and secret scanning, despite the non-use of SCA. Cycode offers excellent secret scanning capabilities, and there does not appear to be another solution at the same pricing level that provides an equally good secret scanning tool like Cycode does.

    Overall, Cycode receives a rating of eight out of ten.

    reviewer2014131

    Secret scanning has strengthened our code security and now needs better container integration

    Reviewed on May 27, 2026
    Review provided by PeerSpot

    What is our primary use case?

Cycode is used for multiple types of scanning including secrets, SAST scanning, and IAC misconfiguration scanning. Secret scanning was one of the first services launched using Cycode and is integrated into product teams' CI/CD pipelines for identifying hard-coded secrets within the code.

Cycode is used for infrastructure as code misconfiguration scanning and SAST scanning to find code weaknesses. Both engines are solid with no complaints.

As a policy, hard-coding secrets is prohibited. Cycode helps identify pieces of code that might be out of compliance. When the organization pivoted to GitHub Enterprise Cloud, this became a strong requirement for all product teams to comply with, and Cycode definitely assisted in that process.

    Cycode is used for secret scanning, IAC misconfiguration scanning, and SAST. Other tools are used for software composition analysis and container image scanning.

    What is most valuable?

Cycode excels in secret scanning and is brilliant at finding and identifying secrets within code. The GitHub integration helps product teams run scans on their code during pull requests without requiring a task in their pipeline, allowing them to identify issues much earlier in the software development life cycle.

    The GitHub integration allows scanning to be performed as early as possible. Whenever product teams raise a pull request or commit to a GitHub repository, the integration identifies issues even before the scan runs in the pipeline. Since scanning happens in the version control system in GitHub rather than in the pipeline, it keeps the load on the pipeline simple and reduces the overall pipeline load.

    Measurable improvements and faster development are outcomes of using Cycode. Since it is integrated into GitHub as a GitHub app and performs PR scans, it makes the development process not just faster but more secure. It prohibits users from hard-coding secrets and pushes them to use secret vaults and managers, which is a much more secure method of handling credentials.

    Cycode helps with visibility into application security posture by having arguably the best dashboards and reporting among all the other tools in use, with different kinds of remediation funnels and MTTR data available in Cycode's dashboard that helps with overall application security posture management.

    Cycode helps prioritize vulnerabilities or findings with a custom risk score that can help prioritize findings. Even within secrets, it helps identify the severities associated with those secrets.

    Cycode supports collaboration between development and security teams well. The integration with GitHub makes it quite seamless.

    What needs improvement?

Regarding container scanning, Cycode can be improved as it does not have a CLI. As a DevSecOps professional, having a CLI is a must-have for any tool to integrate it into systems. Although Cycode does have a CLI, specifically for the container scanning module, a CLI does not exist. This is why all the modules that Cycode offers cannot be fully leveraged.

    A CLI for the container scanning module is believed to be on Cycode's roadmap, but it is not available today.

    As a big enterprise dealing with many assets, Cycode being faster would be beneficial. With many assets on-boarded on Cycode, the tool sometimes becomes slow. Making Cycode faster would definitely help. Other than that, things are good.

    For how long have I used the solution?

    Cycode has been in use for almost three years.

    What do I think about the stability of the solution?

    Cycode is stable and scales as needed.

    What do I think about the scalability of the solution?

    The scalability of Cycode as the organization grows or adds more assets is managed well. At the scale at which the enterprise operates, which is quite large, Cycode scales as needed. Being a vendor SaaS tool on an elastic server, it scales effectively.

    How are customer service and support?

    Cycode's customer support is good. Regular connects are maintained with the customer support team.

    Which solution did I use previously and why did I switch?

Secret scanning was not available prior to Cycode. Cycode was the first solution for secret scanning and still is to this day.

    How was the initial setup?

Adoption and initial use of Cycode was fairly simple for the team. The GitHub integration made the process quite smooth as all assets in GitHub had to be bulk on-boarded to Cycode. Although the on-boarding and adoption were smooth and Cycode was scanning everything in GitHub, as a DevSecOps team, assets had to be mapped individually in order to perform application security posture management (ASPM), which took a good amount of time and remains an ongoing challenge.

    What was our ROI?

    A return on investment has been seen with Cycode. Overall, the security of assets and preventing the exposure of secret data is where Cycode excels. No specific metrics can be shared beyond that.

    What's my experience with pricing, setup cost, and licensing?

    Cycode is aggressively priced across the board with respect to other tools when it comes to pricing, setup cost, and licensing.

    Which other solutions did I evaluate?

I was not part of the decision before choosing Cycode, so I am not aware of which options were evaluated. However, GitHub Advanced Security was believed to have been considered.

    What other advice do I have?

    Cycode excels mainly in secret scanning, and if CLI was available in other types of scans like container scanning, the overall experience would have been better. Cycode's governance and security are good, and the AI remediation abilities through integrations like Secure Code Warrior are beneficial.

    The accuracy and reliability of Cycode's AI capabilities have not been fully tested. Others looking into using Cycode should move forward with it. It is a strong and robust tool for secret scanning.

    Overall, I rate Cycode a 7.5 out of 10. The rating reflects limitations such as the lack of a CLI for container scanning and some concerns about forced secret scanning, balanced against Cycode's excellence in secret scanning capabilities.

    J P.

    Totally impressed with cycode

    Reviewed on Apr 23, 2024
    Review provided by G2
    What do you like best about the product?
    I've found CyCode to be an easy tool to use and integrate into our environment. I look forward to completing my work onboarding the tool into our production. we internally discussed the risk of exposing a system that actively provides easy access to secrets and shortly thereafter we noticed a new feature that allows us to limit this exposure through the use of roles.
    What do you dislike about the product?
    lacks integrations with many AWS services to make it easy to track application vulnerabilities in terms of the systems hosting our applications rather than just the code & artifacts.
    What problems is the product solving and how is that benefiting you?
    I've seen new valuable security features and customization options open up that increase its potential value to our organization. So overall I think they take customer feedback seriously and are looking at ways to improve the product.
    Sachin P.

    Cycode abilities

    Reviewed on Dec 08, 2022
    Review provided by G2
    What do you like best about the product?
    1) Product setup is extremely quick.
    2) Cycode defaults provide immediate value by highlighting improper storage secrets in source control and data leakage visibility, i.e. Violations - Asset mapping in knowledge graphs.
    3) The new workflow functionality enhances the user experience, as custom behavior is now easily implemented from a central point in the system.
    What do you dislike about the product?
    1) The violations which need manual re-scan have to be improved.
    2) Display the proper error message when the queries for an extensive knowledge graph are in progress.
    What problems is the product solving and how is that benefiting you?
    1) Great platform for SCM.
    2) Visibility on the compliance and audit requirements increased.
    3) Single view for all my policy violations and asset details which can significantly help audit.
    Dipak P.

    Best software for SDLC process

    Reviewed on Dec 02, 2022
    Review provided by G2
    What do you like best about the product?
Easy to understand and handle all tools for use. Interface easy to use.
    What do you dislike about the product?
Little bit complicated to extensively work on that.
    What problems is the product solving and how is that benefiting you?
Very beneficial for SDLC process. Tracking etc.