Features

Vulnerability Management

Feature	Supported
Flexible data model with products, product groups and services
Observations with a wide range of information
Multiple branches and versions per product
Automatic resolution of fixed vulnerabilities
Identification and management of duplicates
Manual assessment of severity and status
Rule based assessment of severity and status
Security gates
Actual and weekly metrics
Configurable expiry for accepted risks

License Management

Feature	Supported
Import of components with license information from CycloneDX and SPDX SBOMs
Flexible license policies to evaluate the impact of different license conditions
Organize licenses with similar conditions in license groups

Integrations

Feature	Supported
Import from many SAST, SCA, DAST, infrastructure and secrets scanners
GitLab CI integration of scanners with predefined templates GitHub integration of scanners with predefined actions
Data enrichment from Exploit Prediction Scoring System (EPSS)
Data enrichment with exploit information
Always up-to-date SPDX licenses
License groups generated from ScanCode LicenseDB data
Direct link to source code
Export vulnerabilities to issue trackers (Jira, GitLab, GitHub)
Import/export vulnerabilities from/to VEX documents (CSAF, OpenVEX)
Vulnerability scanning from OSV database
Export of data to Microsoft Excel and CSV
Export metrics to CodeCharta
Notifications to Microsoft Teams, Slack and email
Links to additional information about vulnerabilities and components
REST API

Access Control

Feature	Supported
Built-in user management
OpenID Connect integration
Internal, external and admin users
Authorization groups
Role-based access control

Installation and Upgrading

Feature	Supported
Installation with Docker Compose
Supported databases: PostgreSQL and MySQL
Flexible configuration
Automatic database migration during upgrades