Documentation
CyBox Security documentation: learn how to get started, connect your assets, and run scans to secure your code, dependencies, and apps.
Welcome to the documentation of CyBox Security.
This guide will help you set up your account, connect repositories or websites, and start scanning with our security tools.
1.1 Getting Started: Overview
CyBox is a unified security platform that scans your:
- Source code for insecure patterns (SAST)
- Dependencies for known vulnerabilities (SCA)
- Secrets such as API keys and tokens
- APIs for OWASP API Top 10 risks (BOLA, missing auth, shadow endpoints, rate limiting, CORS)
- Infrastructure-as-Code for misconfigurations (IaC)
- Live apps for exploitable flaws (DAST)
You can connect either:
- A GitHub repository (public or private), or
- A website URL for runtime scanning
All findings are presented in a single dashboard, prioritized by severity, with actionable recommendations.
1.2 Connecting a Repository
- Go to Assets in your CyBox dashboard
- Click Connect GitHub
- Authorize access to your repository
- Select the repos you want to scan
- CyBox will automatically clone, analyze, and show results
Note: Currently GitHub is fully supported. GitLab and Bitbucket are on the roadmap.
1.3 Scanning a Website
- Go to Assets
- Click Add Website
- Enter your target URL (e.g. https://example.com)
- CyBox will run a dynamic analysis to detect runtime vulnerabilities
1.4 Viewing Results
After a scan completes, results are shown in the Results dashboard:
- Issues grouped by severity (Critical, High, Medium, Low)
- Each finding includes description, file/line (if applicable), and recommended fix
- Some findings support auto-fix with one click
1.5 Supported Scanners
- SAST: Semgrep
- SCA: Trivy + OSV-Scanner
- Secrets: Gitleaks
- API Security: Endpoint discovery (OpenAPI + code), OWASP API Top 10 checks, optional dynamic testing (GET/HEAD)
- License: license-checker, pip-licenses, go-licenses
- Malware & Package Audit: npm audit and equivalents
- IaC Security: tfsec, Checkov, Terrascan, KICS
- DAST: Browserless-powered runtime scans
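The API Security scanner above combines endpoint discovery from an OpenAPI document and from code with OWASP API Top 10 checks. The following is an added illustration of two of those checks, missing authentication and shadow endpoints, and is not CyBox's own scanner code. The OpenAPI document and the list of routes "found in code" are constructed inline; the `/health` allowlist and the route tuple shape are assumptions.

```python
"""Illustrative OWASP API checks: missing-auth and shadow-endpoint detection.

Added example, not CyBox's scanner. Assumes an OpenAPI 3 document (constructed
inline as JSON) and a list of routes a code scanner extracted (also constructed).
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed sample spec: a document-level bearer requirement, one operation
# that opts out with `security: []`, and a public health probe.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {
            "get": {"summary": "Fetch a user"},
            "delete": {"summary": "Delete a user", "security": []},
        },
        "/health": {"get": {"summary": "Liveness", "security": []}},
    },
})

# Constructed: routes as a code scanner might extract them from route decorators.
SAMPLE_CODE_ROUTES = [
    ("GET", "/users/{id}"),
    ("DELETE", "/users/{id}"),
    ("GET", "/health"),
    ("POST", "/admin/export"),  # absent from the spec: a shadow endpoint
]


def discover_endpoints(spec_json):
    """Return {(METHOD, path): operation} for every operation in the spec."""
    spec = json.loads(spec_json)
    endpoints = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                endpoints[(method.upper(), path)] = op
    return endpoints


def missing_auth(spec_json, allowlist=frozenset({"/health"})):
    """Operations whose effective security requirement is empty.

    OpenAPI resolves security per operation: an operation-level `security`
    overrides the document-level list, and `security: []` means "no auth".
    Paths in `allowlist` (assumed: health probes) are expected to be public.
    """
    spec = json.loads(spec_json)
    global_security = spec.get("security", [])
    flagged = []
    for (method, path), op in discover_endpoints(spec_json).items():
        effective = op.get("security", global_security)
        if not effective and path not in allowlist:
            flagged.append((method, path))
    return sorted(flagged)


def shadow_endpoints(spec_json, code_routes):
    """Routes present in code but absent from the published spec."""
    documented = set(discover_endpoints(spec_json))
    return sorted(set(code_routes) - documented)


if __name__ == "__main__":
    print("missing auth:", missing_auth(SAMPLE_SPEC))
    print("shadow endpoints:", shadow_endpoints(SAMPLE_SPEC, SAMPLE_CODE_ROUTES))
```

Resolving the effective security requirement per operation matters: a spec with a document-level scheme can still expose unauthenticated operations through an operation-level `security: []`, which a check that only looks at the top of the document would miss.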
1.6 Compliance Evidence Report
CyBox can generate audit-ready compliance evidence from your scan results so you can demonstrate security posture to auditors or compliance tools.
- Go to Reports > Compliance Evidence in your CyBox dashboard
- Choose a date range for the evidence period
- Review the headline numbers (findings by severity, assets in scope)
- Download the report as PDF or JSON
The report includes deduplicated findings per asset, maximum severity, and is scoped to your organization. Use it for internal audits or to feed evidence into compliance platforms (e.g. Drata).
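To make the three properties of the report concrete (scoped to an evidence period, deduplicated per asset, maximum severity per asset), here is an added example of that aggregation. It is not CyBox's report generator: the findings are constructed sample records, and the deduplication key `(asset, rule_id, location)` and the severity ordering are assumptions.

```python
"""Illustrative compliance-evidence summary: date-range scoping, per-asset
deduplication and maximum severity.

Added example, not CyBox's own code. Findings are constructed dicts; the dedup
key (asset, rule_id, location) and the severity order are assumptions.
"""
import json
from collections import Counter
from datetime import date

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample findings: the SQLi issue is reported by two scans a week
# apart (must collapse to one), and the TLS finding predates the period.
SAMPLE_FINDINGS = [
    {"asset": "repo:api", "rule_id": "semgrep.sqli", "location": "db.py:42",
     "severity": "High", "found": "2024-05-02"},
    {"asset": "repo:api", "rule_id": "semgrep.sqli", "location": "db.py:42",
     "severity": "High", "found": "2024-05-09"},
    {"asset": "repo:api", "rule_id": "gitleaks.aws-key", "location": "config.py:7",
     "severity": "Critical", "found": "2024-05-09"},
    {"asset": "site:example.com", "rule_id": "dast.missing-csp", "location": "/",
     "severity": "Medium", "found": "2024-05-10"},
    {"asset": "site:example.com", "rule_id": "dast.old-tls", "location": "/",
     "severity": "High", "found": "2024-03-01"},  # outside the evidence period
]


def in_range(finding, start, end):
    """True if the finding was observed within [start, end] inclusive."""
    return start <= date.fromisoformat(finding["found"]) <= end


def deduplicate(findings):
    """Keep one finding per (asset, rule, location); the latest observation wins."""
    latest = {}
    for f in findings:
        key = (f["asset"], f["rule_id"], f["location"])
        if key not in latest or f["found"] > latest[key]["found"]:
            latest[key] = f
    return list(latest.values())


def build_evidence(findings, start, end, organization):
    """Aggregate findings into the headline numbers an auditor would read."""
    scoped = [f for f in findings if in_range(f, start, end)]
    unique = deduplicate(scoped)
    by_asset = {}
    for f in unique:
        entry = by_asset.get(f["asset"])
        if entry is None:
            entry = by_asset[f["asset"]] = {"findings": 0, "max_severity": f["severity"]}
        entry["findings"] += 1
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["max_severity"]]:
            entry["max_severity"] = f["severity"]
    return {
        "organization": organization,
        "period": {"start": start.isoformat(), "end": end.isoformat()},
        "assets_in_scope": len(by_asset),
        "findings_by_severity": dict(Counter(f["severity"] for f in unique)),
        "assets": by_asset,
    }


if __name__ == "__main__":
    report = build_evidence(SAMPLE_FINDINGS, date(2024, 5, 1), date(2024, 5, 31), "acme")
    print(json.dumps(report, indent=2))
```

Deduplicating before counting is what keeps repeated scans of the same repository from inflating the severity totals; the period filter is applied first so that a finding fixed before the evidence window does not reappear in the report.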
1.7 Drata Integration
You can push CyBox compliance evidence directly to Drata so it appears as external evidence on your Drata controls.
Connect Drata
- Go to Integrations in your CyBox dashboard
- In the Compliance section, find Drata and click Connect
- Enter your Drata API key and Workspace ID
- CyBox validates the connection and saves the configuration (your API key is stored encrypted)
Push evidence
- Go to Reports > Compliance Evidence
- Set the date range and generate the report
- Click Push to Drata (or use the push action from the report page)
- CyBox builds the evidence PDF, ensures a CyBox control exists in Drata (creating it if needed), and uploads the file as external evidence
Disconnect
- In Integrations > Compliance > Drata, click Disconnect to remove the connection. Your API key is deleted from CyBox; no evidence is removed from Drata.
Limits: Push is rate-limited (e.g. 8 pushes per minute per organization). PDFs larger than 20MB are rejected. If Drata is not connected, the push action returns an error asking you to connect first.
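The three limits above are the guards any integration that forwards files to a third-party API should enforce before making the outbound call. As an added illustration (not CyBox's push code), the following gateway checks the connection state, the 20MB size cap and a per-organization sliding window of 8 pushes per minute, and only then hands the file to an upload callable. The class and method names, the injected clock and the stub uploader are assumptions.

```python
"""Illustrative guards in front of an evidence push: connection check,
20 MB size limit, and a per-organization sliding-window rate limit of
8 pushes per minute.

Added example, not CyBox's push code. The Drata upload is a stub callable
passed in by the caller; all names here are assumptions.
"""
import time
from collections import deque

MAX_PDF_BYTES = 20 * 1024 * 1024
MAX_PUSHES_PER_MINUTE = 8
WINDOW_SECONDS = 60


class PushError(Exception):
    """Raised when a push is refused before any upload is attempted."""


class FakeClock:
    """Controllable clock so the rate window can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class DrataPushGateway:
    def __init__(self, connections, upload, clock=time.monotonic):
        self._connections = connections  # org_id -> True when Drata is connected
        self._upload = upload            # callable(org_id, pdf_bytes) -> result
        self._clock = clock
        self._history = {}               # org_id -> deque of accepted push times

    def _check_rate(self, org_id):
        """Sliding window: drop timestamps older than the window, then count."""
        now = self._clock()
        window = self._history.setdefault(org_id, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_PUSHES_PER_MINUTE:
            raise PushError("rate limit exceeded: retry in a minute")
        window.append(now)

    def push(self, org_id, pdf_bytes):
        # Precondition checks first, so a refused push does not consume quota.
        if not self._connections.get(org_id):
            raise PushError("Drata is not connected; connect it under Integrations first")
        if len(pdf_bytes) > MAX_PDF_BYTES:
            raise PushError(f"PDF is {len(pdf_bytes)} bytes; limit is {MAX_PDF_BYTES}")
        self._check_rate(org_id)
        return self._upload(org_id, pdf_bytes)


def stub_upload(org_id, pdf_bytes):
    """Stand-in for the real external-evidence upload."""
    return {"org": org_id, "status": "uploaded", "bytes": len(pdf_bytes)}


if __name__ == "__main__":
    clock = FakeClock()
    gateway = DrataPushGateway({"acme": True}, stub_upload, clock)
    for _ in range(MAX_PUSHES_PER_MINUTE):
        gateway.push("acme", b"%PDF-1.4 constructed sample")
    try:
        gateway.push("acme", b"%PDF-1.4 constructed sample")
    except PushError as err:
        print("ninth push refused:", err)
    clock.t += WINDOW_SECONDS
    print("after the window:", gateway.push("acme", b"%PDF-1.4 constructed sample"))
```

Validating size and connection state before touching the rate limiter is a deliberate choice: a client that keeps submitting an oversized file gets a clear error each time rather than silently burning its quota, while only pushes that actually reach the upload count against the window.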
Work in Progress
We're still expanding the documentation. Upcoming sections will include:
- Detailed guides for each scanner
- CI/CD integration
- Security trends and analytics
- Vanta integration (compliance evidence)
This page is not yet complete; check back soon for more.