Discover, assess and mitigate known vulnerabilities
Steady supports software development organizations in the secure use of open-source components during application development.
As such, Steady addresses the OWASP Top 10 security risk A9, Using Components with Known Vulnerabilities, which is often the root cause of data breaches.
Steady analyzes Java and Python applications in order to:
- detect whether they depend on open-source components with known vulnerabilities,
- collect evidence regarding the execution of vulnerable code in a given application context (through the combination of static and dynamic analysis techniques), and
- support developers in the mitigation of such dependencies.
In comparison to other tools, the detection is code-centric and usage-based: rather than relying only on metadata such as component names and versions, Steady looks at the vulnerable code itself and at whether the application actually reaches it, which allows for more accurate detection and assessment than tools relying on metadata alone.
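To make the difference between metadata-based and usage-based detection concrete, here is an added, self-contained illustration in Python (example code, not part of Steady and not its implementation). It assumes a constructed vulnerability record for a hypothetical component `fakelib` whose vulnerable construct is `fakelib.parse.load_unsafe`, a constructed dependency manifest, and a small constructed application; the stub `fakelib` package is installed into `sys.modules` so the code runs offline. The metadata check flags the application merely because an affected version is declared, the static check (on the AST) reports which application functions can call the vulnerable construct, and the dynamic check (a trace hook) records whether that construct was actually executed for a given input:

```python
"""Toy contrast of metadata-based vs. usage-based vulnerability detection.

Added example; all names, versions and the library are constructed/hypothetical.
"""
import ast
import sys
import types

# Constructed vulnerability record (hypothetical, not a real advisory):
# fakelib < 1.2.0 has a vulnerable function fakelib.parse.load_unsafe
VULN = {
    "component": "fakelib",
    "fixed_in": (1, 2, 0),
    "construct": ("fakelib.parse", "load_unsafe"),
}

# Constructed dependency manifest of the application under analysis
DEPENDENCIES = {"fakelib": (1, 1, 0), "otherlib": (3, 0, 1)}

# Constructed application source: only the legacy path uses the vulnerable function
APP_SOURCE = '''
from fakelib.parse import load_unsafe, load_safe
import fakelib.parse as fp

def handle(data, legacy=False):
    if legacy:
        return load_unsafe(data)
    return load_safe(data)

def other():
    return fp.load_safe("x")
'''


def metadata_detection(deps, vuln):
    """Metadata-based: flag if an affected version is declared, regardless of usage."""
    version = deps.get(vuln["component"])
    return version is not None and version < vuln["fixed_in"]


def _qualname(node, aliases):
    """Resolve a call target (Name or dotted Attribute) to a fully qualified name."""
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        return f"{_qualname(node.value, aliases)}.{node.attr}"
    return ""


def static_reachability(source, vuln):
    """Static usage check: names of top-level functions that call the vulnerable construct."""
    module, name = vuln["construct"]
    target = f"{module}.{name}"
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified name, derived from import statements
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        elif isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
    callers = []
    for fn in tree.body:
        if isinstance(fn, ast.FunctionDef):
            calls = (n for n in ast.walk(fn) if isinstance(n, ast.Call))
            if any(_qualname(c.func, aliases) == target for c in calls):
                callers.append(fn.name)
    return callers


def _install_stub_library():
    """Register a constructed 'fakelib.parse' module so the app source imports offline."""
    pkg = types.ModuleType("fakelib")
    mod = types.ModuleType("fakelib.parse")
    exec("def load_unsafe(d): return ('unsafe', d)\n"
         "def load_safe(d): return ('safe', d)\n", mod.__dict__)
    pkg.parse = mod
    sys.modules["fakelib"] = pkg
    sys.modules["fakelib.parse"] = mod


def dynamic_trace(source, entry, args, vuln):
    """Dynamic usage check: run entry(*args) and report whether the construct executed."""
    _install_stub_library()
    namespace = {}
    exec(source, namespace)
    module, name = vuln["construct"]
    executed = []

    def tracer(frame, event, arg):
        # A 'call' event fires for every new frame; match module and function name
        if (event == "call" and frame.f_code.co_name == name
                and frame.f_globals.get("__name__") == module):
            executed.append(True)
        return None

    sys.settrace(tracer)
    try:
        namespace[entry](*args)
    finally:
        sys.settrace(None)
    return bool(executed)


if __name__ == "__main__":
    print("metadata flags app:", metadata_detection(DEPENDENCIES, VULN))
    print("static callers:", static_reachability(APP_SOURCE, VULN))
    print("executed (legacy=True):", dynamic_trace(APP_SOURCE, "handle", ("p", True), VULN))
    print("executed (legacy=False):", dynamic_trace(APP_SOURCE, "handle", ("p", False), VULN))
```

The metadata check alone cannot distinguish the two runs; the static result narrows the finding to `handle`, and the dynamic result shows that the vulnerable construct is only reached when `legacy=True`, which is the kind of evidence a developer needs to prioritize or justify the mitigation of a flagged dependency.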
Running Steady in your organization requires operating several Docker containers that serve as a backend for client-side scanners, e.g., plugins for Maven and Gradle. The latter are commonly invoked at development or build time, e.g., on developer workstations or in CI/CD pipelines.
Important: The initial contribution is currently subject to license compliance checks; the existing GitHub repository will soon be moved to Eclipse's GitHub organization.