Static analysis
Garth runs SAST (Static Application Security Testing) rules against your source code to find common vulnerability patterns.
Injection flaws
Detects SQL injection, command injection, LDAP injection, and similar
patterns where user input reaches sensitive APIs without sanitization.
Broken authentication
Flags weak session management, insecure password storage, and missing
authentication on sensitive endpoints.
Sensitive data exposure
Identifies unencrypted storage of sensitive data, weak cryptographic
algorithms, and missing TLS enforcement.
Insecure deserialization
Detects unsafe deserialization of untrusted data that could lead to remote
code execution.
Security misconfigurations
Catches overly permissive CORS settings, disabled security headers, and
default credentials.
Infrastructure-as-Code (IaC)
Garth scans infrastructure definition files for misconfigurations and security policy violations — catching cloud and container issues before they reach production.
Supported file types
Garth analyses the following IaC formats:
- Terraform — .tf files
- AWS CloudFormation — template.yaml, template.json
- Kubernetes — deployment, service, and ingress manifests (.yaml)
- Dockerfile — Dockerfile and *.dockerfile
- Docker Compose — docker-compose.yml
Misconfiguration detection
Flags infrastructure settings that introduce security risk, such as:
- Storage buckets or databases with public access enabled
- Missing encryption at rest or in transit
- Overly permissive IAM roles or security group rules
- Root account usage or missing MFA enforcement
- Containers running as root or with privileged access
Compliance checks
Evaluates configurations against common security benchmarks including CIS
Foundations, NIST, SOC 2, and PCI DSS controls relevant to cloud infrastructure.
Secret detection
Garth scans every file in the repository for leaked credentials and secrets. Detected secrets are reported in the Garth dashboard with the file path, line number, and secret type. Common findings include API keys, tokens, passwords, private keys, and connection strings committed directly to the repository.
Dependency scanning
Garth checks your lockfiles against the OSV database and GitHub Advisory Database.

| Package manager | Lockfile |
|---|---|
| npm / Yarn | package-lock.json, yarn.lock |
| Python | requirements.txt, Pipfile.lock, poetry.lock |
| Java | pom.xml, build.gradle |
| .NET | packages.lock.json |
| Ruby | Gemfile.lock |
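As an added illustration of the lockfile check described above (example code, not Garth's own implementation), the following Python parses a constructed package-lock.json and matches each installed package against constructed advisory records written in the OSV schema's affected/ranges shape. The advisory ids, package names and versions are placeholders; a real scan would fetch advisories from the OSV and GitHub Advisory databases instead of using an inline list.

```python
import json

# Constructed sample lockfile in npm lockfileVersion 3 layout (not a real project).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/example-lib": {"version": "2.4.1"},
        "node_modules/other-lib": {"version": "0.9.0"},
    },
})

# Constructed advisories using the OSV "affected" / "ranges" / "events" structure.
# Ids and package names are hypothetical placeholders.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"},
     "ranges": [{"type": "SEMVER", "events": [{"introduced": "2.0.0"}, {"fixed": "2.5.0"}]}]}]},
    {"id": "EXAMPLE-2024-0002", "affected": [{"package": {"ecosystem": "npm", "name": "other-lib"},
     "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "0.8.2"}]}]}]},
]

def parse_version(v):
    """Split a plain x.y.z version into an integer tuple (pre-release suffix ignored)."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def parse_package_lock(text):
    """Return {name: version} for every installed package in a v2/v3 package-lock.json."""
    installed = {}
    for path, meta in json.loads(text).get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        installed[path.rsplit("node_modules/", 1)[-1]] = meta["version"]  # keeps @scope/name
    return installed

def version_affected(version, events):
    """OSV SEMVER semantics: vulnerable from each 'introduced' up to, not including, 'fixed'.
    Events are ordered ascending, so the last event at or below the version decides."""
    v, affected = parse_version(version), False
    for event in events:  # 'last_affected' events are not handled in this illustration
        if "introduced" in event and v >= parse_version(event["introduced"]):
            affected = True
        elif "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
    return affected

def scan_lockfile(lock_text, advisories, ecosystem="npm"):
    """Return sorted (package, installed version, advisory id) tuples for vulnerable packages."""
    installed, hits = parse_package_lock(lock_text), []
    for adv in advisories:
        for aff in adv["affected"]:
            pkg = aff["package"]
            if pkg["ecosystem"] != ecosystem or pkg["name"] not in installed:
                continue
            ver = installed[pkg["name"]]
            if any(r["type"] == "SEMVER" and version_affected(ver, r["events"]) for r in aff["ranges"]):
                hits.append((pkg["name"], ver, adv["id"]))
    return sorted(hits)
```

Running `scan_lockfile(SAMPLE_PACKAGE_LOCK, SAMPLE_ADVISORIES)` reports only example-lib 2.4.1, since other-lib 0.9.0 is already past its fixed version.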
