How It Works | Singapore Government Developer Portal

How It Works

XCA’s “secret sauce” is its custom rules, which are based on insecure code patterns identified from vulnerabilities found in CSG’s security testing and reported through vulnerability disclosures. These rules are not part of the default rulesets shipped with other code-scanning solutions.

XCA comprises the following components:

  • XCA Rules: Custom rules written by CSG cybersecurity specialists and by developers across government agencies.
  • XCA Code Scanning: Integration with your development workflow. When you push code to your GitLab project, XCA automatically scans it and updates your project’s Vulnerability Report with any findings.

Under the hood, XCA is powered by Semgrep, the same code-scanning engine that GitLab SAST uses, but running XCA’s custom rules instead of the default ruleset. The XCA pipeline pulls a container image pre-loaded with the XCA Rules and invokes Semgrep; the scan output is converted into GitLab’s SAST report schema, so findings appear in GitLab’s built-in Vulnerability Report and Merge Request widgets.
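The conversion step described above, as an added example rather than XCA’s own pipeline code: it takes Semgrep’s `--json` output and produces a report in GitLab’s SAST report schema. Field names follow Semgrep’s JSON output and GitLab’s schema; the scanner id and name, the severity mapping, the schema version string and the sample finding are assumptions made for illustration.

```python
"""Convert Semgrep JSON output into a GitLab SAST report.

Added example, not XCA's pipeline code. Field names follow Semgrep's --json
output and GitLab's SAST report schema (15.x). Scanner identity, severity
mapping and the sample finding are assumptions made for illustration.
"""
import hashlib
import json

# Semgrep severities mapped onto GitLab's severity vocabulary (assumed mapping).
SEVERITY_MAP = {"ERROR": "High", "WARNING": "Medium", "INFO": "Low"}

# Assumed scanner identity reported to GitLab; XCA's real values may differ.
SCANNER = {"id": "xca_semgrep", "name": "XCA (Semgrep)"}


def finding_id(check_id: str, path: str, start_line: int) -> str:
    """Deterministic id so GitLab can match the same finding across scans."""
    return hashlib.sha256(f"{check_id}|{path}|{start_line}".encode()).hexdigest()


def cwe_identifiers(metadata: dict) -> list:
    """Turn Semgrep's metadata.cwe (a string or list of 'CWE-NNN: ...') into GitLab identifiers."""
    raw = metadata.get("cwe", [])
    entries = [raw] if isinstance(raw, str) else list(raw)
    identifiers = []
    for entry in entries:
        code = entry.split(":", 1)[0].strip()   # e.g. "CWE-78"
        number = code.split("-", 1)[-1]         # e.g. "78"
        identifiers.append({
            "type": "cwe",
            "name": code,
            "value": number,
            "url": f"https://cwe.mitre.org/data/definitions/{number}.html",
        })
    return identifiers


def convert_result(result: dict) -> dict:
    """Map one Semgrep result to one GitLab SAST vulnerability entry."""
    extra = result.get("extra", {})
    start, end = result["start"]["line"], result["end"]["line"]
    return {
        "id": finding_id(result["check_id"], result["path"], start),
        "category": "sast",
        "name": result["check_id"],
        "description": extra.get("message", ""),
        "severity": SEVERITY_MAP.get(extra.get("severity", ""), "Unknown"),
        "scanner": SCANNER,
        "location": {"file": result["path"], "start_line": start, "end_line": end},
        "identifiers": [
            {"type": "semgrep_id", "name": result["check_id"], "value": result["check_id"]},
            *cwe_identifiers(extra.get("metadata", {})),
        ],
    }


def build_report(semgrep_output: dict, start_time: str, end_time: str) -> dict:
    """Wrap converted results in the top-level SAST report structure."""
    tool = {**SCANNER, "vendor": {"name": "CSG"}, "version": "0.0.0"}  # assumed values
    return {
        "version": "15.0.7",  # schema version the report claims to conform to (assumed)
        "vulnerabilities": [convert_result(r) for r in semgrep_output.get("results", [])],
        "scan": {
            "scanner": tool,
            "analyzer": tool,
            "type": "sast",
            "start_time": start_time,
            "end_time": end_time,
            # Semgrep lists parse failures and skipped files under "errors"; surface them as a failed scan.
            "status": "failure" if semgrep_output.get("errors") else "success",
        },
    }


# Constructed Semgrep output with one finding, for a stand-alone run; not a real XCA rule.
SAMPLE_SEMGREP_OUTPUT = {
    "results": [{
        "check_id": "example.python.subprocess-shell-true",
        "path": "app/run.py",
        "start": {"line": 12, "col": 5},
        "end": {"line": 12, "col": 48},
        "extra": {
            "message": "subprocess.run() called with shell=True",
            "severity": "ERROR",
            "metadata": {"cwe": ["CWE-78: Improper Neutralization of Special Elements used in an OS Command"]},
        },
    }],
    "errors": [],
}

if __name__ == "__main__":
    report = build_report(SAMPLE_SEMGREP_OUTPUT, "2023-02-01T00:00:00", "2023-02-01T00:00:05")
    print(json.dumps(report, indent=2))  # in a pipeline this would be saved as the gl-sast-report.json artifact
```

The id is derived from rule, file and line rather than from a random value, so a finding that survives unchanged between two scans keeps the same id and GitLab does not report it as new each time.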

XCA was added as a security integration in SHIP-HATS 2.0 GitLab in February 2023. New XCA rules are developed and incorporated as new security vulnerabilities and vulnerable code patterns are identified.

The workflow of XCA is illustrated in the following diagram:

Workflow for XCA
  1. WOG-level Group Webhook: A GitLab webhook registered at the WOG group level receives Push events from every project under it.
  2. AWS API Gateway: The webhook delivers the event payload to AWS API Gateway.
  3. AWS Lambda: AWS API Gateway invokes an AWS Lambda function, which triggers a dedicated scan pipeline only for Push events to the project’s default branch. This pipeline runs outside of your project’s own pipeline.
  4. Vulnerability Reporting: When the scan completes, any findings are written to your project’s Vulnerability Report via GitLab’s GraphQL API.
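The filtering in steps 1 to 3, as an added example that is not the portal’s own Lambda code. It assumes the group webhook is registered with a secret token (GitLab echoes it back in the `X-Gitlab-Token` header), that the dedicated scan pipeline lives in a separate project and is started through GitLab’s pipeline trigger API (`POST /projects/:id/trigger/pipeline`) with the target project and commit passed as pipeline variables, and that the HTTP call is injected as a callable so the logic runs offline. The environment variable names, the `XCA_TARGET_*` variable names and the sample push payload are placeholders.

```python
"""Webhook filter and trigger for the dedicated XCA scan pipeline.

Added example, not the portal's own Lambda. Assumptions: the group webhook has
a secret token (sent back as X-Gitlab-Token); the scan pipeline lives in a
separate project and is started via GitLab's pipeline trigger API with the
target passed as variables; the HTTP POST is injected as a callable.
"""
import hmac
import json
import os

NULL_SHA = "0" * 40  # value of "after" when the push deletes a branch

# Assumed configuration, supplied to the Lambda as environment variables.
GITLAB_API = os.environ.get("GITLAB_API", "https://gitlab.example/api/v4")
WEBHOOK_SECRET = os.environ.get("XCA_WEBHOOK_SECRET", "")
PIPELINE_PROJECT_ID = os.environ.get("XCA_PIPELINE_PROJECT_ID", "0")
PIPELINE_TRIGGER_TOKEN = os.environ.get("XCA_PIPELINE_TRIGGER_TOKEN", "")


def should_scan(headers: dict, event: dict, secret: str) -> tuple:
    """Return (decision, reason). Only an authenticated push to the default branch qualifies."""
    token = headers.get("x-gitlab-token", "")
    # Fail closed when no secret is configured; constant-time comparison otherwise.
    if not secret or not hmac.compare_digest(token.encode(), secret.encode()):
        return False, "bad token"
    if headers.get("x-gitlab-event") != "Push Hook" or event.get("object_kind") != "push":
        return False, "not a push event"
    default_branch = event.get("project", {}).get("default_branch")
    if not default_branch or event.get("ref") != f"refs/heads/{default_branch}":
        return False, "not the default branch"
    if event.get("after") == NULL_SHA:
        return False, "branch deletion"
    return True, "ok"


def build_trigger_request(event: dict, pipeline_project_id: str, trigger_token: str) -> dict:
    """Build the pipeline-trigger call that starts the scan pipeline for the pushed commit."""
    return {
        "url": f"{GITLAB_API}/projects/{pipeline_project_id}/trigger/pipeline",
        "data": {
            "token": trigger_token,
            "ref": "main",  # branch of the scan pipeline's own project (assumed)
            "variables[XCA_TARGET_PROJECT_ID]": str(event["project_id"]),
            "variables[XCA_TARGET_PATH]": event["project"]["path_with_namespace"],
            "variables[XCA_TARGET_SHA]": event["after"],
        },
    }


def lambda_handler(api_event: dict, context=None, *, secret=None, send=None) -> dict:
    """API Gateway proxy-integration entry point."""
    secret = WEBHOOK_SECRET if secret is None else secret
    send = send or (lambda request: None)  # real deployment: an HTTPS POST of request["data"]
    headers = {k.lower(): v for k, v in (api_event.get("headers") or {}).items()}
    try:
        body = json.loads(api_event.get("body") or "{}")
    except json.JSONDecodeError:
        return {"statusCode": 400, "body": json.dumps({"error": "invalid JSON"})}
    ok, reason = should_scan(headers, body, secret)
    if not ok:
        # 401 for a bad token; 200 for legitimate deliveries that simply need no scan.
        status = 401 if reason == "bad token" else 200
        return {"statusCode": status, "body": json.dumps({"scan": False, "reason": reason})}
    send(build_trigger_request(body, PIPELINE_PROJECT_ID, PIPELINE_TRIGGER_TOKEN))
    return {"statusCode": 202, "body": json.dumps({"scan": True, "sha": body["after"]})}


def api_gateway_event(headers: dict, push: dict) -> dict:
    """Wrap a push payload the way API Gateway hands it to the Lambda."""
    return {"headers": headers, "body": json.dumps(push)}


# Constructed push-event payload, trimmed to the fields used above.
SAMPLE_HEADERS = {"X-Gitlab-Event": "Push Hook", "X-Gitlab-Token": "example-secret"}
SAMPLE_PUSH = {
    "object_kind": "push",
    "before": "a" * 40,
    "after": "b" * 40,
    "ref": "refs/heads/main",
    "project_id": 42,
    "project": {"id": 42, "path_with_namespace": "wog/agency/app", "default_branch": "main"},
}

if __name__ == "__main__":
    sent = []
    response = lambda_handler(api_gateway_event(SAMPLE_HEADERS, SAMPLE_PUSH),
                              secret="example-secret", send=sent.append)
    print(response, sent[0]["url"])
```

Two details matter for a group-level hook that every project under WOG can reach: the token check runs before anything in the body is trusted, and the default branch is taken from the event’s own `project.default_branch` rather than assumed to be `main`, so projects with a different default branch are still scanned on the right pushes.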

XCA

A Set of Custom Rules That Detect Repeated Vulnerabilities in Code