OWASP A06 · Vulnerable and outdated components

Prove what is in your software. From build to production.

WASViking® covers the software supply chain in four coordinated layers: passive component detection from the outside, premise-side SBOM generation, a CI/CD gate that fails the build before the merge, and a signed Evidence Bundle your auditor and customers accept.

CycloneDX 1.5 · OSV.dev · CISA KEV · npm · yarn · pnpm · PyPI · Pipfile · Go · Composer · Maven · Gem

Software Supply Chain

Outcome for the buyer

One question answered in one query: where is log4j 2.x running in any of my services?
The four layers

One coordinated supply chain story, not four point tools.

Most platforms ship one of these layers and resell the others. WASViking ships them together, with a single inventory, a single rule for known-exploited components, and one Evidence Bundle that ties the chain back to your auditor.

N1 · Cloud-side detection

ComponentDetectionScanner fingerprints components from the outside, using path regex, sha1, a Wappalyzer subset, meta-generator, headers, cookies, and CMS well-knowns. Enriched with OSV.dev and CISA KEV.

N2 · Premise-side SBOM

wasviking-sentinel sbom walks build manifests for npm, yarn, pnpm, PyPI, Pipfile, Go, Composer, Maven, and Gem. CycloneDX 1.5 output, OSV and KEV enrichment, REST submission to your tenant.

N3 · CI/CD SCA gate

wasviking-sentinel ci --sca runs the SBOM, OSV, and KEV pass at build time. Deterministic exit codes: 70 KEV-flagged, 71 non-KEV finding, 72 ok. The pipeline fails before the merge, not after the breach.

N4 · Signed Evidence Bundle

Per-submission signed package: consolidated CycloneDX, cover PDF with brand, drift, findings, audit, and compliance CSVs, plus verification.txt. Token + password share, revocable and reissuable.

CI/CD SCA gate · how it looks

Stop the build before a KEV-listed component reaches main.

Drop one command in your pipeline. Configurable severity thresholds, baseline mode for legacy repos, and exit codes your CI runner already understands.

  • Build-time SBOM, OSV match, and CISA KEV check in a single pass
  • Exit 70 KEV-flagged · 71 non-KEV finding · 72 ok
  • Baseline mode for legacy projects, so noise drops to net new
  • Same Go binary as wasviking-sentinel sbom, no extra agent to deploy
  • Authenticated to your tenant via ApiKey wv_live_*

# Inside .github/workflows/ci.yml or any pipeline
$ wasviking-sentinel ci --sca --fail-on kev
[sentinel] CycloneDX SBOM generated for 1,284 components
[sentinel] OSV match ........... 7 advisories
[sentinel] CISA KEV cross-ref .. 1 KEV-listed
[sentinel] Risk score amplification: +18 points

FAIL [email protected] CVE-2021-44228 KEV critical
WARN [email protected] CVE-2021-3749 high
OK 1,275 components clean

Evidence submitted to https://api.wasviking.com/v1/sentinel/sbom/submit
exit 70
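The gate decision behind that transcript, as an added example that is not WASViking's code: an SBOM-to-exit-code pass over constructed inputs (purls, OSV-style advisories, a KEV set), with the page's codes 70/71/72, a stable finding fingerprint for baseline mode, and an assumed `--fail-on` policy.

```python
import hashlib

EXIT_KEV, EXIT_FINDING, EXIT_OK = 70, 71, 72  # exit codes as documented on the page

# Constructed inputs, not real feeds: CycloneDX-style purls, OSV-style
# advisories (cve, severity) per purl, and a KEV set of CVE ids.
SBOM = [
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
    "pkg:npm/axios@0.21.1",
    "pkg:pypi/requests@2.31.0",
]
OSV = {
    SBOM[0]: [("CVE-2021-44228", "critical")],
    SBOM[1]: [("CVE-2021-3749", "high")],
}
KEV = {"CVE-2021-44228"}

def fingerprint(purl, cve):
    """Stable finding id: the same component + advisory hashes the same on
    every build, so a baseline file can suppress it as known noise."""
    return hashlib.sha256(f"{purl}|{cve}".encode()).hexdigest()[:16]

def sca_gate(sbom, osv, kev, baseline=frozenset()):
    """Return (exit_code, report_lines). Baselined findings are listed but
    do not move the exit code, so a legacy repo fails only on net-new."""
    worst, lines, clean = EXIT_OK, [], 0
    for purl in sbom:
        advisories = osv.get(purl, [])
        if not advisories:
            clean += 1
            continue
        for cve, severity in advisories:
            if fingerprint(purl, cve) in baseline:
                lines.append(f"BASE {purl} {cve} {severity}")
                continue
            in_kev = cve in kev
            tag, flag = ("FAIL", " KEV") if in_kev else ("WARN", "")
            lines.append(f"{tag} {purl} {cve}{flag} {severity}")
            worst = min(worst, EXIT_KEV if in_kev else EXIT_FINDING)  # lower code is worse
    lines.append(f"OK {clean} components clean")
    return worst, lines

def pipeline_fails(exit_code, fail_on="kev"):
    """Assumed --fail-on policy: 'kev' breaks the build only on 70,
    'any' also on 71; 72 never fails."""
    return exit_code == EXIT_KEV or (fail_on == "any" and exit_code == EXIT_FINDING)
```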

Continuous Supply Chain Watch

Yesterday's SBOM is tomorrow's exposure.

WASViking ingests OSV and CISA KEV daily, then retroactively matches every live SBOM in your tenant. New exposures are promoted to Findings automatically and routed to Slack, Teams, webhook, or email. We re-notify only on KEV bump, severity bump, or fix availability, so the alert channel stays signal.

  • Daily OSV + CISA KEV ingest
  • Retroactive match against every active SBOM in the org
  • Auto-promotion to Findings with stable fingerprint
  • Smart re-notify rule, not "everything that changed"
  • Manual IOC ingestion for staff and tenants, with target-scoped fingerprinting
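The re-notify rule above, as an added example rather than WASViking's own implementation: each daily match is keyed by a stable fingerprint and compared with the stored state, and a notification fires only for a new finding, a KEV bump, a severity bump, or fix availability. The four-day feed and the fingerprint fields are constructed assumptions.

```python
import hashlib

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed four-day feed for one host and component (not real OSV/KEV
# data): a KEV listing, a cosmetic rewording, then a fix version appear.
DAY1 = [{"host": "checkout-api.prod", "cve": "CVE-2021-44228", "severity": "critical",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "kev": False, "fixed_in": None}]
DAY2 = [dict(DAY1[0], kev=True)]              # CISA adds the CVE to KEV
DAY3 = [dict(DAY2[0], summary="reworded")]    # advisory text changed only
DAY4 = [dict(DAY3[0], fixed_in="2.15.0")]     # a fixed release is published

def fingerprint(host, purl, cve):
    """Stable finding id, so the same exposure maps to one Finding every day."""
    return hashlib.sha256(f"{host}|{purl}|{cve}".encode()).hexdigest()[:16]

def renotify_reasons(prev, cur):
    """Reasons to notify again; an empty list means the channel stays quiet."""
    if prev is None:
        return ["new"]
    reasons = []
    if cur["kev"] and not prev["kev"]:
        reasons.append("kev_bump")
    if SEVERITY_RANK[cur["severity"]] > SEVERITY_RANK[prev["severity"]]:
        reasons.append("severity_bump")
    if cur.get("fixed_in") and not prev.get("fixed_in"):
        reasons.append("fix_available")
    return reasons

def daily_watch(store, matches):
    """One daily pass: store maps fingerprint -> last known state. Returns
    the notifications to route and updates store in place."""
    out = []
    for m in matches:
        fp = fingerprint(m["host"], m["purl"], m["cve"])
        reasons = renotify_reasons(store.get(fp), m)
        if reasons:
            out.append({"fingerprint": fp, "host": m["host"], "cve": m["cve"], "reasons": reasons})
        store[fp] = dict(m)
    return out

def simulate(days):
    """Run the daily pass over a sequence of feeds; return the reasons per day."""
    store = {}
    return [[n["reasons"] for n in daily_watch(store, d)] for d in days]
```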

Inventory view

Component search across every SBOM

Inverted index over your CycloneDX submissions. Answer "which services run log4j 2.x" in one query, with last-seen timestamp per host.

GET /api/v1/sentinel/components/search?name=log4j-core&version=2.14.1

{
  "matches": 3,
  "hosts": [
    "checkout-api.prod",
    "billing-worker.stg",
    "legacy-portal.dr"
  ],
  "kev": true,
  "first_seen": "2026-04-18T11:02Z"
}

Evidence Bundle

The one artifact your auditor and customer both accept.

Replace the ad-hoc PDF dump with a signed package built directly from your tenant data. Issue, reissue, revoke. Share with a token + password split, with bilateral audit log on every access.

What is inside

Per-submission CycloneDX, a consolidated org-wide CycloneDX, a brand cover PDF, plus drift, findings, audit, and compliance CSVs. verification.txt documents the chain.

How it is shared

Token + password split, time-limited, revocable. Public REST scope sca:read. Webhook events on access for the issuing org.

Where it lives

S3 with validated IAM scoping. Operator can reissue with a one-click flow. Posture Shares use the same security model for posture proof.

Secrets, the parallel A07 story

Find secrets where they hide. Without sending them anywhere.

wasviking-sentinel secrets walks your filesystem, and optionally git history, with 32 detectors and 10 live verifiers. Raw secrets never leave the agent. Only a SHA-256 hash and a masked preview reach WASViking.

32 detectors

AWS, GitHub, private keys, database credentials, Stripe, SendGrid, Slack, PagerDuty, and more. AI classifier suppresses test, doc, and placeholder matches.

10 live verifiers

Optional verification against the legitimate provider endpoint. Distinguishes a real, live credential from a regex coincidence.

CI integration

Exit codes 73 verified-live, 74 unverified, 72 ok. Pipelines decide strict-fail or warn. Preflight against an active org API key, with 30-minute cache and 24-hour grace.
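The agent-side contract described in this section, as an added example and not the sentinel's code: one constructed detector (the AWS access key id shape), a stand-in for the placeholder classifier, a report that carries only a SHA-256 and a masked preview, an injectable live verifier, and the page's exit codes 73/74/72. The file tree and the path heuristics are constructed assumptions.

```python
import hashlib
import re

EXIT_LIVE, EXIT_UNVERIFIED, EXIT_OK = 73, 74, 72  # exit codes as documented on the page

# One constructed detector and a constructed file tree; AKIAIOSFODNN7EXAMPLE
# is the key id AWS uses in its own documentation, the others are made up.
DETECTORS = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
FILES = {
    "docs/setup.md": "use AKIAIOSFODNN7EXAMPLE as a placeholder",
    "src/config.py": "AWS_KEY = 'AKIAABCDEFGHIJKLMNOP'",
    "tests/fixtures.py": "KEY = 'AKIAQRSTUVWXYZ012345'",
}
PLACEHOLDER_PATHS = ("docs/", "tests/", "test/", "examples/")

def is_placeholder(path, value):
    """Cheap stand-in for the page's AI classifier: skip doc and test trees
    and values that carry EXAMPLE or TEST in them."""
    return path.startswith(PLACEHOLDER_PATHS) or "EXAMPLE" in value or "TEST" in value

def redact(value):
    """What leaves the agent: a SHA-256 of the secret and a masked preview.
    The raw value itself is never part of the report."""
    return {"sha256": hashlib.sha256(value.encode()).hexdigest(),
            "preview": value[:4] + "*" * (len(value) - 8) + value[-4:]}

def scan(files, verify=None):
    """Walk the files; verify(detector, value) -> bool is the optional live
    verifier. Return (exit_code, findings): 73 if any hit verified live,
    74 if hits exist but none verified, 72 if nothing was found."""
    findings, any_live = [], False
    for path, text in files.items():
        for name, rx in DETECTORS.items():
            for m in rx.finditer(text):
                value = m.group(0)
                if is_placeholder(path, value):
                    continue
                live = bool(verify and verify(name, value))
                any_live = any_live or live
                findings.append({"path": path, "detector": name, "verified": live, **redact(value)})
    code = EXIT_LIVE if any_live else EXIT_UNVERIFIED if findings else EXIT_OK
    return code, findings
```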

See WASViking® on your own stack.

Start a 14-day trial or talk to our team about an enterprise evaluation. No credit card required for the trial.