Inspector
Kusari Inspector provides a comprehensive security analysis of changes and repository health. It is available as a command line tool, GitLab template, GitHub App, and GitHub Action.

How it works
For code and dependency changes, Kusari Inspector runs a suite of industry-standard tools over changed files. It then takes those results and does a deep analysis with code context to return a go/no-go recommendation. Regardless of the recommendation, Kusari Inspector provides actionable remediation and improvement suggestions, including comments on specific lines where appropriate.
Kusari Inspector integrates with the Kusari Platform to consolidate project and repository insights while linking source code commits to runtime events.
Supported languages
- Golang (Go) - go.mod, go.sum
- Node.js (NPM) - package-lock.json, yarn.lock
- Python (PyPI) - requirements.txt, poetry.lock, Pipfile.lock, uv.lock
- Java (Maven) - pom.xml, gradle.lockfile, buildscript-gradle.lockfile
- .NET (NuGet) - .csproj, .vbproj, .fsproj
- Ruby (RubyGems) - Gemfile.lock
- Rust (Cargo) - Cargo.lock
- HashiCorp Configuration Language (HCL)
Checks
Kusari Inspector checks for:
- Credentials and other secrets
- Typosquatted dependency names
- Common code weaknesses via static analysis
- Direct and transitive dependencies
- Dependencies’ repository security posture
- Software licenses
  - Categorized into strong copyleft, weak copyleft, network copyleft and permissive
- Known vulnerabilities, including severity (CVSS), likelihood of exploit (EPSS), and known exploited vulnerabilities
- GitHub workflow security issues
- Dockerfile security issues
- Terraform security issues
- Helm Chart security issues
Blocked Packages
The Blocked Packages check is only available to Kusari Platform customers.
The Inspector can check pull requests for the presence of packages that your organization has blocked. When a blocked package is detected in a PR, Inspector will flag it and recommend not proceeding.

To set up and manage your blocked packages list, see the Blocked Packages guide.
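The Blocked Packages check described above, modelled as an added example (this is not Kusari's code and says nothing about how Inspector implements it): it parses two of the lockfile formats listed under Supported languages, applies PEP 503 name normalization so a blocklist entry matches regardless of casing or separators, and separates packages a PR introduces from ones already present. The blocklist and lockfile contents are constructed.

```python
"""Blocked-package check over a PR's dependency changes.
Added example (not Kusari's code) modelling the Blocked Packages check for
two lockfile formats listed above; blocklist and file contents are constructed.
"""
import json
import re
from typing import Iterable

def normalize_pypi(name: str) -> str:
    """PEP 503 normalization: PyYAML, pyyaml and py_yaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def packages_from_requirements(text: str) -> set[str]:
    """Normalized PyPI names from requirements.txt content."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or line.startswith("-"):  # skip options such as -r / -e
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)  # name before [extras]/==
        if m:
            names.add(normalize_pypi(m.group(1)))
    return names

def packages_from_package_lock(text: str) -> set[str]:
    """npm names, transitive included, from a lockfileVersion 2/3 package-lock.json."""
    lock = json.loads(text)
    # keys look like "node_modules/a/node_modules/@scope/b"; "" is the root project
    return {p.rsplit("node_modules/", 1)[-1] for p in lock.get("packages", {}) if p}

def blocked_in_change(before: set[str], after: set[str],
                      blocklist: Iterable[str], normalize=lambda n: n) -> dict:
    """Flag blocked packages a PR introduces (vs. already present) and give go/no-go."""
    blocked = {normalize(b) for b in blocklist}
    introduced = sorted((after - before) & blocked)
    preexisting = sorted((after & before) & blocked)
    return {"recommendation": "no-go" if introduced else "go",
            "introduced": introduced, "preexisting": preexisting}

# Constructed PR: base and head requirements.txt, plus an organization blocklist.
REQ_BEFORE = "requests==2.31.0\n# web\nflask[async]==3.0.0\n"
REQ_AFTER = REQ_BEFORE + "PyYAML==5.3.1\n-r dev.txt\n"
PYPI_BLOCKLIST = ["pyyaml", "pycrypto"]  # casing differs from the lockfile entry

def check_requirements_pr() -> dict:
    return blocked_in_change(packages_from_requirements(REQ_BEFORE),
                             packages_from_requirements(REQ_AFTER),
                             PYPI_BLOCKLIST, normalize_pypi)
```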
Security and Privacy
We do not store your code in any form. Code is analyzed by industry-standard security tools running in Kusari’s cloud infrastructure. The output of those tools, as well as a subset of the code, is sent to the AI model for analysis. Once analysis is completed, all input is deleted. The AI model is not trained on customer code or analysis results. All analysis is done in memory, and data is encrypted at rest and in transit. Kusari is SOC 2 Type II compliant.