Application Security Posture Management
Runtime security, SAST/DAST integration, risk prioritization
View the interactive project page →
Application Security Posture Management
Part of the worlds-biggest-software-project initiative.
An AI-native platform that consolidates findings from every AppSec scanner into a single, prioritised risk view -- so security teams fix what actually matters instead of drowning in duplicate alerts.
Most mid-to-large engineering organisations run five or more application security scanners -- SAST, DAST, SCA, container scanning, IaC checks -- each producing its own alert queue. Application Security Posture Management (ASPM) sits on top of these tools, normalises their output into a common schema, deduplicates findings, and surfaces the subset of vulnerabilities that pose genuine business risk. This project aims to deliver an open-source ASPM aggregation and prioritisation layer that any team can self-host without vendor lock-in.
Why Application Security Posture Management?
- Tool sprawl creates noise, not insight. Security teams spend more time triaging duplicate alerts across five dashboards than they do remediating real vulnerabilities. Every incumbent aggregates findings, but most require weeks of onboarding and connector configuration before delivering value.
- Reachability analysis is gated behind enterprise pricing. The single most impactful feature for reducing false positives -- confirming whether a flagged vulnerability is actually reachable from an internet-facing entry point -- is locked behind premium tiers at vendors like Cycode, Apiiro, and CrowdStrike.
- Developer experience is an afterthought. Security teams buy ASPM, but developers are the daily users. Most platforms route remediation through a separate security portal rather than surfacing actionable guidance inline in pull requests and CI/CD workflows.
- Mid-market teams are underserved. Enterprise platforms like Apiiro and ArmorCode target large security programmes with pricing to match. Aikido Security addresses SMBs but with limited supply chain and runtime coverage. There is no open-source option combining reachability analysis with a polished developer UX at accessible cost.
- Vendor lock-in undermines the aggregation premise. An ASPM tool that is itself proprietary and closed-source creates the same dependency problem it claims to solve. An open-source aggregation layer lets teams own their risk data.
Key Features
Unified Finding Aggregation
- Scanner connector library ingesting findings from Snyk, Semgrep, Trivy, OWASP ZAP, Checkmarx, Veracode, and Wiz via standard output formats
- Finding normalisation and deduplication across heterogeneous scanner outputs into a common risk schema
- Risk prioritisation combining CVSS severity with asset criticality and public exposure context
- SBOM generation and export for regulatory compliance and customer due diligence
Developer Workflow Integration
- CI/CD pipeline integration blocking deployments on policy-violating findings (GitHub Actions and GitLab CI at minimum)
- Developer-facing PR annotations surfacing findings inline with actionable remediation steps
- Jira, ServiceNow, and Linear integration for remediation ticket creation with finding context pre-populated
- Weekly digest notifications summarising new findings and closed issues
Risk Prioritisation and Policy Enforcement
- Reachability analysis confirming which vulnerabilities are accessible from internet-facing entry points to reduce false-positive noise
- Policy engine for defining and auto-enforcing security gates per environment and code scope
- Compliance framework mapping to SOC 2, PCI-DSS, ISO 27001, and NIST
- SLA tracking with dashboards for open high-severity finding age and time-to-remediation
Supply Chain and Context Mapping
- Software supply chain provenance mapping tracing vulnerable dependencies through the full build pipeline
- Code-to-cloud context graph linking findings to affected business assets and data flows
- Pre-commit risk detection flagging high-risk code changes before they enter the main branch
AI-Augmented Security
- AI-generated fix code patches for common vulnerability classes surfaced directly in pull requests
- Risk narrative generation providing plain-language explanations of why a finding is high-priority
- Anomalous code change detection flagging commits that deviate from historical patterns for security review
- Attack path simulation modelling how a confirmed vulnerability could be exploited across the application graph
AI-Native Advantage
An AI-native ASPM platform goes beyond static rule matching. Automated fix generation produces code patches for common vulnerability classes and surfaces them directly in the PR workflow, cutting remediation time from hours to minutes. Risk narrative generation translates cryptic scanner output into plain-language context that developers can act on without security team involvement. Anomalous code change detection uses ML to flag commits that touch authentication, cryptography, or PII-handling code in patterns that deviate from the repository's history -- catching risky changes that no individual scanner would flag. Attack path simulation models how a confirmed vulnerability could be chained with other weaknesses across the application graph, letting teams prioritise based on actual exploit potential rather than isolated CVSS scores.
Tech Stack & Deployment
The platform is designed to be self-hosted, removing the vendor lock-in inherent in every current commercial ASPM solution. The scanning backbone builds on established open-source tools: Semgrep (LGPL) for SAST, OWASP ZAP (Apache 2.0) for DAST, and Trivy (Apache 2.0) for container and dependency scanning. Integration with commercial scanners (Snyk, Checkmarx, Veracode, Wiz) is via their standard API and output format connectors. Runtime reachability data can be collected via eBPF probes for low-overhead system-call telemetry from running workloads. CI/CD integration targets GitHub Actions and GitLab CI as first-class citizens, with SCM support for GitHub, GitLab, Bitbucket, and Azure DevOps.
Market Context
The ASPM market was valued at approximately $457 million in 2024 and is forecast to grow at roughly 30% CAGR through 2029 (Frost & Sullivan). Gartner projects that by 2027, 80% of organisations in regulated verticals will incorporate some form of ASPM. Incumbent pricing is enterprise-focused: Apiiro and ArmorCode target large security programmes, while even mid-market options like Aikido Security are proprietary SaaS. The primary buyers are application security teams and engineering leadership in organisations running multiple scanners who need a single pane of glass for risk management.
Project Status
This project is in the research and specification phase.
Contributions, feedback, and domain expertise are welcome.
Contributing
We welcome contributions from developers, domain experts, and potential users. See CONTRIBUTING.md for guidelines.
Important: All contributions must be your own original work or clearly attributed open-source material with a compatible licence. Copyright infringement and licence violations will not be tolerated and will result in immediate removal of the offending contribution. If you are unsure whether a piece of code, text, or other material is safe to contribute, open an issue and ask before submitting.
Licence
Licence to be determined. See discussion for context.