
Understanding Security Scanning Tools: SCA, InSpec, SSH, and DefectDojo

Last updated on Jan 06, 2026


Security scanning is a core pillar of any DevSecOps pipeline. Whether you are tracking vulnerable libraries, validating compliance controls, or consolidating findings, the right tools make the difference between a noisy pipeline and a trustworthy release. This article demystifies four commonly‑used components—Software Component Analysis (SCA) tools, InSpec, SSH, and DefectDojo—and shows how they fit together in a practical lab environment.


1. Software Component Analysis (SCA) – Choose the Tool That Fits Your Goal

1.1 What is SCA?

SCA examines the open‑source packages that make up your application (e.g., npm, pip, Maven) and maps them to known vulnerability databases. The output is a list of vulnerable components, license conflicts, and suggested upgrades.

1.2 You Can Use Any SCA Tool

The exam or lab typically states “implement an SCA tool.” It does not lock you into a specific product.

| Popular SCA tools | Typical use‑case | Key features |
|---|---|---|
| Retire.js | JavaScript front‑end libraries | Quick CLI, built‑in vulnerability DB |
| Safety | Python packages (pip) | CVE‑based reporting, integrates with GitHub Actions |
| OWASP Dependency‑Check | Java, .NET, Ruby, Python | Supports multiple ecosystems, Maven/Gradle plugins |
| Snyk | Multi‑language, CI/CD integration | Real‑time monitoring, auto‑fix PRs |

Bottom line: As long as the tool performs a full SCA scan and you can export the results (JSON, CSV, etc.), you will receive full credit. Pick the one you are most comfortable with, configure it correctly, and document the output.


2. InSpec – Auditing Infrastructure via SSH

2.1 How InSpec Works

InSpec is an open‑source compliance‑as‑code framework. It runs profiles (collections of controls) against a target system and returns pass/fail results.

  1. Package the profile in a Docker image or install InSpec on your workstation.

  2. Provide the target address (IP or hostname).

  3. Authenticate using an SSH private key.

  4. InSpec opens an SSH session, executes the required commands, and streams the results back.

2.2 Containerized vs. Native Execution

Running InSpec inside a container is equivalent to a native installation:

  • The container includes the InSpec binary and any required gems.

  • When you launch the container, you mount your SSH key (or specify its path) and pass the target host.

  • InSpec uses the key at ~/.ssh/id_rsa by default. If your key lives elsewhere, add -i /path/to/key to the command line.

Example command (Docker):

# TARGET is expanded by the host shell before docker starts, so set it there;
# a -e TARGET=... container variable would not be visible to this command line.
TARGET=10.0.2.15
docker run --rm -v "$HOME/.ssh:/root/.ssh" \
  my-inspec-image \
  inspec exec my-profile -t "ssh://root@${TARGET}" -i /root/.ssh/custom_key

2.3 Why SSH Is Required

InSpec does not need a special agent on the target host. It leverages the ubiquitous SSH protocol to:

  • Run commands with the privileges of the supplied user.

  • Avoid opening additional ports or installing agents.

Therefore, any machine that accepts SSH connections (Linux, macOS, Windows with OpenSSH) can be scanned.
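The following helper, an added example rather than InSpec's own code, ties sections 2.2 and 2.3 together: it assembles the `inspec exec` command line for an SSH target, adds `-i` only when the key is not the default `~/.ssh/id_rsa`, and checks the private key's file mode before the scan starts. The permission rule (group and other bits must be clear) is OpenSSH's own requirement for private keys, not something InSpec enforces, and the `junit` reporter name is the one InSpec uses for JUnit XML output; the profile, user, host and key paths are assumed sample values.

```python
"""Pre-flight checks for running InSpec over SSH (added example, not InSpec code)."""
import os
import shlex
import stat

# InSpec (via net-ssh) falls back to this key when no -i is given, as stated above.
DEFAULT_KEY = os.path.expanduser("~/.ssh/id_rsa")


def key_permission_problems(mode: int) -> list:
    """Report problems with a private key's permission bits.

    OpenSSH refuses a key that is readable by group or others
    ("UNPROTECTED PRIVATE KEY FILE"), so InSpec's SSH session would fail too.
    """
    problems = []
    if mode & stat.S_IRWXG:
        problems.append("key is accessible by group")
    if mode & stat.S_IRWXO:
        problems.append("key is accessible by others")
    return problems


def check_key_file(path: str) -> list:
    """Stat the key on disk and return its problems; a missing file is one too."""
    try:
        st = os.stat(os.path.expanduser(path))
    except FileNotFoundError:
        return [f"key file not found: {path}"]
    return key_permission_problems(stat.S_IMODE(st.st_mode))


def build_inspec_command(profile: str, user: str, host: str,
                         key_path: str = None, output: str = None) -> list:
    """Assemble argv for `inspec exec` against an SSH target.

    `-i` is appended only for a non-default key (section 2.2); when `output`
    is given, results are written as JUnit XML for later upload to DefectDojo.
    """
    cmd = ["inspec", "exec", profile, "-t", f"ssh://{user}@{host}"]
    if key_path and os.path.expanduser(key_path) != DEFAULT_KEY:
        cmd += ["-i", key_path]
    if output:
        cmd += ["--reporter", f"junit:{output}"]
    return cmd


if __name__ == "__main__":
    # Sample values, constructed for this example.
    key = "~/.ssh/lab_key"
    for problem in check_key_file(key):
        print("warning:", problem)
    cmd = build_inspec_command("ssh-hardening-profile", "ubuntu", "10.0.1.20",
                               key_path=key, output="inspec-results.xml")
    print(shlex.join(cmd))
```

Run it once before wiring InSpec into a pipeline: a key with mode 0644 is reported before the scan fails with an opaque SSH error, and the printed command is exactly what the pipeline step should execute.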


3. DefectDojo – Centralizing Findings from Multiple Scanners

3.1 What Is DefectDojo?

DefectDojo is an open‑source vulnerability management platform built with Django (a Python web framework). It aggregates, normalizes, and tracks findings from many security scanners.

3.2 “OS and App Support” Explained

  • Django‑based: The fact that DefectDojo is written in Django only means the application itself runs on a Python/Django stack. It does not restrict the types of applications you can assess.

  • Parser ecosystem: DefectDojo ships with dozens of parsers (JSON, XML, CSV) for tools such as Retire.js, Safety, Trivy, Nessus, and many more. When you upload a scan report, the appropriate parser translates the raw data into a unified format that DefectDojo can display and track.

3.3 Typical Workflow

  1. Run an SCA scan (e.g., Safety) → export JSON.

  2. Run an InSpec compliance scan → export JUnit XML.

  3. Upload both files to DefectDojo via the UI or API.

  4. DefectDojo normalizes the findings, tags them by severity, and lets you assign remediation owners.

  5. Generate reports for auditors, management, or CI pipelines.


4. Practical Lab Scenario

Goal: Scan a Python web app for vulnerable dependencies, validate SSH‑based hardening controls, and store all results in DefectDojo.

  1. SCA with Safety

    safety check --full-report -r requirements.txt --output json > safety-report.json
    
  2. InSpec compliance profile (stored in ssh-hardening-profile)

    inspec exec ssh-hardening-profile -t ssh://ubuntu@10.0.1.20 -i ~/.ssh/lab_key
    
  3. Upload to DefectDojo (using the REST API)

    curl -X POST "https://dojo.example.com/api/v2/import-scan/" \
         -H "Authorization: Token <API_TOKEN>" \
         -F "file=@safety-report.json" -F "scan_type=Safety" \
         -F "engagement=42" -F "product=7"
    

    Repeat for the InSpec XML output.

The lab is complete when DefectDojo shows both sets of findings, each linked to the same engagement.
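Steps 1 and 3 of the lab, and the "Automate uploads" tip further down, can be scripted in a few dozen lines of standard-library Python. The block below is an added example, not Safety's or DefectDojo's own code: it summarizes a Safety JSON report by package and severity, builds the form fields for DefectDojo's `/api/v2/import-scan/` endpoint (the same `file`, `scan_type` and `engagement` fields the curl call above uses, plus `test_title` to record the tool version), and encodes the multipart body without a `requests` dependency. The embedded report is constructed for this example and follows the Safety 2.x layout (a top-level `vulnerabilities` list) as an assumption; the vulnerability ids, the DefectDojo URL and the token are placeholders.

```python
"""Summarize a Safety report and push it to DefectDojo (added example, not project code)."""
import io
import json
import urllib.request
import uuid

# Constructed sample in the Safety 2.x JSON layout (assumed); ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "report_meta": {"safety_version": "2.3.1", "scanned": ["requirements.txt"]},
    "vulnerabilities": [
        {"vulnerability_id": "SAMPLE-0001", "package_name": "django", "analyzed_version": "3.2.0",
         "vulnerable_spec": "<3.2.99", "severity": "high", "advisory": "constructed advisory"},
        {"vulnerability_id": "SAMPLE-0002", "package_name": "django", "analyzed_version": "3.2.0",
         "vulnerable_spec": "<3.2.99", "severity": None, "advisory": "constructed advisory"},
        {"vulnerability_id": "SAMPLE-0003", "package_name": "pyyaml", "analyzed_version": "5.3",
         "vulnerable_spec": "<5.99", "severity": "critical", "advisory": "constructed advisory"},
    ],
})


def summarize(report_json: str) -> dict:
    """Count findings per pinned package and per severity; unrated entries become 'unknown'."""
    vulns = json.loads(report_json).get("vulnerabilities", [])
    by_package, by_severity = {}, {}
    for v in vulns:
        pkg = f'{v["package_name"]}=={v["analyzed_version"]}'
        by_package[pkg] = by_package.get(pkg, 0) + 1
        sev = (v.get("severity") or "unknown").lower()
        by_severity[sev] = by_severity.get(sev, 0) + 1
    return {"total": len(vulns), "by_package": by_package, "by_severity": by_severity}


def import_fields(engagement: int, scan_type: str, tool_version: str,
                  minimum_severity: str = "Info") -> dict:
    """Form fields for /api/v2/import-scan/; the test title pins the tool version."""
    return {
        "scan_type": scan_type,
        "engagement": str(engagement),
        "test_title": f"{scan_type} {tool_version}",
        "minimum_severity": minimum_severity,
        "active": "true",
        "verified": "false",
    }


def encode_multipart(fields: dict, filename: str, content: bytes, boundary: str = None) -> tuple:
    """Hand-rolled multipart/form-data body; returns (content_type, body)."""
    boundary = boundary or uuid.uuid4().hex
    buf = io.BytesIO()
    for name, value in fields.items():
        buf.write(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    buf.write(f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
              f'Content-Type: application/json\r\n\r\n'.encode())
    buf.write(content)
    buf.write(f"\r\n--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", buf.getvalue()


def upload(base_url: str, token: str, fields: dict, filename: str, content: bytes) -> dict:
    """POST the report to DefectDojo and return the decoded JSON response."""
    ctype, body = encode_multipart(fields, filename, content)
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/import-scan/", data=body, method="POST",
        headers={"Authorization": f"Token {token}", "Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
    fields = import_fields(engagement=42, scan_type="Safety", tool_version="2.3.1")
    print(fields)
    # Network call, left commented out; fill in the real host and token:
    # upload("https://dojo.example.com", "<API_TOKEN>", fields, "safety-report.json", SAMPLE_REPORT.encode())
```

In a CI job, read the real `safety-report.json` instead of `SAMPLE_REPORT`, take the token from a secret rather than the command line, and call `upload()` with the engagement id the lab assigns; the returned JSON identifies the test DefectDojo created, which is what the final "both sets of findings linked to the same engagement" check looks for.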


5. Common Questions

| Question | Answer |
|---|---|
| Can I mix different SCA tools in one engagement? | Yes. Upload each report separately; DefectDojo will treat them as distinct scans but you can view them together. |
| Do I need a separate SSH key for InSpec and Ansible? | No. Any key that grants the required privileges on the target host works for both tools. |
| What if my private key is not in ~/.ssh? | Use the -i /path/to/key flag (or mount the key into the container) to tell InSpec where to find it. |
| Is DefectDojo limited to Django projects? | No. It can store findings from any language, framework, or platform as long as the scanner’s output is supported. |
| How do I know which parser to use in DefectDojo? | The UI lists supported scan types (e.g., “Safety”, “InSpec”). Choose the matching type when importing. |

6. Tips for Success

  • Standardize output formats: Export scans as JSON or XML; these are the most reliably parsed by DefectDojo.

  • Version‑lock your tools: Record the exact tool versions (e.g., Safety 2.3.1) to ensure reproducible results.

  • Secure your SSH keys: Use passphrase‑protected keys and a dedicated, low‑privilege user for scanning.

  • Automate uploads: Incorporate the DefectDojo API into your CI pipeline to keep findings up‑to‑date without manual steps.

  • Leverage built‑in profiles: InSpec ships with many ready‑made compliance profiles (CIS, PCI‑DSS). Start with those to avoid writing controls from scratch.


By understanding the flexibility of SCA tools, the SSH‑driven nature of InSpec, and the centralizing power of DefectDojo, you can build a robust, language‑agnostic security testing workflow that satisfies both exam requirements and real‑world DevSecOps best practices. Happy scanning!