# Data Sources

Data Sources in OpsMx Delivery Shield define the entry points from which security scanning is initiated: the **what** and **where** of every scan. Whether your team is scanning source code in a Git repository, a container image in a registry, a pre-existing SBOM file, or a mobile application artifact in JFrog Artifactory, Data Sources provide a unified, on-demand interface to trigger security analysis across all asset types from a single platform.

## Data Source Types

Delivery Shield supports four primary Data Source types for Ad Hoc scanning:

| Data Source              | What Gets Scanned                       | Key Use Case                                                                                           |
| ------------------------ | --------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| **Source Scan**          | Git repositories and branches           | Identify vulnerabilities and compliance risks in source code                                           |
| **Artifact Scan**        | Container images and registry artifacts | Validate security of deployable units before release                                                   |
| **SBOM Scan**            | Uploaded SBOM files (CycloneDX)         | Assess risk in third-party or pre-built software from its component inventory                          |
| **Mobile Artifact Scan** | APK files in JFrog Artifactory          | Comprehensive malware detection, mobile security analysis, and SBOM generation for mobile applications |

## Source Scan

**What It Is**

Source Scan is an on-demand security scanning capability for source code repositories hosted on platforms including GitHub, GitLab, Bitbucket, and others. It runs a configurable set of security tools — including Semgrep, Opengrep, and SonarQube — against selected repositories and branches to identify vulnerabilities, code quality issues, and compliance risks.

During project setup, users can link their source control account, enabling the system to automatically execute all eligible scans on selected repositories and branches. Once completed, the system generates detailed reports highlighting vulnerabilities, security risks, and compliance insights — and raises alerts based on findings with an overall risk status per repository or branch.

> Source Scan brings multiple security scanners together under one roof — so teams get a complete security picture of their code without configuring and running tools individually.

## **Why Source Scan Is Used in OpsMx**

Modern development workflows involve multiple repositories and rapid code changes — making it difficult to consistently enforce security and compliance checks across every branch and every team. Source Scan addresses this by:

* Providing a **unified interface** to run multiple security scanners in one place — no tool-hopping
* Offering **quick visibility** into vulnerabilities and overall risk posture per repository and branch
* **Reducing manual effort** required to configure and run individual scanning tools
* Ensuring **better governance and compliance** across all repositories regardless of team ownership
* **Automatically re-scanning** repositories when new commits are detected — keeping results always current
* Enabling teams to **proactively identify and remediate** security issues before deployment

### **Supported Scanners**

| Scanner       | Type           | What It Detects                                                       |
| ------------- | -------------- | --------------------------------------------------------------------- |
| **Semgrep**   | SAST           | Code-level vulnerabilities, insecure patterns, security anti-patterns |
| **Opengrep**  | SAST           | Community-driven static analysis rules across multiple languages      |
| **SonarQube** | SAST + Quality | Code quality issues, security hotspots, technical debt, compliance    |

### **How to Use — Source Scan**

**For Public Repositories:** Users can initiate a scan directly, without any integration. Provide the repository URL and branch and the system executes the scans immediately.

**For Private Repositories:** Users need to connect the SCM account that hosts the repository (GitHub, GitLab, Bitbucket, or Azure DevOps; see Supported Platforms below). Once connected, they can select repositories and branches and trigger scans.

**Workflow:**

```
Step 1 — Create or configure a project in Delivery Shield
Step 2 — Link SCM account (GitHub / GitLab / Bitbucket) if scanning private repos
Step 3 — Select the target repository and branch
Step 4 — Trigger the scan
Step 5 — Review generated reports and alerts
Step 6 — Download reports for further analysis or compliance submission
```

**Supported Platforms:**

| Platform        | Public Repos         | Private Repos                            |
| --------------- | -------------------- | ---------------------------------------- |
| GitHub          | ✅ Direct scan        | ✅ Requires GitHub account integration    |
| GitLab          | ✅ Direct scan        | ✅ Requires GitLab account integration    |
| Bitbucket       | ✅ Direct scan        | ✅ Requires Bitbucket account integration |
| Azure Repos     | ✅ Direct scan        | ✅ Requires Azure DevOps integration      |
| Other Git Hosts | ✅ Via repository URL | ✅ Via credential configuration           |

***

**Source Scan Results**

Once a scan completes, results are available in the **Reports page** and include:

* **Vulnerability findings** categorized by severity — Critical, High, Medium, Low
* **Risk status** — overall risk score per repository and branch
* **Compliance insights** — policy violations and governance gaps
* **Alerts** — raised automatically based on findings that breach defined thresholds
* **Downloadable reports** — exportable for audit, compliance review, or stakeholder sharing

## Artifact Scan

**What It Is**

Artifact Scan is an on-demand security scanning capability for **container images and artifacts** stored in registries and artifact management systems. Users configure or connect their artifact source during setup and initiate scans on selected artifacts as needed.

Once a scan completes, the system generates detailed reports highlighting vulnerabilities, security risks, and compliance insights. Alerts are raised based on findings, and an overall risk status is provided for each scanned artifact — giving teams a clear picture of whether an artifact is safe to deploy.

> Artifacts are the deployable units of modern applications. Artifact Scan ensures every container image or package is validated for security before it is released or deployed to any environment.

## **Why Artifact Scan Is Used in OpsMx**

Artifacts represent the final, deployable form of an application. A vulnerable dependency or misconfigured image layer that passes code review can still make it into a container image — and from there, directly into production. Artifact Scan closes this gap by:

* Providing a **simple, unified way** to scan artifacts on demand
* Offering **clear visibility** into vulnerabilities and risk posture of every deployable asset
* **Reducing manual effort** in validating artifact security across environments
* Supporting **governance and compliance requirements** for released artifacts
* Enabling teams to **identify and remediate** security risks before artifacts reach staging or production

### **Supported Scanners & Registries**

| Scanner   | Artifact Type                  | What It Detects                                                            |
| --------- | ------------------------------ | -------------------------------------------------------------------------- |
| **Trivy** | Container images, file systems | Vulnerabilities in OS packages and application dependencies, exposed secrets, IaC misconfigurations |
| **Grype** | Container images, binaries     | Vulnerabilities from NVD, GitHub Advisories, and OS-level security notices |

### **Supported Registries**

| Registry                        | Public | Private |
| ------------------------------- | ------ | ------- |
| Docker Hub                      | ✅      | ✅       |
| Amazon ECR                      | —      | ✅       |
| Google Container Registry (GCR) | —      | ✅       |
| Google Artifact Registry        | —      | ✅       |
| Azure Container Registry (ACR)  | —      | ✅       |
| JFrog Artifactory               | —      | ✅       |
| GitLab Container Registry       | —      | ✅       |
| Quay                            | ✅      | ✅       |

### **How to Use — Artifact Scan**

**For Public Artifacts:** Users can initiate a scan directly by providing the artifact reference (image name plus tag or digest, or package details) without any registry integration.

**For Private Artifacts:** Users need to integrate their artifact repository or registry. Once connected, they can select and scan specific artifacts on demand.

**Workflow:**

```
Step 1 — Create or configure a project in Delivery Shield
Step 2 — Connect artifact source / registry (if scanning private artifacts)
Step 3 — Select the target artifact (image name + tag or digest)
Step 4 — Trigger the scan
Step 5 — Review generated reports and alerts
Step 6 — Download reports for further analysis or compliance submission
```
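The reference supplied at Step 3 determines what is actually scanned. A tag can be re-pointed at different content after the scan completes, while a digest names immutable bytes, so a scan result only holds up as a deployment gate when it is recorded against a digest. The parser below is an added example, not Delivery Shield code: it splits a reference into registry, repository, tag and digest following the Docker/OCI reference grammar and reports whether the reference is pinned. The sample references it is exercised with are constructed.

```python
"""Parse a container image reference and check whether it is pinned by digest.

Added example (not Delivery Shield code). Implements the Docker/OCI reference
grammar: [registry/]repository[:tag][@algorithm:hex].
"""
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_REGISTRY = "docker.io"
DIGEST_RE = re.compile(r"^(sha256|sha512):[0-9a-f]{64,128}$")
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        """True only when the reference names immutable content (a digest)."""
        return self.digest is not None

    def canonical(self) -> str:
        out = f"{self.registry}/{self.repository}"
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def parse_image_ref(ref: str) -> ImageRef:
    # Split off the digest first: it is the only part that may contain '@'.
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest: {digest}")
    # The first path component is a registry only if it looks like a host
    # (contains '.', a ':' port, or is 'localhost'); otherwise Docker Hub is implied.
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = DEFAULT_REGISTRY, name
    # A tag is a ':' in the LAST path component; a ':' earlier is a registry port.
    last_slash = path.rfind("/")
    colon = path.rfind(":")
    tag = None
    if colon > last_slash:
        path, tag = path[:colon], path[colon + 1:]
        if not TAG_RE.match(tag):
            raise ValueError(f"malformed tag: {tag}")
    if not path:
        raise ValueError("empty repository")
    # Docker Hub official images live under the implicit 'library/' namespace.
    if registry == DEFAULT_REGISTRY and "/" not in path:
        path = "library/" + path
    # With neither tag nor digest, registries resolve the mutable 'latest' tag.
    if tag is None and digest == "":
        tag = "latest"
    return ImageRef(registry, path, tag, digest or None)


def is_pinned_ref(ref: str) -> bool:
    """Return True iff the reference parses and is pinned by digest."""
    try:
        return parse_image_ref(ref).pinned
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("nginx", "localhost:5000/app:1.0", "ghcr.io/org/app@sha256:" + "a" * 64):
        r = parse_image_ref(sample)
        print(f"{sample:45} -> {r.canonical()}  pinned={r.pinned}")
```

When a reference is not pinned, resolve the tag to its digest at scan time and file the report against that digest; otherwise the tag may point at different bytes by the time the report is read at a deployment gate.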

**Artifact Scan Results**

Once a scan completes, results include:

* **CVE findings** per image layer — with CVE ID, affected package, version, severity, and fix version
* **Risk status** — overall security score per artifact
* **License information** — open-source license compliance per dependency
* **SBOM output** — generated automatically in CycloneDX or SPDX format
* **Alerts** — raised automatically based on severity thresholds
* **Downloadable reports** — exportable for audit, compliance, or deployment gate review

## SBOM Scan

**What It Is**

Ad Hoc SBOM Scan allows users to **upload a Software Bill of Materials (SBOM) file** and scan it for known vulnerabilities and risks, without requiring access to source code or container images. The system analyzes the components listed in the SBOM and generates reports with identified vulnerabilities, alerts, and an overall risk status.

## **Why SBOM Scan Is Used in OpsMx**

SBOMs provide a structured inventory of all components and dependencies in an application. Evaluating hundreds of components manually against vulnerability databases is time-consuming and error-prone. Ad Hoc SBOM Scan solves this by:

* **Quickly identifying vulnerabilities** in all listed components — matched against NVD, OSV, and GitHub Advisory databases in real time
* Providing **immediate risk visibility** without needing access to source code or running containers
* Supporting **security and compliance checks for third-party software** — vendors, COTS applications, and open-source packages where only an SBOM is available
* Enabling **faster decision-making** before deployment or procurement — assess a vendor's software risk from their SBOM alone
* Supporting **SEBI CSCRF**, **NIST 800-53**, and other regulatory mandates requiring SBOM-based component risk assessment

### **How to Use — SBOM Scan**

No integration or account linking required. SBOM Scan works with any valid CycloneDX SBOM file.

**Workflow:**

```
Step 1 — Upload a CycloneDX SBOM file (.json or .xml)
Step 2 — Trigger the scan
Step 3 — Review vulnerabilities, alerts, and risk status
Step 4 — Download the report if needed
```
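The matching that happens between Step 1 and Step 3 is simple to state: for each component, take its package URL (`purl`) and version, look up advisories for that package, and test whether the version falls in an affected range; the worst severity found becomes the risk status and Critical/High findings become alerts. The script below is an added example, not Delivery Shield code, that does this for a constructed CycloneDX JSON SBOM. Its advisory table is a hand-written stand-in for the NVD/OSV/GitHub lookups the product performs, with simplified affected ranges for three well-known advisories, and it handles only the JSON serialization, not the XML one.

```python
"""Scan a CycloneDX SBOM against an advisory table; derive alerts and a risk status.

Added example, not Delivery Shield code. The SBOM is constructed inline and the
advisory table is a hand-written stand-in for NVD/OSV/GitHub Advisory lookups.
"""
import json
import re
from typing import Dict, List, Tuple

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
ALERT_LEVELS = ("Critical", "High")

# Constructed advisory table keyed by versionless purl. Entries are
# (first affected, first fixed, id, severity); ranges are simplified from the
# public advisories and cover numeric releases only.
ADVISORIES: Dict[str, List[Tuple[str, str, str, str]]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        ("2.0", "2.15.0", "CVE-2021-44228", "Critical"),
    ],
    "pkg:npm/lodash": [
        ("0", "4.17.21", "CVE-2021-23337", "High"),
    ],
    "pkg:pypi/requests": [
        ("2.3.0", "2.31.0", "CVE-2023-32681", "Medium"),
    ],
}

# Constructed CycloneDX JSON SBOM: one clean component, two affected ones, and
# one without a purl (nothing to match on).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1?repository_url=pypi.org"},
        {"type": "library", "name": "internal-sdk", "version": "1.0"},
    ],
})


def _ver(v: str) -> Tuple[int, ...]:
    """Numeric version key (2.17.1 -> (2, 17, 1)). Pre-release tags such as
    2.0-beta9 are not ordered correctly here; use packaging.version in production."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def _purl_base(purl: str) -> str:
    """Strip '@version' and '?qualifiers' so the purl matches the table key."""
    return purl.split("@", 1)[0].split("?", 1)[0]


def scan_sbom(sbom_text: str) -> dict:
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    findings: List[dict] = []
    for comp in sbom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            continue  # unmatchable entry; a real report should list these as coverage gaps
        for first, fixed, vuln_id, severity in ADVISORIES.get(_purl_base(purl), []):
            # Affected iff first <= version < fixed (fixed release itself is clean).
            if _ver(first) <= _ver(version) < _ver(fixed):
                findings.append({"component": comp["name"], "version": version,
                                 "id": vuln_id, "severity": severity, "fix_version": fixed})
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    risk_status = next((n for n, rank in SEVERITY_RANK.items() if rank == worst), "None")
    alerts = [f for f in findings if f["severity"] in ALERT_LEVELS]
    return {"findings": findings, "risk_status": risk_status, "alerts": alerts}


if __name__ == "__main__":
    print(json.dumps(scan_sbom(SBOM_JSON), indent=2))
```

Two details matter when reading a real report the same way: a component with no `purl` (or a purl the advisory source does not know) produces no finding, which is silence rather than a clean bill, and the fixed version is excluded from the range, so being exactly on the fix release is clean.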

### **SBOM Scan Results**

Once scanning completes, results include:

* **Component-level vulnerability findings** — CVE ID, severity, affected component, version, and fix version
* **License risk** — license type per component flagged against your organization's policy
* **Overall risk status** — aggregate risk score for the entire SBOM
* **Alerts** — raised for components with Critical or High severity CVEs
* **Downloadable report** — full findings for compliance review or vendor risk assessment

## Mobile Artifact Scan (JFrog Artifactory)

The JFrog Artifactory Mobile Artifact Scan enables comprehensive security scanning of **mobile application artifacts — specifically APK files** — stored in JFrog Artifactory repositories. It integrates multiple specialized scanning engines — VirusTotal, MobSF (Mobile Security Framework), and SBOM generation — to provide malware detection, deep mobile security analysis, and complete component inventory for every scanned mobile artifact.

> **Note:** This feature currently supports **APK files only**.

***

**Why Mobile Artifact Scan Is Used in OpsMx**

Mobile applications carry unique security risks that standard container or source code scanners are not equipped to detect — embedded malware, insecure permissions, hardcoded secrets, insecure API endpoints, and third-party SDK vulnerabilities. Before a mobile artifact is distributed or deployed, it must be validated against these mobile-specific threats.

Mobile Artifact Scan addresses this by:

* Providing **malware detection powered by 70+ antivirus engines** via VirusTotal — catching threats missed by any single scanner
* Running **comprehensive mobile security analysis** via MobSF — covering code vulnerabilities, permission risks, API security, and compliance checks
* Generating a **complete SBOM for every APK** — mapping all embedded libraries, dependencies, and their known CVEs
* Enabling **automated, event-driven scanning** — every new APK deployment in Artifactory triggers a scan automatically
* Supporting **organization-wide mobile artifact governance** — scanning across single repositories or multiple repository groups

***

**Project Creation Levels**

Mobile Artifact Scan supports two project scoping levels in JFrog Artifactory:

| Level                    | Description                                                                                                                                                |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Repository Level**     | Scans mobile artifacts within a single JFrog Artifactory repository — provides complete visibility into all mobile application versions in that repository |
| **Repository All Level** | Scans across multiple repositories in a repository group — enables organization-wide mobile artifact analysis with aggregated security reporting           |

***

**Artifact Selection Options**

| Option            | Description                                                                                             |
| ----------------- | ------------------------------------------------------------------------------------------------------- |
| **All Artifacts** | Scans every mobile artifact version in the repository                                                   |
| **Latest Only**   | Scans only the most recent version of each mobile artifact — optimized for active development workflows |

***

**Prerequisites & Integrator Setup**

Before enabling Mobile Artifact Scan, the following integrations must be configured in Delivery Shield:

| Step  | Integration                      | Purpose                                                                     |
| ----- | -------------------------------- | --------------------------------------------------------------------------- |
| **1** | **JFrog Artifactory Integrator** | Repository connectivity and artifact retrieval — requires JFrog credentials |
| **2** | **JFrog Xray Integrator**        | Deep artifact security scanning integrated with Artifactory                 |
| **3** | **MobSF Integrator**             | Mobile security analysis — enable **Static Analysis** mode                  |
| **4** | **VirusTotal Integrator**        | Malware detection — enable **Malware Detection** toggle                     |

***

**How Mobile Artifact Scan Works — Scan Orchestration**

The scan follows a structured 7-stage pipeline from change detection to team notification:

```
A → Detect Change in Artifactory (new APK deployed or updated)
B → Download APK Artifact to scan environment
C → VirusTotal Malware Scan (70+ antivirus engines)
D → MobSF Security Analysis (static + optional dynamic)
E → SBOM Generation (dependency mapping + CVE correlation)
F → Generate Comprehensive Report (aggregated findings)
G → Notify Development Teams (via configured channels)
```

## **Scanning Capabilities**

**VirusTotal Integration — Malware Detection**

| Capability                | Description                                                                              |
| ------------------------- | ---------------------------------------------------------------------------------------- |
| **Multi-Engine Analysis** | Submits APK files to VirusTotal for scanning across 70+ antivirus engines simultaneously |
| **File Hash Reputation**  | Checks APK file hash against VirusTotal's global threat intelligence database            |
| **Behavioral Analysis**   | Analyzes mobile app behavior and flags suspicious activities                             |
| **Reputation Scoring**    | Provides reputation scores based on community and global threat intelligence             |
| **Real-Time Updates**     | Leverages continuously updated malware detection signatures                              |

***

**MobSF Integration — Mobile Security Analysis**

| Capability                      | Description                                                                                                                                                        |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Static Analysis (SAST)**      | Comprehensive static analysis of APK files — code vulnerability detection, permission analysis, hardcoded secrets detection, insecure configuration identification |
| **Dynamic Analysis**            | Optional runtime behavior analysis of the APK in a sandboxed environment                                                                                           |
| **API Security Testing**        | Assessment of API endpoints exposed or consumed by the mobile application                                                                                          |
| **Permission Analysis**         | Flags excessive, dangerous, or misused Android permissions                                                                                                         |
| **Hardcoded Secrets Detection** | Identifies API keys, tokens, and passwords embedded in the APK code                                                                                                |
| **Compliance Checking**         | Validates mobile app security standards and app store security requirements                                                                                        |
| **Configuration Security**      | Detects insecure app configurations — debug mode enabled, backup allowed, exported components                                                                      |
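The Configuration Security row is the easiest of these checks to reproduce by hand, and seeing it in code makes clear what a finding actually tests. The script below is an added example, not MobSF or Delivery Shield code: it reads an `AndroidManifest.xml` and flags `android:debuggable="true"`, `allowBackup` left enabled, and exported components (or components with an intent-filter and no explicit `exported` value, which are exported by default before targetSdk 31) that carry no `android:permission`. The two manifests it runs on are constructed, the weak one beside a hardened one; the launcher activity is skipped because it has to be exported.

```python
"""Flag insecure AndroidManifest.xml settings of the kind reported under
"Configuration Security" above. Added example, not MobSF or Delivery Shield
code; both manifests are constructed and the check list is illustrative.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(el: ET.Element, name: str) -> Optional[str]:
    """Read an android:* attribute (ElementTree keys it by the full namespace)."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(comp: ET.Element) -> bool:
    """The MAIN/LAUNCHER activity must be exported; it is not a finding."""
    for flt in comp.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def check_manifest(manifest_xml: str) -> List[dict]:
    findings: List[dict] = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return findings
    if _attr(app, "debuggable") == "true":
        findings.append({"id": "DEBUGGABLE", "severity": "High",
                         "detail": "android:debuggable=true: a debugger can be attached over adb"})
    if _attr(app, "allowBackup") != "false":
        findings.append({"id": "ALLOW_BACKUP", "severity": "Medium",
                         "detail": "allowBackup not false: app data can be pulled with adb backup"})
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        # Before targetSdk 31 a component with an intent-filter is exported unless told otherwise.
        effectively_exported = exported == "true" or (exported is None and comp.find("intent-filter") is not None)
        if effectively_exported and not _attr(comp, "permission") and not _is_launcher(comp):
            findings.append({"id": "EXPORTED_UNPROTECTED",
                             "severity": "High" if comp.tag == "provider" else "Medium",
                             "component": f"{comp.tag}:{_attr(comp, 'name')}",
                             "detail": "reachable by any app on the device with no permission check"})
    return findings


# Constructed weak manifest: debug build, backup left on, an exported service and
# an implicitly exported receiver with no permission, and a properly guarded provider.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="true" android:permission="com.example.app.READ_DATA"/>
  </application>
</manifest>"""

# Constructed hardened manifest: same components, insecure settings corrected.
# A receiver with exported="false" still receives broadcasts sent by the system.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="false" android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="true" android:permission="com.example.app.READ_DATA"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for f in check_manifest(WEAK_MANIFEST):
        print(f["severity"], f["id"], f.get("component", ""), "-", f["detail"])
    print("hardened manifest findings:", check_manifest(HARDENED_MANIFEST))
```

A scanner such as MobSF reads the binary manifest out of the APK and applies many more checks than these four; the point here is that each configuration finding is a concrete attribute test, which is what makes the remediation guidance in the report actionable.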

***

**SBOM Generation — Dependency & Component Inventory**

| Capability                    | Description                                                                                    |
| ----------------------------- | ---------------------------------------------------------------------------------------------- |
| **Dependency Mapping**        | Creates a comprehensive SBOM for the APK — mapping all embedded libraries and third-party SDKs |
| **Component Inventory**       | Identifies all embedded libraries, versions, and origins                                       |
| **Vulnerability Correlation** | Maps every component to known CVEs from NVD and OSV databases                                  |
| **License Compliance**        | Tracks open-source licenses across all embedded dependencies and flags violations              |
| **Export Formats**            | Generates SBOM in **SPDX**, **CycloneDX**, and **JSON** formats                                |
| **Dependency Tree**           | Visualizes nested dependency relationships within the APK                                      |

***

**Scheduling & Scan Optimization**

| Feature                   | Description                                                                   |
| ------------------------- | ----------------------------------------------------------------------------- |
| **Scheduled Scans**       | Run at configurable intervals — minutes, hours, or days                       |
| **Event-Based Triggers**  | Automatically triggered on new APK deployments to Artifactory                 |
| **Manual On-Demand**      | Initiate scans at any time from the dashboard                                 |
| **Content Hash Skip**     | Skips unchanged artifacts using content hash comparison — no redundant scans  |
| **Differential Scanning** | Scans only updated dependencies when a new version of a known APK is detected |
| **Parallel Scanning**     | Scans multiple artifacts simultaneously for large repositories                |
| **Incremental Scanning**  | Supports partial updates for repositories with frequent minor changes         |
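Two of the options above decide how much work a scheduled run does: the Latest Only selection from Artifact Selection Options and the Content Hash Skip. The script below is an added example, not Delivery Shield code, that plans a run over a constructed Artifactory listing: it keeps the most recently uploaded entry per artifact when Latest Only is set, hashes each candidate's bytes with SHA-256 and skips anything whose hash was already scanned, including a release candidate re-uploaded unchanged as the release. The `<repository>/<artifact>/<version>/<file>` path layout used to group versions is an assumption, and the hash cache is an in-memory set standing in for persistent scan state.

```python
"""Plan which APKs in an Artifactory repository to scan: 'Latest Only' per
artifact and a content-hash skip for bytes already scanned.

Added example, not Delivery Shield code. The listing is constructed; the
artifact key convention (<repo>/<artifact>/<version>/<file>) is an assumption
about the repository layout, and the hash cache is an in-memory set.
"""
import hashlib
from datetime import datetime
from typing import Dict, Iterable, List, Set


def sha256_hex(data: bytes) -> str:
    """Content hash of an artifact; Artifactory reports the same value as sha256."""
    return hashlib.sha256(data).hexdigest()


# Constructed listing: path and upload time (UTC) as a storage listing reports
# them, plus the APK bytes (real entries carry a sha256 field instead).
LISTING: List[Dict] = [
    {"path": "mobile-release/app/1.0.0/app-1.0.0.apk", "created": "2024-03-01T10:00:00", "content": b"apk-app-1.0.0"},
    {"path": "mobile-release/app/1.1.0/app-1.1.0.apk", "created": "2024-03-10T10:00:00", "content": b"apk-app-1.1.0"},
    {"path": "mobile-release/app/1.2.0/app-1.2.0.apk", "created": "2024-03-20T10:00:00", "content": b"apk-app-1.2.0"},
    # The release candidate was re-uploaded unchanged as the 2.0.0 release.
    {"path": "mobile-release/wallet/2.0.0-rc/wallet-2.0.0-rc.apk", "created": "2024-03-12T10:00:00", "content": b"apk-wallet-2.0.0"},
    {"path": "mobile-release/wallet/2.0.0/wallet-2.0.0.apk", "created": "2024-03-15T10:00:00", "content": b"apk-wallet-2.0.0"},
]

# Hashes of content scanned in earlier runs: app 1.1.0 and wallet 2.0.0.
SCANNED_HASHES: Set[str] = {sha256_hex(b"apk-app-1.1.0"), sha256_hex(b"apk-wallet-2.0.0")}


def artifact_key(path: str) -> str:
    """Group versions of one artifact: drop the version directory and file name."""
    return "/".join(path.split("/")[:-2])


def select_latest(listing: Iterable[Dict]) -> List[Dict]:
    """Keep the most recently uploaded entry per artifact ('Latest Only')."""
    latest: Dict[str, Dict] = {}
    for entry in listing:
        key = artifact_key(entry["path"])
        if key not in latest or datetime.fromisoformat(entry["created"]) > datetime.fromisoformat(latest[key]["created"]):
            latest[key] = entry
    return list(latest.values())


def plan_scan(listing: List[Dict], scanned: Set[str], latest_only: bool) -> Dict[str, List[str]]:
    """Return the paths to scan and the paths skipped because their bytes are already known."""
    candidates = select_latest(listing) if latest_only else list(listing)
    seen = set(scanned)  # copy: the caller's cache should only grow after a real scan
    plan: Dict[str, List[str]] = {"scan": [], "skip": []}
    for entry in candidates:
        digest = sha256_hex(entry["content"])
        if digest in seen:
            plan["skip"].append(entry["path"])
            continue
        seen.add(digest)  # also de-duplicates identical bytes within this run
        plan["scan"].append(entry["path"])
    return plan


if __name__ == "__main__":
    for latest_only in (True, False):
        print(f"latest_only={latest_only}:", plan_scan(LISTING, SCANNED_HASHES, latest_only))
```

Hash-based skipping only stays safe if the cache is keyed on the bytes and not on the path or version string: the same path can be overwritten in a repository that allows redeployment, and the example's re-uploaded release candidate shows the converse, a new path that needs no new scan. Advisory data changes independently of the bytes, so a hash skip should also expire when the vulnerability database is refreshed.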

***

**Role-Based Access Control (RBAC)**

Mobile Artifact Scan respects JFrog Artifactory's existing permission model:

| Role                                 | Access Level                                                |
| ------------------------------------ | ----------------------------------------------------------- |
| **Read access** to target repository | Required to execute scans                                   |
| **scan-viewer**                      | Access to view scan reports and findings                    |
| **scan-admin**                       | Access to configure scan settings and manage scan schedules |

***

**Mobile Artifact Scan Results**

Once scanning completes, a comprehensive report is generated and available in the **Reports page**, including:

| Report Section                | Contents                                                                                                |
| ----------------------------- | ------------------------------------------------------------------------------------------------------- |
| **Malware Detection Summary** | VirusTotal results, engine-by-engine threat scores, and reputation assessment                           |
| **Security Assessment**       | MobSF static and dynamic analysis findings — vulnerabilities, permissions, hardcoded secrets, API risks |
| **SBOM Inventory**            | Complete component and dependency list with version, origin, and license per entry                      |
| **Vulnerability Correlation** | CVE findings mapped to specific SBOM components                                                         |
| **Compliance Status**         | App store requirements and mobile security standards compliance check                                   |
| **Remediation Guidance**      | Mobile-specific, actionable security recommendations per finding                                        |

***

**Key Components**

| Component                 | Responsibility                                                            |
| ------------------------- | ------------------------------------------------------------------------- |
| **Artifactory Adapter**   | Repository connectivity and APK artifact retrieval from JFrog Artifactory |
| **VirusTotal Integrator** | Malware scanning and threat intelligence via 70+ antivirus engines        |
| **MobSF Engine**          | Mobile-specific static and dynamic security analysis                      |
| **SBOM Generator**        | Dependency mapping, component tracking, and CVE correlation               |
| **Report Generator**      | Consolidates all findings into a unified, downloadable report             |

## Comparing All Data Source Types

| Capability                  | Source Scan          | Artifact Scan          | SBOM Scan          | Mobile Artifact Scan         |
| --------------------------- | -------------------- | ---------------------- | ------------------ | ---------------------------- |
| **What gets scanned**       | Git repo / branch    | Container image        | Uploaded SBOM file | APK in JFrog Artifactory     |
| **Source code required**    | ✅                    | ❌                      | ❌                  | ❌                            |
| **Integration required**    | For private repos    | For private registries | ❌ Never            | ✅ JFrog Artifactory + Xray + MobSF + VirusTotal |
| **Malware detection**       | ❌                    | ❌                      | ❌                  | ✅ VirusTotal (70+ engines)   |
| **SAST scanning**           | ✅ Semgrep, Opengrep, SonarQube | ❌           | ❌                  | ✅ MobSF                      |
| **SCA scanning**            | ✅                    | ✅ Trivy, Grype         | ✅ CVE matching     | ✅ SBOM correlation           |
| **SBOM generated**          | ✅                    | ✅                      | Upload only        | ✅ SPDX / CycloneDX / JSON    |
| **License compliance**      | ✅                    | ✅                      | ✅                  | ✅                            |
| **Auto re-scan on changes** | ✅ On new commits     | ✅ On new image tags    | ❌ Manual           | ✅ On new APK deployments     |
| **Downloadable reports**    | ✅                    | ✅                      | ✅                  | ✅                            |
| **Alerts raised**           | ✅                    | ✅                      | ✅                  | ✅                            |

***

#### Benefits for the User

**1. Scan Any Asset — Immediately, Without Pipeline Changes**

All four Data Source types support on-demand scanning with no webhook configuration, no pipeline modification, and no DevOps involvement — security and compliance teams can initiate scans independently at any time.

**2. Mobile-Specific Security — Purpose-Built for APKs**

Standard container and source scanners cannot detect mobile threats. Mobile Artifact Scan combines VirusTotal's 70+ engine malware detection with MobSF's deep static and dynamic analysis — providing security coverage purpose-built for the unique threat surface of mobile applications.

**3. Third-Party & Vendor Risk Assessment — No Source Code Needed**

SBOM Scan and Mobile Artifact Scan both enable security assessment of software teams did not build — vendor applications, COTS products, and third-party mobile SDKs — from component inventory alone.

**4. Unified Reports Across All Asset Types**

Whether scanning source code, a container image, an SBOM file, or a mobile APK, all results land in the same **Reports page** in Delivery Shield — with consistent severity categorization, alert management, and download options.

**5. Always Current — Automated Re-scanning on Changes**

Source Scan re-scans on new commits, Artifact Scan detects new image tags, and Mobile Artifact Scan triggers automatically on every new APK deployment — ensuring security findings are never stale as assets evolve.

**6. Complete Mobile Application Lineage**

Mobile Artifact Scan generates a full SBOM for every APK — mapping all embedded libraries, SDKs, and their known CVEs — giving mobile security teams the same component-level transparency that container scanning provides for cloud-native applications.

**7. Compliance Evidence — On Demand**

All scan results are downloadable in report format — ready for regulatory submission, internal audit review, or deployment gate documentation across all four data source types.
