Getting Started with SOOS

What Does SOOS Access and Store?


SOOS has been designed to run to the utmost extent possible in your own CI/CD system and to store the bare minimum data necessary to run scans. Other than manifest files and/or SBOM files, we never inspect or store any code.

SCA

Regardless of whether you initiate the scan locally, on a CI/CD system, through our GitHub integration, or using the file upload capabilities, SOOS only ever receives the contents of manifest files and/or file hashes and names. We never look at any files other than those listed under Supported Languages and Formats. Manifest file contents are parsed and only the necessary information is retained; primarily this consists of package id, version, file name, and, for lock files, the optional dependency hierarchy. A temporary audit copy of the full manifest file is retained briefly to assist with support inquiries.

SBOM

When scanning SBOM files, SOOS parses the SBOM to extract information such as package id, version, and license information, which is then run through our analysis engine. We also store the contents of the SBOM indefinitely. Storing the SBOM ensures that we can run continual scans to detect new threats, and allows the original SBOM to be bundled with future exports, particularly when creating Dependent SBOMs.

Containers

SOOS uses Syft to inspect container instances and generate a list of component information for the container. When scanning containers, SOOS will parse the Syft output to extract information such as package id, version, and license information, which is then run through our analysis engine. A temporary audit of the full Syft output is retained briefly to assist with support inquiries.

DAST

DAST inspects web endpoints, so the data that is stored relates to the URL being scanned. When issues are identified, SOOS uses information such as the HTTP request and response payloads to create issues and stores metadata about the request and response. For requests that do not trigger issues, we store only the URL itself, without any other details.

SAST/Secrets Connector

The SAST/Secrets Connector allows you to bring your own SAST or Secrets tool and feed its results into SOOS as a SARIF file. The results are then presented alongside your other scan details for the project. Because we do not control the SAST/Secrets tool you select, we cannot make any guarantee about the data sent to SOOS. We recommend you run the tool with the SARIF output option and inspect the results yourself to ensure you are comfortable with the results being ingested by SOOS. Typically there is no concern, as the code excerpts these tools include are usually quite specific to the problem and consist of only a line or two.
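The inspection step recommended above can be made mechanical. The script below is an added example (not SOOS code or part of the connector) that walks a SARIF 2.1.0 log and lists every block of embedded source text: the region and contextRegion snippets attached to findings, and any full-file artifact contents some tools embed. It also produces a copy with that text removed while keeping file paths and line numbers, for cases where you decide a snippet should not leave your environment. The SAMPLE_SARIF document is constructed for the example, not real tool output; pass your tool's SARIF file as the first argument to inspect it instead.

```python
"""List (and optionally strip) source text embedded in a SARIF 2.1.0 file.

Added example for reviewing a SARIF report before uploading it; not part of
SOOS or of any particular SAST/Secrets tool.
"""
import json
import sys

# Constructed sample SARIF log (not real scanner output) so the script runs
# offline. It contains one finding with snippets, one without, and one
# artifact whose full contents were embedded by the tool.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-secrets-scanner"}},
        "artifacts": [{
            "location": {"uri": "src/config.py"},
            "contents": {"text": "API_KEY = 'placeholder'\nimport os\n"},
        }],
        "results": [
            {
                "ruleId": "hardcoded-secret",
                "message": {"text": "Possible hard-coded credential"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/config.py"},
                    "region": {"startLine": 1,
                               "snippet": {"text": "API_KEY = 'placeholder'"}},
                    "contextRegion": {"startLine": 1, "endLine": 2,
                                      "snippet": {"text": "API_KEY = 'placeholder'\nimport os"}},
                }}],
            },
            {
                "ruleId": "weak-hash",
                "message": {"text": "MD5 used for integrity check"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/util.py"},
                    "region": {"startLine": 10},
                }}],
            },
        ],
    }],
}

# SARIF carries source text under region/contextRegion "snippet" objects and
# under artifact "contents" objects; both hold the text in a "text" member.
TEXT_CARRIERS = ("snippet", "contents")


def embedded_content(node, path="$"):
    """Recursively collect every embedded source text block in a SARIF tree.

    Returns a list of {"path": <JSON-path-like location>, "text": <text>} so a
    reviewer sees exactly which bytes would be uploaded, wherever they sit
    (locations, relatedLocations, codeFlows, artifacts, ...).
    """
    found = []
    if isinstance(node, dict):
        for key in TEXT_CARRIERS:
            carrier = node.get(key)
            if isinstance(carrier, dict) and carrier.get("text"):
                found.append({"path": f"{path}.{key}", "text": carrier["text"]})
        for key, value in node.items():
            found.extend(embedded_content(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(embedded_content(value, f"{path}[{index}]"))
    return found


def strip_embedded_content(node):
    """Return a copy of the SARIF tree with snippet/contents objects removed.

    File URIs, line and column numbers, rule ids and messages are kept, so the
    findings still map back to source without carrying the source itself.
    """
    if isinstance(node, dict):
        return {k: strip_embedded_content(v)
                for k, v in node.items() if k not in TEXT_CARRIERS}
    if isinstance(node, list):
        return [strip_embedded_content(v) for v in node]
    return node


def main(argv):
    """Usage: review_sarif.py [input.sarif [stripped-output.sarif]]"""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    hits = embedded_content(sarif)
    print(f"{len(hits)} embedded source text block(s) found")
    for hit in hits:
        print(f"- {hit['path']}: {hit['text']!r}")
    if len(argv) > 2:
        with open(argv[2], "w", encoding="utf-8") as fh:
            json.dump(strip_embedded_content(sarif), fh, indent=2)
        print(f"stripped copy written to {argv[2]}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the report for the constructed sample, or with your own SARIF path to review real output. The walk is deliberately generic rather than keyed to results[].locations only, because SARIF tools also place location objects under relatedLocations, codeFlows and fixes, and a reviewer wants every occurrence, not just the obvious one.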