# Salus Overview

Salus (Security Automation as a Lightweight Universal Scanner), named after the Roman goddess of protection, is a tool for coordinating the execution of security scanners. You can run Salus on a repository via the Docker daemon and it will determine which scanners are relevant, run them and provide the output. Most scanners are other mature open source projects which we include directly in the container.

Salus is particularly useful for CI/CD pipelines because it becomes a centralized place to coordinate scanning across a large fleet of repositories. Typically, scanners are configured at the repository level for each project. This means that each repository must be updated when making org-wide changes to how the scanners are run. Instead, you can update Salus and all builds will instantly inherit the change.

Salus provides extensive configurations that allow for global defaults and local tweaks. Finally, Salus can report metrics on each repository, such as what packages are included or what concerns exist. These reports can be centrally evaluated in your infrastructure to allow scalable security tracking.


# Quick Start

Docker is required to run Salus. The dependencies for the project are stored on a docker container, which helps reduce the number of steps required to run Salus.

Check out the Getting Started Guide for detailed instructions, or continue here for a more condensed process.

# Installation

Docker is available for different operating systems. You can install the appropriate version for your operating system from the Docker website.

Installing Docker with Homebrew:

```sh
brew install docker
```

- Install Docker for Windows
- Install Docker for Linux

All set! You are now ready to run Salus.

# Running Salus

Navigate to the root directory of the project you want to run Salus on:

```sh
cd /path/to/repo
```

Run the following line in the root directory (no edits necessary). This runs the latest version of Salus:

```sh
docker run --rm -t -v $(pwd):/home/repo coinbase/salus
```

Running a specific version of Salus is also possible. All you need to do is provide the version tag. For example, to run Salus version 2.17.6:

```sh
docker run --rm -t -v $(pwd):/home/repo coinbase/salus:2.17.6
```

# Supported Scanners

Salus serves as an orchestrator for security scanners. Salus triggers the appropriate scanners when a project meets a scanner's requirements (for example, a `Gemfile.lock` is present for BundleAudit).

Salus currently supports the following open-source scanners:

| Scanner | Description |
|---|---|
| Bandit | This scanner executes Bandit 1.6.2, which looks for common security issues in Python code. |
| Brakeman | This scanner executes Brakeman 4.10.0, which looks for vulnerable code in Rails projects. |
| semgrep | This scanner executes semgrep 0.62.0, which looks for semantic and syntactical patterns in code at the AST level. |
| BundleAudit | This scanner executes bundle-audit 0.8.0, which looks for CVEs in Ruby gem dependencies. |
| Gosec | This scanner executes gosec 2.11.0, which looks for security problems in Go code. |
| npm audit | This scanner executes npm audit 6.14.8, which looks for CVEs in Node module dependencies. |
| yarn audit | This scanner executes yarn audit 1.22.0, which looks for CVEs in Node module dependencies. |
| PatternSearch | This scanner executes sift 0.9.0, which looks for certain strings in a project that might be dangerous, or checks that certain required strings are present. |
| Cargo Audit | This scanner executes Cargo Audit 0.14.0, which scans `Cargo.lock` files for crates with security vulnerabilities reported to the RustSec Advisory Database. |

# Additional Scanners

In addition to the open-source options, Salus also provides scanners of its own.

| Scanner | Description |
|---|---|
| GradleOSV | Finds vulnerable dependencies in a Gradle project. By default, GradleOSV pulls advisory information from OSV (the database for open source vulnerabilities) to compare against the dependencies found by running `gradle dependencies`. |
| GoOSV | Finds vulnerable dependencies in a Go project. By default, GoOSV pulls advisory information from OSV to compare against the dependencies found in `go.sum`. |
| MavenOSV | Finds vulnerable dependencies in a Maven project. By default, MavenOSV pulls advisory information from OSV to compare against the dependencies found in `pom.xml`. |
| PythonOSV | Finds vulnerable dependencies in a Python project. By default, PythonOSV pulls advisory information from OSV to compare against the dependencies found in `requirements.txt`. |
| Dependency Scanners | These scanners report the modules or dependencies found in a project. Salus currently has scanners for the following languages: Ruby, Node.js/JavaScript, Python, Go, Rust, Swift. |
| Language Version Scanners | This scanner checks whether a repository's programming language version is within the range of configured versions. |
| Package Version Scanners | This scanner checks whether a repository's package version is within a range of configured versions. This allows you to block certain versions of a package or dependency in your project. |

# Configurations

Salus is highly configurable to work in different environments and with different scanners. It supports environment variable interpolation and cascading configurations and can read configuration and post reports over HTTP.

Sometimes it's necessary to ignore certain CVEs, rules, tests, groups, directories, or otherwise modify the default configuration for a scanner. The scanner configuration documentation explains how to do so for each scanner that Salus supports.
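As an added example (not a file from the Salus project itself), here is a `salus.yaml` that sets org-wide defaults, marks the build-blocking scanners, ignores one reviewed advisory, flags committed private keys, and posts the JSON report over HTTP. The key names follow the Salus configuration format as I know it; the hostnames, the placeholder CVE id and the `{{VAR}}` interpolation syntax are assumptions, so check them against the scanner configuration documentation.

```yaml
# salus.yaml (constructed example). Org-wide defaults live at the HTTPS URL;
# a repository's own salus.yaml, listed last, overrides them (cascading config):
#   docker run --rm -t -v $(pwd):/home/repo \
#     -e SALUS_CONFIGURATION="https://config.example.internal/salus.yaml file://salus.yaml" \
#     coinbase/salus

# Scanners to run whenever their requirements are met.
active_scanners:
  - Brakeman
  - BundleAudit
  - PatternSearch

# Scanners whose failure fails the Salus run (non-zero exit in CI).
# Anything active but not enforced is report-only.
enforced_scanners:
  - BundleAudit
  - PatternSearch

scanner_configs:
  BundleAudit:
    # Advisories reviewed and accepted by the security team.
    # CVE-0000-00000 is a placeholder, not a real identifier.
    ignore:
      - CVE-0000-00000
  PatternSearch:
    matches:
      # Fail the build if private key material is committed.
      - regex: 'BEGIN (RSA|EC|OPENSSH) PRIVATE KEY'
        forbidden: true
        message: "Private keys must not be committed; rotate the key and remove it."

reports:
  # Local copy for the CI job log / artifact.
  - uri: file://salus-report.json
    format: json
    verbose: true
  # Central collection point for fleet-wide tracking.
  # The token is read from the environment (interpolation syntax assumed).
  - uri: https://salus-reports.example.internal/upload
    format: json
    put: true
    headers:
      X-Auth-Token: "{{SALUS_REPORT_TOKEN}}"
```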

# Development 👷♂️

Contributions to this project are extremely welcome. It is our sincere hope that the work we've done serves only as a foundation for the security and development communities to come together and improve the security of everyone's infrastructure.

You can read more about getting your development environment set up, or about the architecture of Salus.


# Releases

The entire release archive of Salus is available on GitHub.


# License 📃

This project is available open source under the terms of the Apache 2.0 License.