Scan types
Musha runs three independent scanners. Use scan_type=full to run all three simultaneously.
SCA — Software Composition Analysis
SCA scans your dependency manifests and lockfiles against the OSV advisory database (which aggregates NVD, GitHub Advisories, and ecosystem-specific databases).
Supported ecosystems
| Language | Manifest files |
|---|---|
| Go | go.mod |
| Node.js | package-lock.json, yarn.lock, pnpm-lock.yaml |
| Python | requirements.txt, Pipfile, pyproject.toml |
| Rust | Cargo.lock, Cargo.toml |
| Java | pom.xml, build.gradle, build.gradle.kts, gradle.lockfile |
| Ruby | Gemfile.lock |
| PHP | composer.lock |
| .NET / C# | packages.lock.json, packages.config, *.csproj |
What SCA finds
- Known CVEs in direct and transitive dependencies
- The exact fix version (upgrade command included)
- Whether the dependency is direct (you explicitly imported it) or transitive (pulled in by another dep)
- Whether the fix requires a breaking change (major version bump)
What SCA does NOT find
- Logic bugs, XSS, SQL injection, or any code-level vulnerability
- Vulnerabilities with no CVE or advisory yet (zero-days)
IaC — Infrastructure as Code
IaC scans your infrastructure definitions against a library of 140+ security rules based on CIS AWS Foundations Benchmark v2.0, AWS Foundational Security Best Practices (FSBP), NSA/CISA Kubernetes Hardening Guidance, and NIST SP 800-53.
Supported formats
| Format | Detection |
|---|---|
| Terraform | All *.tf files |
| CloudFormation | YAML/JSON files detected by content heuristic (requires AWSTemplateFormatVersion or Resources: with AWS resource types) |
| Kubernetes | YAML/JSON files detected by apiVersion + kind fields |
What IaC finds
Examples of what Musha detects:
- S3 buckets with public access enabled
- RDS instances without encryption at rest
- Security groups with 0.0.0.0/0 ingress on sensitive ports
- Kubernetes containers running as root or with privileged: true
- EKS clusters without envelope encryption for secrets
- IAM roles with wildcard * actions
Suppressing false positives
Add # musha:skip=INFRA-TF-001 (Terraform) or # musha:skip=INFRA-CF-001 (CloudFormation) to the line of the resource to suppress a specific rule for that resource.
Secrets Detection
The Secrets scanner looks for hardcoded credentials, API keys, and tokens in your source code.
Detection methods
1. Known provider patterns — High-confidence regex patterns for specific providers:
| Provider | Example pattern |
|---|---|
| AWS | AKIA[0-9A-Z]{16} (Access Key ID) |
| GitHub | ghp_, gho_, ghs_ (Personal Access Tokens) |
| Stripe | sk_live_, rk_live_ |
| Slack | xoxb-, xoxp-, xapp- |
| SendGrid | SG. + 69 chars |
| Musha | msk_live_ |
| + 10 more providers | — |
2. Shannon entropy — High-entropy strings (≥ 4.5 bits/char) in assignment context (e.g. password =, api_key =) that don't match a known variable reference.
False positive suppression
- Secrets in test/spec/example files are downgraded to Info severity automatically.
- Add # musha-ok inline to explicitly suppress a specific line.
- Placeholder variables (YOUR_KEY_HERE, $ENV_VAR, process.env.X) are suppressed.
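The entropy check and the suppression rules above, as an added illustrative example written for this page rather than Musha's own code: the 4.5 bits/char threshold, the # musha-ok marker, the placeholder list and the test-file downgrade come from the page; the regexes, file paths and sample lines are assumptions constructed for the demo.

```python
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 4.5  # bits per character, the threshold documented above
PLACEHOLDERS = {"YOUR_KEY_HERE"}
# Assignment context: a credential-like identifier, ':' or '=', then an optionally quoted value.
ASSIGNMENT_RE = re.compile(r"(?i)(\w*(?:password|passwd|secret|api_?key|token))\s*[:=]\s*[\"']?([^\"'\s,;]+)")
VAR_REF_RE = re.compile(r"^\$\{?[A-Za-z_]\w*\}?$|^process\.env\.\w+$")  # $ENV_VAR, ${ENV_VAR}, process.env.X
TEST_PATH_RE = re.compile(r"(?i)\b(tests?|specs?|examples?)\b")  # test/spec/example files downgrade to Info

SAMPLE_FILES = {  # constructed sample input, not from any real project; the key-like string has 32 distinct chars
    "src/config.py": "\n".join([
        'db_password = "hunter2"',                                  # low entropy: ignored
        'api_key = "Qw8zL2pX9vB4nR7tY1uK6mJ3hG5fD0sA"',             # 5.0 bits/char: High finding
        "api_key = process.env.API_KEY",                            # known variable reference
        'token = "YOUR_KEY_HERE"',                                  # placeholder value
        'secret = "Qw8zL2pX9vB4nR7tY1uK6mJ3hG5fD0sA"  # musha-ok',  # inline suppression
        "password = $DB_PASSWORD",                                  # shell-style reference
    ]),
    "tests/test_config.py": 'api_key = "Qw8zL2pX9vB4nR7tY1uK6mJ3hG5fD0sA"',  # test file: Info
}

def shannon_entropy(value: str) -> float:
    """Bits per character of the value's empirical character distribution."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0

def scan_line(path: str, lineno: int, line: str):
    """Return a finding dict for a suspicious assignment, or None when nothing fires or it is suppressed."""
    if "# musha-ok" in line:
        return None
    m = ASSIGNMENT_RE.search(line)
    if not m:
        return None
    name, value = m.groups()
    if value in PLACEHOLDERS or VAR_REF_RE.match(value):
        return None
    entropy = shannon_entropy(value)
    if entropy < ENTROPY_THRESHOLD:
        return None
    severity = "Info" if TEST_PATH_RE.search(path) else "High"
    return {"path": path, "line": lineno, "variable": name, "entropy": round(entropy, 2), "severity": severity}

def scan_files(files: dict) -> list:
    """Scan every line of every file and collect the findings."""
    return [f for path, text in files.items()
            for lineno, line in enumerate(text.splitlines(), start=1)
            if (f := scan_line(path, lineno, line)) is not None]
```

Running scan_files(SAMPLE_FILES) yields two findings: the High one on line 2 of src/config.py and the Info one in the test file; every other sample line is filtered by entropy, reference detection, the placeholder list or the inline marker.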
What Secrets does NOT do
Musha does not verify credentials by calling external APIs. A detected secret is not confirmed as valid — it only means the pattern was found. Rotate any detected secret immediately regardless.
Choosing a scan type
For most teams, scan_type=full is the right default. If you have a specific need:
| Use case | Recommended |
|---|---|
| Full security posture | full |
| Dependency-heavy monorepo, fast feedback | sca |
| Terraform-only repo | iac |
| Audit for leaked credentials | secrets |
| SCA + IaC, no secrets | sca,iac |