Security Control Map
| Stage | Control | Tool / practice |
|---|---|---|
| Design | Threat and abuse review | Engineering review |
| Source | Secrets | Gitleaks + GitHub push protection |
| Source | SAST | Semgrep |
| Quality | Maintainability / bug patterns | SonarQube |
| Dependencies | SCA | Trivy filesystem |
| IaC | Misconfiguration | Trivy config + native validation |
| Container | OS/library CVEs | Trivy image |
| Supply chain | Inventory | Syft SBOM |
| Supply chain | Authenticity | Cosign |
| Deployed app | DAST | OWASP ZAP |
| Independent assurance | Manual VAPT | Approved external/internal testers |
No single tool replaces the others. Trivy does not replace unit tests or SAST; SonarQube does not replace integration reports; ZAP does not replace manual VAPT.
DefectDojo receives the approved security findings from each stage and is Nexa’s vulnerability-management system of record. See DefectDojo Integration.