Skip to content

Security Control Map

StageControlTool / practice
DesignThreat and abuse reviewEngineering review
SourceSecretsGitleaks + GitHub push protection
SourceSASTSemgrep
QualityMaintainability / bug patternsSonarQube
DependenciesSCATrivy filesystem
IaCMisconfigurationTrivy config + native validation
ContainerOS/library CVEsTrivy image
Supply chainInventorySyft SBOM
Supply chainAuthenticityCosign
Deployed appDASTOWASP ZAP
Independent assuranceManual VAPTApproved external/internal testers

No single tool replaces the others. Trivy does not replace unit tests or SAST; SonarQube does not replace integration reports; ZAP does not replace manual VAPT.

DefectDojo receives the approved security findings from each stage and is Nexa’s vulnerability-management system of record. See DefectDojo Integration.