Arnica

Category: SCA
License: Commercial

Arnica is a pipelineless application security platform that delivers instant security scanning without requiring CI/CD pipeline integration.

By connecting directly to source code repositories as a GitHub or GitLab app, Arnica provides real-time SCA, secrets detection, and developer risk analysis.

Its package reputation scoring and reachability analysis help teams focus on vulnerabilities that actually matter.

What is Arnica?

Traditional SCA tools require pipeline integration, adding complexity and slowing builds.

Arnica takes a different approach by operating directly at the repository level.

Once installed as a GitHub App or GitLab integration, it continuously monitors code for security issues without touching your CI/CD pipelines.

Arnica combines software composition analysis with secrets detection and developer behavior analytics.

Its package reputation system evaluates dependencies based on maintainer trustworthiness, download patterns, and community signals.

Reachability analysis determines whether vulnerable code paths are actually exercised, dramatically reducing false positives.

Key Features

Pipelineless Architecture

Arnica connects to GitHub, GitLab, Bitbucket, or Azure DevOps as a native app.

No CI/CD changes, no pipeline YAML modifications, no build slowdowns.

Scanning happens continuously in the background, with results appearing in pull requests and the Arnica dashboard.

Package Reputation Scoring

Beyond CVE scanning, Arnica evaluates package trustworthiness.

Factors include maintainer reputation, account age, download velocity, dependency patterns, and community engagement.

New packages from unknown maintainers receive lower scores, flagging potential supply chain risks before CVEs exist.

Reachability Analysis

Not every vulnerable dependency is actually exploitable.

Arnica traces code paths to determine whether vulnerable functions are reachable from your application entry points.

A vulnerable function buried in dead code scores lower than one called directly from your API handlers.

Hardcoded Secrets Detection

Arnica scans for API keys, credentials, tokens, and other secrets accidentally committed to repositories.

Detection covers AWS keys, database passwords, JWT secrets, and custom patterns.

Historical scanning catches secrets in old commits that may still be valid.

Developer Risk Profiling

Arnica analyzes developer behavior patterns including commit frequency, code ownership, access patterns, and security violation history.

This helps security teams identify developers who may need additional training or code review attention.

Automated Remediation

When Arnica finds vulnerabilities with available fixes, it can automatically create pull requests with dependency upgrades.

PRs include vulnerability details, breaking change warnings, and test recommendations.

Installation

Arnica installs as a native app on your source code platform:

GitHub Setup

  1. Navigate to GitHub Marketplace: Arnica
  2. Click “Install” and select repositories to monitor
  3. Authorize requested permissions
  4. Configure in the Arnica dashboard

GitLab Setup

  1. Log into Arnica and navigate to Integrations
  2. Select GitLab and authorize OAuth access
  3. Choose groups and projects to monitor
  4. Enable desired scanning features

CLI for Local Scanning

# Install Arnica CLI (for local testing)
npm install -g @arnica/cli

# Authenticate
arnica auth login

# Scan current directory
arnica scan .

# Scan with specific checks
arnica scan . --sca --secrets

# Output in JSON format
arnica scan . --format json > results.json

Configuration

Configure Arnica's behavior through the dashboard or through a config file in the repository root:

# .arnica.yml in repository root
version: 1

sca:
  enabled: true
  severity_threshold: high
  ignore_dev_dependencies: true

  ignore:
    - package: lodash
      version: "<4.17.21"
      reason: "Mitigated by input validation"
      expires: 2026-06-01

secrets:
  enabled: true
  custom_patterns:
    - name: internal-api-key
      pattern: 'INTERNAL_[A-Z0-9]{32}'

  ignore_paths:
    - "**/*.test.js"
    - "docs/**"

remediation:
  auto_pr: true
  pr_assignees:
    - security-team
  require_approval: true
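
As an added illustration that is not Arnica's own code, the Python below shows one way the sca: section above could be applied to scan results: findings under the severity threshold are dropped, and an ignore entry suppresses a finding only while its version constraint matches and its expires date has not passed, so a stale mitigation comes back for review. The severity ranking, the supported constraint operators and the shape of a finding are assumptions; the sample findings are constructed (the lodash entry reuses CVE-2021-23337 from the pull request example on this page).

```python
import re
from datetime import date

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # assumed ranking

# Mirrors the sca: section of the .arnica.yml above; how Arnica applies it is an assumption.
SCA_CONFIG = {"severity_threshold": "high", "ignore": [
    {"package": "lodash", "version": "<4.17.21",
     "reason": "Mitigated by input validation", "expires": date(2026, 6, 1)}]}

def _v(s):  # '4.17.21' -> (4, 17, 21) so versions compare numerically, not as strings
    return tuple(int(p) for p in re.findall(r"\d+", s))

def version_matches(installed, constraint):
    """True if `installed` satisfies a constraint such as '<4.17.21' or '==1.6.0'."""
    m = re.fullmatch(r"(<=|>=|==|<|>)?\s*([\d.]+)", constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, target, cur = m.group(1) or "==", _v(m.group(2)), _v(installed)
    return {"<": cur < target, "<=": cur <= target, ">": cur > target,
            ">=": cur >= target, "==": cur == target}[op]

def ignore_reason(finding, config, today):
    """Reason of the first matching, unexpired ignore rule, else None (expiry re-surfaces it)."""
    for rule in config.get("ignore", []):
        expired = rule.get("expires") is not None and today >= rule["expires"]
        if (rule["package"] == finding["package"] and not expired
                and version_matches(finding["version"], rule["version"])):
            return rule["reason"]
    return None

def triage(findings, config, today):
    """Split findings into ids to report and (id, why) pairs that were suppressed."""
    threshold = SEVERITY_ORDER[config["severity_threshold"]]
    report, suppressed = [], []
    for f in findings:
        reason = ignore_reason(f, config, today)
        if reason:
            suppressed.append((f["id"], "ignored: " + reason))
        elif SEVERITY_ORDER[f["severity"]] < threshold:
            suppressed.append((f["id"], "below severity threshold"))
        else:
            report.append(f["id"])
    return report, suppressed

# Constructed findings: the lodash/CVE-2021-23337 pair is from this page; EXAMPLE-* ids are placeholders.
SAMPLE_FINDINGS = [
    {"id": "CVE-2021-23337", "package": "lodash", "version": "4.17.15", "severity": "high"},
    {"id": "EXAMPLE-0001", "package": "axios", "version": "0.21.1", "severity": "medium"},
    {"id": "EXAMPLE-0002", "package": "axios", "version": "0.21.1", "severity": "critical"},
]
```

Running triage with a date before 2026-06-01 reports only EXAMPLE-0002; on or after that date the lodash finding is reported again because its ignore entry has expired.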

Pull Request Integration

Arnica adds security context directly to pull requests:

## Arnica Security Analysis

### Dependencies Changed
| Package | Old Version | New Version | Risk |
|---------|-------------|-------------|------|
| axios | 0.21.1 | 1.6.0 | Low |
| lodash | 4.17.15 | 4.17.21 | Fixed CVE-2021-23337 |

### New Vulnerabilities: 0
### Secrets Detected: 0

### Package Reputation
- axios@1.6.0: High reputation (98/100)
- lodash@4.17.21: High reputation (99/100)

Dashboard Features

The Arnica dashboard provides:

Portfolio Overview
├── Total Repositories: 47
├── Critical Vulnerabilities: 3
├── High Vulnerabilities: 12
├── Secrets Found: 2
└── Average Package Reputation: 87/100

Risk Trends
├── Vulnerabilities over time
├── Developer risk scores
├── Remediation velocity
└── Coverage metrics

Developer Analytics
├── Code ownership mapping
├── Commit patterns
├── Security violation trends
└── Training recommendations

API Integration

Integrate Arnica data with other tools via API:

# Get repository vulnerabilities
curl -H "Authorization: Bearer $ARNICA_API_KEY" \
  https://api.arnica.io/v1/repos/my-org/my-repo/vulnerabilities

# Get package reputation score
curl -H "Authorization: Bearer $ARNICA_API_KEY" \
  "https://api.arnica.io/v1/packages/npm/lodash/4.17.21/reputation"

# Trigger manual scan
curl -X POST -H "Authorization: Bearer $ARNICA_API_KEY" \
  https://api.arnica.io/v1/repos/my-org/my-repo/scan

When to Use Arnica

Arnica excels for teams that want security scanning without pipeline complexity.

If your CI/CD is already heavily customized or you want to add security without modifying build configurations, Arnica’s pipelineless approach removes friction.

Choose Arnica when package reputation and supply chain risk matter as much as known CVEs.

The reputation scoring catches risky dependencies before vulnerabilities are disclosed.

Reachability analysis reduces false positives for teams drowning in vulnerability alerts.

For teams that prefer pipeline-integrated scanning, tools like Snyk, Dependabot, or Grype offer mature CI/CD integrations.

If you need deep SBOM management and continuous monitoring, OWASP Dependency-Track provides a complementary persistent inventory.

Arnica’s strength is simplicity and speed of deployment combined with advanced risk analysis.