Kiuwan Code Security is a cloud-based static application security testing (SAST) platform that analyzes source code across 28+ programming languages.
The platform identifies security vulnerabilities, code quality issues, and technical debt while providing actionable remediation guidance.
Kiuwan is part of the Sembi portfolio (parent company IDERA, Inc.), which also includes tools like PreEmptive for app hardening and Ranorex for test automation.
What is Kiuwan?
Kiuwan combines security analysis with code quality assessment in a single platform.
Unlike tools that focus exclusively on finding vulnerabilities, Kiuwan provides a broader view of code health by measuring maintainability, efficiency, and reliability alongside security issues.
The platform operates through a local analyzer that scans source code and uploads results to the Kiuwan cloud for analysis and reporting.
This approach keeps source code local while providing centralized dashboards, trend analysis, and team collaboration features through the cloud interface.
Kiuwan maps findings to industry standards including OWASP Top 10, CWE, SANS 25, and PCI DSS, helping organizations demonstrate compliance with security requirements and track progress toward security objectives.
Key Features
Multi-Language Analysis
Kiuwan’s primary strength is its support for 28+ programming languages, including both modern and legacy technologies.
This breadth makes Kiuwan particularly valuable for organizations with diverse technology stacks or those maintaining systems written in older languages like COBOL, RPG4, or ABAP.
The analyzer applies language-specific rules that understand the idioms and patterns of each technology.
For Java, this includes Spring Security patterns; for JavaScript, it covers framework-specific issues in React, Angular, and Vue; for COBOL, it identifies business logic vulnerabilities in mainframe applications.
Insights and Technical Debt Tracking
Beyond finding individual issues, Kiuwan calculates a technical debt score that estimates the effort required to remediate all identified problems.
This metric helps teams prioritize work and communicate technical debt to business stakeholders in concrete terms.
The platform tracks how technical debt changes over time, showing whether code quality is improving or degrading.
Development managers can set quality gates that prevent releases when debt exceeds acceptable thresholds.
Customizable Rule Sets
Kiuwan includes thousands of built-in rules but also allows customization for organization-specific requirements.
Teams can:
- Enable or disable individual rules
- Adjust severity levels based on business context
- Create custom rules for internal coding standards
- Import rules from external sources
Rule configurations can be shared across projects to maintain consistent standards across an organization.
Software Composition Analysis
Kiuwan Insights also includes SCA capabilities, identifying open-source components and their associated vulnerabilities.
The platform detects components even when declared through different package managers or embedded directly in source code, providing visibility into the complete dependency chain.
Installation
Local Analyzer Setup
Kiuwan analysis runs through a local analyzer that processes source code on your infrastructure before sending results to the cloud.
# Download the Kiuwan Local Analyzer
curl -O https://www.kiuwan.com/pub/analyzer/KiuwanLocalAnalyzer.zip
unzip KiuwanLocalAnalyzer.zip
# Configure credentials
export KIUWAN_USER="your-username"
export KIUWAN_PASS="your-password"
# Run analysis on a project
./bin/agent.sh -n "my-project" -s /path/to/source -l "Java,JavaScript"
Command Line Analysis
# Basic analysis with automatic language detection
./bin/agent.sh \
--user $KIUWAN_USER \
--pass $KIUWAN_PASS \
--softwareName "my-application" \
--sourcePath /path/to/source
# Analysis with specific model and branch
./bin/agent.sh \
--user $KIUWAN_USER \
--pass $KIUWAN_PASS \
--softwareName "my-application" \
--sourcePath /path/to/source \
--label "release-2.0" \
--branch "main" \
--model "default"
# Baseline analysis (for comparing branches)
./bin/agent.sh \
--user $KIUWAN_USER \
--pass $KIUWAN_PASS \
--softwareName "my-application" \
--sourcePath /path/to/source \
--analysisScope "baseline" \
--branch "feature/new-feature" \
--changeRequest "JIRA-123"
Integration
GitHub Actions
name: Kiuwan Security Analysis
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
kiuwan-analysis:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download Kiuwan Analyzer
run: |
curl -O https://www.kiuwan.com/pub/analyzer/KiuwanLocalAnalyzer.zip
unzip KiuwanLocalAnalyzer.zip
- name: Run Kiuwan Analysis
env:
KIUWAN_USER: ${{ secrets.KIUWAN_USER }}
KIUWAN_PASS: ${{ secrets.KIUWAN_PASS }}
run: |
./KiuwanLocalAnalyzer/bin/agent.sh \
--user $KIUWAN_USER \
--pass $KIUWAN_PASS \
--softwareName "${{ github.repository }}" \
--sourcePath ${{ github.workspace }} \
--label "${{ github.sha }}" \
--branch "${{ github.ref_name }}"
- name: Check Analysis Results
run: |
# Fetch results from Kiuwan API
curl -u "${{ secrets.KIUWAN_USER }}:${{ secrets.KIUWAN_PASS }}" \
"https://api.kiuwan.com/applications/${{ github.repository }}/analyses/last"
GitLab CI
stages:
- build
- security
kiuwan-scan:
stage: security
image: openjdk:11-jdk
before_script:
- apt-get update && apt-get install -y curl unzip
- curl -O https://www.kiuwan.com/pub/analyzer/KiuwanLocalAnalyzer.zip
- unzip KiuwanLocalAnalyzer.zip
script:
- |
./KiuwanLocalAnalyzer/bin/agent.sh \
--user $KIUWAN_USER \
--pass $KIUWAN_PASS \
--softwareName "$CI_PROJECT_NAME" \
--sourcePath "$CI_PROJECT_DIR" \
--label "$CI_COMMIT_SHA" \
--branch "$CI_COMMIT_REF_NAME"
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
variables:
ANALYSIS_SCOPE: "baseline"
- if: $CI_COMMIT_BRANCH == "main"
variables:
ANALYSIS_SCOPE: "complete"
Jenkins Pipeline
pipeline {
agent any
environment {
KIUWAN_CREDENTIALS = credentials('kiuwan-credentials')
}
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Kiuwan Analysis') {
steps {
script {
// Download analyzer if not cached
sh '''
if [ ! -d "KiuwanLocalAnalyzer" ]; then
curl -O https://www.kiuwan.com/pub/analyzer/KiuwanLocalAnalyzer.zip
unzip KiuwanLocalAnalyzer.zip
fi
'''
// Run analysis
sh """
./KiuwanLocalAnalyzer/bin/agent.sh \\
--user ${KIUWAN_CREDENTIALS_USR} \\
--pass ${KIUWAN_CREDENTIALS_PSW} \\
--softwareName "${JOB_NAME}" \\
--sourcePath "${WORKSPACE}" \\
--label "${BUILD_NUMBER}" \\
--branch "${GIT_BRANCH}"
"""
}
}
}
stage('Quality Gate') {
steps {
script {
// Check if analysis passed quality gate
def result = sh(
script: """
curl -s -u ${KIUWAN_CREDENTIALS_USR}:${KIUWAN_CREDENTIALS_PSW} \\
"https://api.kiuwan.com/applications/${JOB_NAME}/analyses/last" \\
| jq -r '.analysisStatus'
""",
returnStdout: true
).trim()
if (result != 'FINISHED') {
error "Kiuwan analysis failed or did not pass quality gate"
}
}
}
}
}
}
IDE Integration
Kiuwan provides plugins for popular IDEs to enable analysis during development:
- Eclipse: Install from Eclipse Marketplace
- IntelliJ IDEA: Available through JetBrains Marketplace
- Visual Studio: Extension for .NET development
- VS Code: Extension for JavaScript, TypeScript, and Python
When to Use Kiuwan
Kiuwan is particularly well-suited for:
- Organizations with legacy codebases in COBOL, RPG, ABAP, or other languages that many modern tools do not support
- Teams needing unified analysis across diverse technology stacks without managing multiple scanners
- Enterprises requiring compliance reporting mapped to OWASP, CWE, PCI DSS, and other standards
- Development managers tracking technical debt who need concrete metrics to communicate code health
Kiuwan may not be ideal for teams seeking deep analysis of a single language (specialized tools often provide better coverage), open-source projects with limited budgets, or organizations that require fully on-premises deployment without any cloud connectivity.