Indago Security bundle
Bundle 07 · SecurityAudience · AppSec, DevSecOps, CISO offices

67+ security plugins. SARIF out. Journaled.

62 security scan tasks in a single pass — ranked into the SARIF export your dashboard already reads.

Early access · First findings in seconds
THE SOCRanked, not noisy.
1 200 → 12From "1 200 warnings a week nobody triaged" to twelve KEV-grade findings shipped the same day.
Every CVE, on your codeNVD + GHSA + CISA KEV joined to your reachability graph — < 10 ms across 22 k passages.
Secrets · LLM-injection · IaCCrypto, race, auth, secrets, prompt-injection and IaC patterns — one scan pass.
SARIF in, SARIF outDrops into your existing pipeline. Free trial. Sovereign / air-gapped option for regulated buyers. Try yourself for free

The vulnerability already in production.

Most code scanners produce SARIF files nobody reads. Indago ranks findings the way a senior AppSec engineer would — collapsing the noise, surfacing the real exposure, and citing the NVD, GHSA, CISA KEV, OSV or EPSS entry that makes it actionable. 67+ security plugins run under security.code.* and security.iac.*, on a 22 k-passage repo, in under 10 ms. No code leaves the engineer's workstation. Every rendered evidence pack is journaled.

From CVE-on-code to secrets to LLM-injection.

Demo 1 · CVE-on-code, ranked8.9 ms · local
CVE matches in our dependency graph · severity ≥ High · KEV-listed
01
CVE-2024-49415 · KEV-listed · path → libfoo@1.4 → app/api/auth. NVD + GHSA · KEV 2024-11 · CVSS 9.1
0.97
02
CVE-2025-00231 — only reachable from upload route; rest of code path dead. NVD + Indago reachability · src/api/upload.ts:42
0.91
03
GHSA advisory · same pkg, different CVE, fix landed in 1.4.7 — 1.4.3 in lockfile. GHSA-…-… · pkg-lock.json:8412
0.83
3 ranked · ~120 noise suppressedSARIF export → your dashboard
Demo 2 · Secrets hunt across historyscan · per-commit
secrets · uncommitted & committed · all branches · last 5 years
01
AWS SECRET_KEY in test fixture · committed 2022-09; never revoked. scan · security.secrets · src/test/.../fixture.json:12
0.99
02
High-entropy string flagged in archived branch; matches a known vendor token shape. scan · security.secrets.entropy · branch: rel/2021
0.88
2 live · rotate immediatelyBFG-style purge script generated
Demo 3 · LLM-injection & prompt-handlingscan · 4.2 ms
LLM injection · untrusted input concatenated into system prompt · all services
01
buildPrompt() concatenates raw user message into system role without escaping. scan · security.llm-injection.system-prompt · src/agent/Prompt.ts:88
0.94
02
Tool-use response inlined into next-turn user message. No origin tag. scan · security.llm-injection.tool-echo · src/agent/Loop.ts:142
0.86
2 high-priority patternsfix recipes attached

Demos illustrative. Scans run on your codebase, locally — no code leaves the workstation.

67+ plugins. NVD, GHSA, KEV, OSV, EPSS.

Pair with NIS2 sub-bundle for CISO-level compliance evidence, with Code for full search by meaning, and with Legal when supervisory text matters.

  • NVD · GHSA · CISA KEV · OSV · EPSSdelta-indexed daily · exploit-prediction scored
  • 67+ security plugins · two branchessecurity.code.* + security.iac.*
  • Secrets · entropy · committed-historyscan · security.code.secrets.*
  • Crypto · race · auth · injection · deserialisationscan · security.code.crypto.* · security.code.injection.* · …
  • LLM-injection · IaC misconfigscan · security.code.llm-injection.* · security.iac.*
  • Native renderers
    validation-binder — accepts SOC 2 / ISO 27001 / NIS2 as renderer framework labels (chunk-resolved evidence, framing per artifact) · audit · bounty.29-template surface · framework labels, not separate scans
  • SARIF 2.1.0 export · journaledfits existing pipelines · every render appended to journal
Sources of recordNVDGHSACISA KEVOSVEPSS

MITRE CWE is a reference taxonomy used inside plugin output, not a fetched source. Vendor advisories (Apple, Microsoft, Google, Red Hat, Canonical) are ingestible via indago_learn per advisory URL; they don't ship as bulk-source plugins today.

Real workflows. Real numbers.

Three workflows shaped for this bundle. Where the box reads Verified, the numbers come from a real run logged in this codebase. Where it reads Pending validation, the workflow shape is implemented and we are still gathering the headline numbers before we publish them.

Workflow 01 Pending validation

CVE-on-code reachability sweep

AppSec
  1. InputWorkspace + lockfile.
  2. MethodNVD + GHSA + CISA KEV joined against your dependency graph + Indago reachability filter.
  3. OutputSARIF 2.1.0 export with per-finding reachability and KEV flag.
< 10 ms · 22 k passages Engine perf measured on the Indago repo; pending a customer reachability case study for headline numbers.
Workflow 02 Pending validation

Secrets-in-history hunt

DevSecOps
  1. InputRepo with full git history (all branches).
  2. Methodsecurity.secrets entropy + token-shape scan across every reachable blob.
  3. OutputFindings list with BFG-style purge script attached per match.
Rotate-or-prove Scan shape ships; pending a verified rotation case study before publishing a hit-rate.
Workflow 03 Pending validation

LLM-injection · prompt-handling audit

AI-platform teams
  1. InputSource paths that call an LLM SDK.
  2. Methodsecurity.llm-injection.system-prompt + security.llm-injection.tool-echo scans.
  3. OutputFindings with fix recipes (escape, origin-tag, separator pattern).
Pattern-class catch Patterns are coded against real frameworks; pending a customer dry-run for headline numbers.

Verified workflows are reproducible against the index hash listed in each run. Pending workflows are a written commitment, not a customer quote — we publish numbers only when we have measured them.

Security bundle · from€499/ seat / month· platform pricing for > 50 seats · NIS2 sub-bundle add-on