
    Cycode

    Cycode is the only AppSec and Posture Management (ASPM) platform that provides visibility, prioritization, & remediation for Sec, Dev, & Ops teams to secure applications from code to cloud.

    Ratings and reviews

    Rating: 3.9 (4 ratings). 0 AWS Marketplace reviews; 4 external reviews. External reviews are from G2 and PeerSpot.

    Reviews (4)
    reviewer2014131

    Secret scanning has strengthened our code security and now needs better container integration

    Reviewed on May 27, 2026
    Review provided by PeerSpot

    What is our primary use case?

    Cycode is used for multiple types of scanning including secrets, SAST scanning, and IAC misconfiguration scanning. Secret scanning was one of the first services launched using Cycode and is integrated into product teams' CI/CD pipelines for identifying hard-coded secrets within the code.

    Cycode is used for infrastructure as code misconfiguration scanning and SAST scanning to find code weaknesses. Both engines are solid with no complaints.

    As a policy, hard-coding secrets is prohibited. Cycode helps identify pieces of code that might be out of compliance. When the organization pivoted to GitHub Enterprise Cloud, this became a strong requirement for all product teams to comply with, and Cycode definitely assisted in that process.

    Cycode is used for secret scanning, IAC misconfiguration scanning, and SAST. Other tools are used for software composition analysis and container image scanning.

    What is most valuable?

    Cycode excels in secret scanning and is brilliant at finding and identifying secrets within code. The GitHub integration helps product teams run scans on their code during pull requests without requiring a task in their pipeline, allowing them to identify issues much earlier in the software development life cycle.

    The GitHub integration allows scanning to be performed as early as possible. Whenever product teams raise a pull request or commit to a GitHub repository, the integration identifies issues even before the scan runs in the pipeline. Since scanning happens in the version control system in GitHub rather than in the pipeline, it keeps the load on the pipeline simple and reduces the overall pipeline load.

    Measurable improvements and faster development are outcomes of using Cycode. Since it is integrated into GitHub as a GitHub app and performs PR scans, it makes the development process not just faster but more secure. It prohibits users from hard-coding secrets and pushes them to use secret vaults and managers, which is a much more secure method of handling credentials.

    Cycode helps with visibility into application security posture by having arguably the best dashboards and reporting among all the other tools in use, with different kinds of remediation funnels and MTTR data available in Cycode's dashboard that helps with overall application security posture management.

    Cycode helps prioritize vulnerabilities or findings with a custom risk score that can help prioritize findings. Even within secrets, it helps identify the severities associated with those secrets.

    Cycode supports collaboration between development and security teams well. The integration with GitHub makes it quite seamless.

    What needs improvement?

    Regarding container scanning, Cycode can be improved as it does not have a CLI. As a DevSecOps professional, having a CLI is a must-have for any tool to integrate it into systems. Although Cycode does have a CLI, specifically for the container scanning module, a CLI does not exist. This is why all the modules that Cycode offers cannot be fully leveraged.

    A CLI for the container scanning module is believed to be on Cycode's roadmap, but it is not available today.

    As a big enterprise dealing with many assets, Cycode being faster would be beneficial. With many assets on-boarded on Cycode, the tool sometimes becomes slow. Making Cycode faster would definitely help. Other than that, things are good.

    For how long have I used the solution?

    Cycode has been in use for almost three years.

    What do I think about the stability of the solution?

    Cycode is stable and scales as needed.

    What do I think about the scalability of the solution?

    The scalability of Cycode as the organization grows or adds more assets is managed well. At the scale at which the enterprise operates, which is quite large, Cycode scales as needed. Being a vendor SaaS tool on an elastic server, it scales effectively.

    How are customer service and support?

    Cycode's customer support is good. Regular connects are maintained with the customer support team.

    Which solution did I use previously and why did I switch?

    Secret scanning was not available prior to Cycode. Cycode was the first solution for secret scanning and still is to this day.

    How was the initial setup?

    Adoption and initial use of Cycode was fairly simple for the team. The GitHub integration made the process quite smooth as all assets in GitHub had to be bulk on-boarded to Cycode. Although the on-boarding and adoption were smooth and Cycode was scanning everything in GitHub, as a DevSecOps team, assets had to be mapped individually in order to perform application security posture management (ASPM), which took a good amount of time and remains an ongoing challenge.

    What was our ROI?

    A return on investment has been seen with Cycode. Overall, the security of assets and preventing the exposure of secret data is where Cycode excels. No specific metrics can be shared beyond that.

    What's my experience with pricing, setup cost, and licensing?

    Cycode is aggressively priced across the board with respect to other tools when it comes to pricing, setup cost, and licensing.

    Which other solutions did I evaluate?

    I was not part of the decision before choosing Cycode, so I am not aware of which options were evaluated. However, GitHub Advanced Security was believed to have been considered.

    What other advice do I have?

    Cycode excels mainly in secret scanning, and if CLI was available in other types of scans like container scanning, the overall experience would have been better. Cycode's governance and security are good, and the AI remediation abilities through integrations like Secure Code Warrior are beneficial.

    The accuracy and reliability of Cycode's AI capabilities have not been fully tested. Others looking into using Cycode should move forward with it. It is a strong and robust tool for secret scanning.

    Overall, I rate Cycode a 7.5 out of 10. The rating reflects limitations such as the lack of a CLI for container scanning and some concerns about forced secret scanning, balanced against Cycode's excellence in secret scanning capabilities.

    J P.

    Totally impressed with Cycode

    Reviewed on Apr 23, 2024
    Review provided by G2

    What do you like best about the product?

    I've found Cycode to be an easy tool to use and integrate into our environment. I look forward to completing my work onboarding the tool into our production. We internally discussed the risk of exposing a system that actively provides easy access to secrets, and shortly thereafter we noticed a new feature that allows us to limit this exposure through the use of roles.

    What do you dislike about the product?

    Lacks integrations with many AWS services to make it easy to track application vulnerabilities in terms of the systems hosting our applications rather than just the code & artifacts.

    What problems is the product solving and how is that benefiting you?

    I've seen new valuable security features and customization options open up that increase its potential value to our organization. So overall I think they take customer feedback seriously and are looking at ways to improve the product.
    Sachin P.

    Cycode abilities

    Reviewed on Dec 08, 2022
    Review provided by G2

    What do you like best about the product?

    1) Product setup is extremely quick.
    2) Cycode defaults provide immediate value by highlighting improper storage of secrets in source control and data leakage visibility, i.e. Violations - Asset mapping in knowledge graphs.
    3) The new workflow functionality enhances the user experience, as custom behavior is now easily implemented from a central point in the system.

    What do you dislike about the product?

    1) The violations which need manual re-scan have to be improved.
    2) Display the proper error message when the queries for an extensive knowledge graph are in progress.

    What problems is the product solving and how is that benefiting you?

    1) Great platform for SCM.
    2) Visibility on the compliance and audit requirements increased.
    3) Single view for all my policy violations and asset details, which can significantly help audit.
    Dipak P.

    Best software for SDLC process

    Reviewed on Dec 02, 2022
    Review provided by G2

    What do you like best about the product?

    Easy to understand and handle all tools for use. Interface easy to use.

    What do you dislike about the product?

    Little bit complicated to extensively work on that.

    What problems is the product solving and how is that benefiting you?

    Very beneficial for SDLC process. Tracking etc.