As of this moment, twigs supports discovery of the following attack surface assets:
- Source code repositories (local, remote / git, github enterprise)
- Docker (container images, instances, public / private docker repositories)
- ECR, ACR, GCR (public, private container repositories from AWS, Azure and GCP)
- Kubernetes (deployment yaml, helm charts)
- Cloud workloads from AWS, Azure and GCP (Agentless CWP)
- Servers and endpoints (credentialed or non-credentialed discovery)
- Cloud functions (Azure and GCP)
- VMware (Agentless discovery of vCenter and ESX endpoints)
- ServiceNow (Asset discovery from ServiceNow CMDB)
- Third Party Attack Surface (using CycloneDX, SPDX and ThreatWorx standard SBOMs)

Credentialed host discovery is supported for:
- RedHat
- CentOS
- Ubuntu
- Debian
- Amazon Linux
- Windows
- macOS

Apart from this, twigs can also run the following checks on various attack surface components for posture management:
- SAST (static analysis for source code repositories using semgrep)
- IaC scan (for deployment code like Ansible, Terraform, CloudFormation etc. using checkov)
- Secrets scan (for secrets embedded in source code)
- CIS benchmarks (for AWS, Azure, CIS, Docker, K8S, GKE and servers)
- DAST (dynamic testing of web applications using plugins like ZAP, Arachni)

These capabilities continue to evolve to add more coverage for the attack surface.