Glossary

A reference of key terms used throughout Certifai.

Security Terms

SAST (Static Application Security Testing): Analysis of source code to find vulnerabilities without running the application. Certifai uses Semgrep for SAST scanning.

DAST (Dynamic Application Security Testing): Testing a running application by sending crafted requests and analyzing responses. Finds vulnerabilities that only appear at runtime.

SBOM (Software Bill of Materials): A complete inventory of all software components (libraries, packages, frameworks) that your application depends on, including versions and licenses.

CVE (Common Vulnerabilities and Exposures): A standardized identifier for publicly known security vulnerabilities. Each CVE has a unique ID (e.g. CVE-2024-1234) and is tracked in the National Vulnerability Database.

False Positive: A finding that is flagged as a vulnerability by a scanner but is not actually a security issue in context. For example, a SQL injection warning on a query that uses parameterized statements correctly.

Triage: The process of reviewing a security finding and deciding what to do with it: confirm it as real, mark it as a false positive, or accept the risk and ignore it.

Fingerprint: A unique hash generated for each finding based on the scanner, file path, line number, and vulnerability type. Used for deduplication so the same issue is not reported twice.

Confidence Score: A value from 0.0 to 1.0 assigned by the AI triage engine, indicating how certain the LLM is about its assessment of a finding.

CWE (Common Weakness Enumeration): A community-developed list of software and hardware weakness types. Findings often reference a CWE ID to categorize the type of vulnerability.

CVSS (Common Vulnerability Scoring System): A standardized framework for rating the severity of security vulnerabilities on a scale of 0.0 to 10.0.

License Terms

Copyleft License: A license that requires derivative works to be distributed under the same license terms. Examples: GPL-2.0, GPL-3.0, AGPL-3.0, LGPL-2.1, LGPL-3.0, MPL-2.0.

Permissive License: A license that allows broad freedom to use, modify, and distribute software with minimal restrictions. Examples: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC.

Standards and Formats

CycloneDX: An OWASP standard format for SBOMs. Certifai supports export in CycloneDX 1.5 JSON format.

SPDX (Software Package Data Exchange): A Linux Foundation standard for communicating software bill of materials information. Certifai supports export in SPDX 2.3 format.

Tools

Semgrep: An open-source static analysis tool that finds bugs and enforces code standards using pattern-matching rules. Used by Certifai for SAST scanning.

Syft: An open-source tool for generating SBOMs from container images and filesystems. Used by Certifai to extract dependency information.

Grype: An open-source vulnerability scanner for container images and filesystems. Used by Certifai to match dependencies against known vulnerabilities.

Protocols

MCP (Model Context Protocol): An open standard that allows LLM-powered tools to connect to external data sources and call tools. Certifai exposes security data through MCP so AI assistants can query findings, SBOMs, and DAST results.

PKCE (Proof Key for Code Exchange): An extension to the OAuth 2.0 authorization code flow that prevents authorization code interception attacks. Used in Certifai's authentication flow.

Certifai Documentation