Integrate Bright Security with Vulnetix. Run automated DAST scans against internal applications using the Bright repeater, export SARIF findings, and upload to Vulnetix.
Run Bright Security in CI
Scan on every push and upload the results to Vulnetix:
- name: Run HawkScan
uses: NeuraLegion/run-scan@release
with:
api_token: ${{ secrets.BRIGHT_TOKEN }}
hostname: app.brightsec.com
name: "Bright Scan - ${{ github.sha }}"
crawler: ${{ secrets.TARGET_URL }}
- name: Wait for any issue
uses: NeuraLegion/wait-for@release
with:
api_token: ${{ secrets.BRIGHT_TOKEN }}
hostname: app.brightsec.com
scan: ${{ steps.start.outputs.id }}
wait_for: any
code_scanning_alerts: true
github_token: ${{ secrets.GITHUB_TOKEN }}
timeout: 600
How Vulnetix compares — better together
Vulnetix does not replace Bright Security. Keep running it. Vulnetix sits on top of Bright Security — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Bright Security is strongest at its core category and also carries features in MAST, Pentest, Bug Bounty & Vulnerability Disclosure — just like Vulnetix spans categories.
| Capability | Vulnetix | Bright Security |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✓ Core DAST platform for web apps and APIs with AI-driven attack generation and business-logic testing. |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✗ |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ~ Docs list mobile as a target, but in practice this is server-side testing of the API backend behind mobile apps, not on-device static/dynamic app analysis; user reviews note mobile scanning is limited/not fully supported. |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ~ Automated business-logic/abuse testing aims to reduce reliance on periodic manual pen-tests, but is not a manual/bug-bounty service. |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Bright Security does well
- Developer-first DAST/API security with an AI-powered engine that interacts with the app to generate targeted attacks (rather than blind crawling), keeping false positives low
- Strong API coverage, REST, SOAP, GraphQL (introspection + query fuzzing), plus OWASP API Top 10 and automated business-logic vulnerability testing
- The 'repeater' agent tunnels from the Bright cloud into internal networks, enabling authenticated scans of non-public apps directly in CI/CD
- Deep pipeline integration via @brightsec/cli and REST API (GitHub Actions, Jenkins, GitLab, Azure) with Jira/Slack/Snyk/Wiz connectors
Where Vulnetix adds to it: Vulnetix ingests and orchestrates Bright's DAST/API findings into its unified queue, it does not run dynamic or API attack scans itself. Bright is strong at finding runtime and business-logic issues; Vulnetix adds the cross-scanner layer around it: dedup against SAST/SCA/container/secrets results, EPSS/KEV/ESS/LEV prioritisation across all sources, immutable versioned VEX + audit, EOL and SSVC policy, and Safe Harbour autofix, so Bright's dynamic results are correlated with code and dependency risk in one prioritised backlog.
No migration, no rip-and-replace. Bright Security keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Bright Security results in Vulnetix
Upload Bright Security SARIF, JSON output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.