Arnica is a pipelineless SCA platform: it delivers security scanning without any CI/CD pipeline integration. Install it as a GitHub or GitLab app and it continuously monitors repositories for vulnerable dependencies, hardcoded secrets, and developer risk patterns. With the Sonatype 2024 State of the Software Supply Chain report documenting 245,000 malicious packages in a single year, CVE matching alone is not enough: a freshly published malicious package has no CVE on the day it lands in your lockfile.

Arnica's package reputation scoring addresses that gap by evaluating dependencies beyond CVE databases, factoring in maintainer trustworthiness, download patterns, and community signals. Reachability analysis then deprioritizes vulnerabilities in code paths your application never calls.
What is Arnica?
Most SCA tools run as a step in the CI/CD pipeline, which adds configuration to maintain and time to every build. Arnica operates at the repository level instead. Once installed as a GitHub App or GitLab integration, it scans continuously in the background, with results appearing directly in pull requests.
Key features
Supported platforms and ecosystems
| Category | Coverage |
|---|---|
| SCM platforms | GitHub, GitLab, Bitbucket, Azure DevOps |
| JavaScript | npm, yarn, pnpm |
| Python | pip, Poetry |
| Java | Maven, Gradle |
| Go | Go modules |
| .NET | NuGet |
| Ruby | Bundler |
| Containers | Docker images |
Pipelineless architecture
Arnica connects to your SCM as a native app: no CI/CD changes, no pipeline modifications, and no added build time, because scanning runs on Arnica's side in response to repository events rather than as a build step. Results appear in pull requests and the Arnica dashboard. The trade-off is that the app needs read access to repository contents and write access to pull requests, so review the requested permissions and limit the installation to the repositories you actually want scanned.
Package reputation scoring
Beyond CVE scanning, Arnica evaluates packages based on maintainer reputation, account age, download velocity, dependency patterns, and community engagement. New packages from unknown maintainers get lower scores, flagging supply chain risks before any vulnerability is disclosed.
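To make the scoring idea concrete, the following is an added example (not Arnica's algorithm or code) that scores constructed registry metadata against the kinds of signals listed above: package and maintainer age, maintainer count, adoption, download velocity, a linked repository, install-time scripts, and near-miss names against well-known packages. The signal names, thresholds, penalty weights and the POPULAR list are assumptions; a real scorer would pull these from registry and SCM APIs.

```python
"""Illustrative package reputation scoring (added example, not Arnica's code).

Scores constructed registry metadata against the kinds of signals discussed
above. Signals, thresholds and penalty weights are assumptions; real inputs
would come from registry and SCM APIs.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class PackageMeta:
    name: str
    version: str
    package_age_days: int        # days since the package's first publish
    maintainer_age_days: int     # age of the youngest maintainer account
    maintainers: int
    weekly_downloads: int
    prev_weekly_downloads: int   # previous week, for download-velocity spikes
    has_source_repo: bool        # registry entry links to a repository
    install_scripts: bool        # e.g. npm preinstall/postinstall hooks


# Constructed list of well-known names for near-miss (typosquat) detection.
POPULAR = ("requests", "lodash", "express", "numpy", "axios")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(name: str) -> Optional[str]:
    """Return the popular package this name is within two edits of, if any."""
    for pop in POPULAR:
        if name != pop and edit_distance(name, pop) <= 2:
            return pop
    return None


def reputation(meta: PackageMeta) -> tuple[int, list[str]]:
    """Return (score 0-100, reasons). Higher means more trustworthy."""
    target = typosquat_target(meta.name)
    spike = (meta.prev_weekly_downloads > 0
             and meta.weekly_downloads > 20 * meta.prev_weekly_downloads)
    checks = [
        (meta.package_age_days < 30, 25, "package first published <30 days ago"),
        (meta.maintainer_age_days < 90, 25, "maintainer account <90 days old"),
        (meta.maintainers == 1, 10, "single maintainer"),
        (meta.weekly_downloads < 1000, 15, "low adoption (<1k weekly downloads)"),
        (spike, 10, "download spike (>20x week over week)"),
        (not meta.has_source_repo, 10, "no linked source repository"),
        (meta.install_scripts, 15, "runs install-time scripts"),
        (target is not None, 30, f"name within 2 edits of '{target}'"),
    ]
    score, reasons = 100, []
    for triggered, penalty, reason in checks:
        if triggered:
            score -= penalty
            reasons.append(reason)
    return max(score, 0), reasons


# Constructed sample packages: an established one, a typosquat, and a
# legitimate-but-young package that still deserves a look.
SAMPLE_PACKAGES = [
    PackageMeta("requests", "2.32.3", 4000, 4000, 5, 50_000_000, 49_000_000, True, False),
    PackageMeta("requets", "1.0.0", 5, 10, 1, 40, 2, False, True),
    PackageMeta("leftpad-utils", "0.1.0", 20, 2000, 1, 3000, 100, True, False),
]


def flag_risky(packages=SAMPLE_PACKAGES, threshold: int = 60) -> list[str]:
    """Names of packages scoring below the threshold, in input order."""
    return [p.name for p in packages if reputation(p)[0] < threshold]


if __name__ == "__main__":
    for pkg in SAMPLE_PACKAGES:
        score, reasons = reputation(pkg)
        print(f"{pkg.name}@{pkg.version}: {score}/100 {reasons}")
```

The point of the third sample is that a low score is a prompt for review, not a verdict: a young package with a single maintainer and a sudden download spike may be a new legitimate project that just got popular, but it is exactly the profile a dependency-confusion or typosquat campaign produces, and no CVE will ever tell you which it is.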
Reachability analysis
Arnica traces code paths to determine whether a vulnerable function is reachable from your application's entry points. A vulnerable function buried in dead code is scored lower than one called directly from your API handlers, so the findings that need attention first rise to the top. Treat reachability as a prioritization signal rather than proof of safety: a static call graph misses calls made through reflection, dynamic dispatch, or plugin loading, and an unreachable function becomes reachable with the next refactor.
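The following is an added example of the underlying technique, written for this page and not Arnica's engine. It builds a static call graph from a constructed Python module with the standard `ast` module, walks it from a declared entry point, and separates vulnerable sinks that are reachable from those that only exist in dead code. The sample source and the sink list (`yaml.load`, `pickle.loads`) are constructed for the example; the sinks stand in for the functions a real advisory would name.

```python
"""Call-graph reachability for vulnerable sinks (added example, not Arnica's code).

Builds a static call graph from Python source with the ast module and asks
whether any "vulnerable" function is reachable from declared entry points.
The sample module and the sink list are constructed for this example.
"""
from __future__ import annotations

import ast
from collections import deque
from typing import Iterable, Optional

# Constructed sample application: handle_upload is the only entry point.
SAMPLE_SOURCE = '''
import yaml, pickle

def parse_config(blob):
    return yaml.load(blob)            # unsafe loader, reachable from the handler

def legacy_import(blob):
    return pickle.loads(blob)         # unsafe, but nothing calls this anymore

def validate(cfg):
    return "name" in cfg

def handle_upload(request):
    cfg = parse_config(request.body)
    return validate(cfg)
'''

# Constructed sink list: the functions an advisory would name as vulnerable.
VULNERABLE_SINKS = {"yaml.load", "pickle.loads"}


def _callee_name(node: ast.Call) -> Optional[str]:
    """Resolve 'f(...)' or 'mod.f(...)'; dynamic calls (getattr, lambdas) are not tracked."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def build_call_graph(source: str) -> dict[str, set[str]]:
    """Map each top-level function name to the set of callee names it invokes."""
    graph: dict[str, set[str]] = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            graph[node.name] = {
                name for sub in ast.walk(node)
                if isinstance(sub, ast.Call) and (name := _callee_name(sub))
            }
    return graph


def reachable_sinks(graph: dict[str, set[str]], entry_points: Iterable[str],
                    sinks: set[str]) -> dict[str, list[str]]:
    """BFS from the entry points; return {sink: call path} for each sink reached."""
    entry_points = list(entry_points)
    found: dict[str, list[str]] = {}
    queue = deque((ep, [ep]) for ep in entry_points)
    seen = set(entry_points)
    while queue:
        fn, path = queue.popleft()
        for callee in sorted(graph.get(fn, ())):
            if callee in sinks:
                found.setdefault(callee, path + [callee])
            if callee in graph and callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return found


def unreachable_sinks(graph: dict[str, set[str]], entry_points: Iterable[str],
                      sinks: set[str]) -> set[str]:
    """Sinks that appear somewhere in the code but are never reached: dead-code findings."""
    present = {c for callees in graph.values() for c in callees if c in sinks}
    return present - set(reachable_sinks(graph, entry_points, sinks))


if __name__ == "__main__":
    g = build_call_graph(SAMPLE_SOURCE)
    for sink, path in reachable_sinks(g, ["handle_upload"], VULNERABLE_SINKS).items():
        print("REACHABLE  ", sink, " -> ".join(path))
    for sink in unreachable_sinks(g, ["handle_upload"], VULNERABLE_SINKS):
        print("UNREACHABLE", sink)
```

Note what `_callee_name` gives up on: anything invoked through `getattr`, a callback stored in a dict, or a method on an arbitrary expression returns `None` and drops out of the graph. That is the precision/recall trade-off every reachability engine makes, and it is why a "not reachable" verdict should lower a finding's priority rather than close it.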
Hardcoded secrets detection
Scans for API keys, credentials, tokens, and other secrets committed to repositories. Covers AWS keys, database passwords, JWT secrets, and custom patterns. Historical scanning catches secrets in old commits. A secret found anywhere in history has already been exposed to everyone with clone access, so rotate it: removing it from the current tree or rewriting history does not revoke it.
Developer risk profiling
Analyzes developer behavior patterns: commit frequency, code ownership, access patterns, and security violation history. Helps security teams identify where additional training or code review is needed.
Automated remediation
When Arnica finds a vulnerability with an available fix, it opens a pull request with the dependency upgrade, including the vulnerability details and any breaking-change warnings. Treat that PR like any other change: run the test suite and read the breaking-change notes before merging, particularly on major version bumps.
Installation
Arnica installs as a native app on your source code platform:
GitHub Setup
- Navigate to GitHub Marketplace: Arnica
- Click “Install” and select repositories to monitor
- Authorize requested permissions
- Configure in the Arnica dashboard
GitLab Setup
- Log into Arnica and navigate to Integrations
- Select GitLab and authorize OAuth access
- Choose groups and projects to monitor
- Enable desired scanning features
Local Testing
Arnica primarily operates through its GitHub/GitLab app integration. For local testing and CI/CD workflows, use Arnica’s webhook-based triggers or the dashboard API. See the Arnica documentation for current integration options.
Configuration
Configure Arnica behavior through the dashboard or a repository config file. Give every ignore entry a reason and an expiry so the exception is revisited rather than forgotten, and note that `ignore_dev_dependencies: true` hides findings in build-time tooling, which is a reasonable default for runtime risk but not for the build itself.

```yaml
# .arnica.yml in repository root
version: 1
sca:
  enabled: true
  severity_threshold: high
  ignore_dev_dependencies: true
  ignore:
    - package: lodash
      version: "<4.17.21"
      reason: "Mitigated by input validation"
      expires: "2026-06-01"
secrets:
  enabled: true
  custom_patterns:
    - name: internal-api-key
      pattern: 'INTERNAL_[A-Z0-9]{32}'
  ignore_paths:
    - "**/*.test.js"
    - "docs/**"
remediation:
  auto_pr: true
  pr_assignees:
    - security-team
  require_approval: true
```
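To show what the secrets settings in that config actually mean at scan time, here is an added example (not Arnica's scanner) that applies the same semantics to a constructed repository snapshot: a couple of assumed built-in detectors, the `internal-api-key` custom pattern from the config, the two `ignore_paths` globs, and an entropy floor on generic password matches so that a placeholder like `changeme` is not reported. The file contents are constructed; the AKIA value is the example access key ID from AWS's own documentation, not a live credential.

```python
"""Secrets scan over constructed repository content (added example, not Arnica's code).

Applies the semantics of the custom_patterns and ignore_paths settings shown in
the .arnica.yml fragment: built-in detectors, one custom pattern, glob-based
path exclusions, and an entropy floor that keeps placeholder passwords from
becoming findings. File contents are constructed; the AKIA key is the example
key from AWS's documentation.
"""
from __future__ import annotations

import fnmatch
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int
    detector: str
    masked: str   # first 4 characters of the secret, never the full value


# Assumed built-in detectors. The last capturing group (or the whole match)
# is treated as the secret value.
BUILTIN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-password": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?([^'\"\s]{8,})"),
}
# Custom pattern and exclusions taken from the config fragment above.
CUSTOM_PATTERNS = {"internal-api-key": re.compile(r"INTERNAL_[A-Z0-9]{32}")}
IGNORE_PATHS = ["**/*.test.js", "docs/**"]
# Minimum Shannon entropy (bits per character) per detector; 0 means no floor.
MIN_ENTROPY = {"generic-password": 3.0}


def shannon_entropy(value: str) -> float:
    """Bits per character: about 2.75 for 'changeme', about 3.9 for 15 distinct chars."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_ignored(path: str, ignore_globs=IGNORE_PATHS) -> bool:
    """fnmatch-style matching; '**/*.test.js' requires at least one directory."""
    return any(fnmatch.fnmatch(path, g) for g in ignore_globs)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every detector over each line, masking the secret in the result."""
    findings = []
    detectors = {**BUILTIN_PATTERNS, **CUSTOM_PATTERNS}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in detectors.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)
                if shannon_entropy(secret) < MIN_ENTROPY.get(name, 0.0):
                    continue  # low-entropy placeholder such as "changeme"
                findings.append(Finding(path, lineno, name, secret[:4] + "..."))
    return findings


def scan_repo(files: dict[str, str], ignore_globs=IGNORE_PATHS) -> list[Finding]:
    """Scan every non-ignored file; files maps path -> contents."""
    findings = []
    for path, text in files.items():
        if is_ignored(path, ignore_globs):
            continue
        findings.extend(scan_text(path, text))
    return findings


# Constructed repository snapshot.
SAMPLE_FILES = {
    "src/config.py": (
        'db_password = "xK9#mP2$vL7qR4w"\n'
        'admin_password = "changeme"\n'
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "src/api.py": 'HEADER = "INTERNAL_ABCDEF0123456789ABCDEF0123456789"\n',
    "src/client.test.js": 'const key = "INTERNAL_' + "Z" * 32 + '";\n',
    "docs/setup.md": "Use AKIAIOSFODNN7EXAMPLE as a placeholder in examples.\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.detector} {f.masked}")
```

Two details matter in practice. The finding carries only a masked prefix, because a scanner that writes the full secret into a PR comment or dashboard has just copied it somewhere else. And the ignore globs are a blunt tool: excluding `docs/**` also hides the real AWS key someone pasted into a setup guide, so keep exclusions narrow and prefer fixing the content to silencing the path.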
Pull Request Integration
Arnica adds security context directly to pull requests, as a comment along these lines:

```markdown
## Arnica Security Analysis
### Dependencies Changed
| Package | Old Version | New Version | Risk |
|---------|-------------|-------------|------|
| axios | 0.21.1 | 1.6.0 | Low |
| lodash | 4.17.15 | 4.17.21 | Low (fixes CVE-2021-23337) |
### New Vulnerabilities: 0
### Secrets Detected: 0
### Package Reputation
- axios@1.6.0: High reputation (98/100)
- lodash@4.17.21: High reputation (99/100)
```
Dashboard Features
The Arnica dashboard provides:
```text
Portfolio Overview
├── Total Repositories: 47
├── Critical Vulnerabilities: 3
├── High Vulnerabilities: 12
├── Secrets Found: 2
└── Average Package Reputation: 87/100

Risk Trends
├── Vulnerabilities over time
├── Developer risk scores
├── Remediation velocity
└── Coverage metrics

Developer Analytics
├── Code ownership mapping
├── Commit patterns
├── Security violation trends
└── Training recommendations
```
API Integration
Arnica provides a REST API for authenticated customers to retrieve vulnerability data, package reputation scores, and trigger scans programmatically. API access and documentation are available through the Arnica dashboard after onboarding.
When to use Arnica
Arnica fits teams that want security scanning without pipeline complexity, and that care about supply chain risk beyond known CVEs.
Strengths:
- Zero pipeline changes required
- Package reputation scoring catches risks before CVEs exist
- Reachability analysis reduces false positives
- Secrets detection included
- Developer behavior analytics
Limitations:
- Advanced features require paid plans
- Smaller ecosystem compared to Snyk or Checkmarx
- Pipelineless approach may not fit teams that want build-blocking gates: enforcement has to come from pull request checks and branch protection rules rather than from a failing build step
- Developer profiling may raise privacy concerns
How it compares:
| vs. | Key difference |
|---|---|
| Snyk Open Source | Snyk integrates into CI/CD pipelines with automated fix PRs. Arnica is pipelineless with package reputation scoring. |
| Socket | Socket focuses on behavioral analysis for supply chain threats. Arnica adds developer risk profiling and pipelineless architecture. |
| GitGuardian | GitGuardian leads in secrets detection. Arnica combines SCA, secrets, and developer analytics in a single pipelineless platform. |
Further reading: What is SCA? | Supply Chain Attacks Guide
