
README is unclear about how the -security switch works #50

Open
toastyghost opened this issue May 18, 2021 · 3 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@toastyghost

Am I correct in assuming that a higher security level means more checks will be run? So I should be running with -security 100?

@toastyghost toastyghost added bug Something isn't working help wanted Extra attention is needed labels May 18, 2021
@ArwynFr

ArwynFr commented May 26, 2021

Am I correct in assuming that a higher security level means more checks will be run?

No, the same number of checks is run. The -security switch will make insider fail if your score is below that value, and succeed when above. This allows you to use insider in your CI/CD pipeline and ensure the score of your application never gets below that threshold. This provides a guarantee of a certain level of security in your application.

So I should be running with -security 100?

Probably not. Using -security 100 means any low vulnerability will fail your build. You probably want to allow a few low ones to pass and have them bashed in a subsequent release. For instance, I just scanned one of my apps and it yields a score of 80/100 with 4 low vulnerabilities. A threshold of 60~80 looks like a decent value for that parameter, depending on your security expectations.

Exactly which value you'll want to use is hard to tell, because it depends on the threat model you're facing, as well as the security expectations for the application and the surrounding systems it operates within. Also, scoring is not a perfect technique, as it relies on the idea that you can set a definitive relative score for each type of vulnerability, which is not always true.

If you can afford a better AST process, it's good for first screening vulnerable applications, though.
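The threshold behaviour described in the comment above, as an added example that is not part of the issue thread and not insider's own code. It models a score-out-of-100 gate: without a threshold the scanner only reports, with a threshold it fails when the score drops below it. The per-severity penalties and the "equal score passes" tie rule are assumptions chosen so that four low findings yield 80/100 as in the comment; insider's real scoring formula is not shown on this page.

```python
# Constructed model of a CI score gate with -security-style semantics.
# PENALTY values are assumptions for illustration, not insider's real weights.
PENALTY = {"critical": 40, "high": 20, "medium": 10, "low": 5}


def score(findings):
    """Start from 100 and deduct an assumed penalty per finding, floored at 0.

    `findings` is a list of severity strings; the list is the same whether or
    not a threshold is later applied, mirroring 'the same checks are run'.
    """
    deductions = sum(PENALTY[severity] for severity in findings)
    return max(0, 100 - deductions)


def gate(findings, security=None):
    """Report the score; if a threshold is given, also decide pass/fail.

    security=None  -> just the results, no verdict (no -security passed).
    security=N     -> fail when score < N, pass otherwise (tie = pass, assumed).
    """
    s = score(findings)
    if security is None:
        return {"score": s, "passed": None}
    return {"score": s, "passed": s >= security}


def ci_exit_code(findings, security=None):
    """Map the verdict onto a shell exit status a pipeline could gate on."""
    result = gate(findings, security)
    return 0 if result["passed"] in (None, True) else 1


if __name__ == "__main__":
    # Constructed sample: the 'four low findings' case from the comment.
    four_lows = ["low"] * 4
    print(gate(four_lows))            # no threshold: results only
    print(gate(four_lows, 100))       # strictest: any low finding fails
    print(gate(four_lows, 80))        # lenient: a few lows tolerated
    print(gate(["high"] + four_lows, 80))  # one high drops below the bar
```

Running it shows why the comment steers away from -security 100: the same four low findings pass at 80 but fail at 100, while adding a single high-severity finding fails the 80 gate as well.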

@toastyghost
Author

Thanks for the information! So for clarification, if I don't pass in that parameter at all, it just gives me the results?

@ArwynFr

ArwynFr commented May 26, 2021

if I don't pass in that parameter at all, it just gives me the results?

Correct.
