OX Security

Category: ASPM
License: Commercial

OX Security pioneered Active ASPM, moving beyond passive aggregation to autonomous posture management.

VibeSec™, their AI-driven security agent, continuously enforces security policies within CI/CD pipelines.

Their proprietary Pipeline Bill of Materials (PBOM) tracks full software lineage from code to deployment, going beyond standard SBOM capabilities.

What is OX Security?

OX Security is an Application Security Posture Management platform that takes an active approach to security governance.

While traditional ASPM platforms collect and prioritize vulnerabilities, OX Security goes further by continuously monitoring the development pipeline and automatically enforcing security policies at every stage.

The platform centers on the Pipeline Bill of Materials (PBOM), an industry-first concept that extends traditional SBOM by capturing not just software components, but the entire build process including pipeline configurations, build parameters, and artifact provenance.

This comprehensive visibility enables security teams to answer questions about exactly how any production artifact was built and deployed.

OX Security also developed the OSC&R (Open Software Supply Chain Attack Reference) framework in collaboration with security experts from Google, Microsoft, and GitLab.

This ATT&CK-like model provides a shared language for describing software supply chain threats and defenses.

Key Features

Active ASPM

Active ASPM distinguishes OX Security from passive aggregation platforms.

Rather than simply collecting and displaying findings, the platform:

  • Monitors pipeline activity in real time
  • Detects policy violations as they occur
  • Blocks risky deployments before they reach production
  • Triggers automated remediation workflows
  • Alerts security teams to anomalous behavior

This proactive stance prevents vulnerabilities from reaching production rather than just tracking them after the fact.

VibeSec AI-Driven Context

VibeSec is OX Security’s AI engine that provides contextual understanding of security findings.

The technology:

  • Analyzes code patterns to understand vulnerability context
  • Assesses exploitability based on application architecture
  • Correlates findings across multiple security tools
  • Prioritizes issues based on actual risk rather than raw severity
  • Generates remediation guidance tailored to your codebase

Pipeline Bill of Materials (PBOM)

PBOM extends the SBOM concept to capture the complete software delivery process:

PBOM Contents:
- Source code components and dependencies
- Build pipeline configurations
- CI/CD tool versions and plugins
- Environment variables (sanitized)
- Artifact signatures and checksums
- Deployment targets and configurations
- Developer and approver identities

This comprehensive record supports compliance requirements, incident investigation, and supply chain attack detection.
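To make the PBOM idea concrete, the following is an added illustration (not OX Security's format or code) of what a build-time provenance record with the contents listed above can look like, and how a defender uses it afterwards: credential-looking environment variables are redacted before being recorded, the pipeline configuration and each artifact are checksummed at build time, and a later verification step detects an artifact or pipeline config that no longer matches what was built. The field names, the `PBOM` dataclass, the sample config, environment and artifact bytes are all constructed for the example.

```python
"""Hypothetical PBOM-style provenance record.

Illustration only: the schema here is an assumption for the example and is
not OX Security's PBOM format. All sample inputs are constructed.
"""
import hashlib
import json
import re
from dataclasses import dataclass, asdict

# Variable names that look like credentials are redacted, never recorded.
SECRET_NAME_PATTERN = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|_KEY$)", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sanitize_env(env: dict[str, str]) -> dict[str, str]:
    """Keep variable names (useful for provenance) but redact secret-looking values."""
    return {
        name: ("<redacted>" if SECRET_NAME_PATTERN.search(name) else value)
        for name, value in env.items()
    }


@dataclass
class PBOM:
    components: list[dict[str, str]]     # the SBOM part: name/version pairs
    pipeline_config_sha256: str          # hash of the CI configuration used
    tool_versions: dict[str, str]        # CI/CD tools and plugins
    environment: dict[str, str]          # sanitized build environment
    artifacts: dict[str, str]            # artifact name -> sha256 of its bytes
    deployment_target: str
    identities: dict[str, str]           # developer and approver

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2, sort_keys=True)


def build_pbom(components, pipeline_config: bytes, tool_versions, env,
               artifacts: dict[str, bytes], deployment_target, identities) -> PBOM:
    """Record provenance at build time, hashing what must be verifiable later."""
    return PBOM(
        components=components,
        pipeline_config_sha256=sha256_hex(pipeline_config),
        tool_versions=tool_versions,
        environment=sanitize_env(env),
        artifacts={name: sha256_hex(data) for name, data in artifacts.items()},
        deployment_target=deployment_target,
        identities=identities,
    )


def verify_artifact(pbom: PBOM, name: str, data: bytes) -> bool:
    """True only if this artifact was recorded and its bytes are unchanged."""
    recorded = pbom.artifacts.get(name)
    return recorded is not None and recorded == sha256_hex(data)


def verify_pipeline_config(pbom: PBOM, config: bytes) -> bool:
    """True if the CI configuration still matches the one used for the build."""
    return pbom.pipeline_config_sha256 == sha256_hex(config)


# Constructed sample build inputs (not from any real pipeline).
SAMPLE_CONFIG = b"name: build\non: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
SAMPLE_ARTIFACT = b"constructed placeholder artifact bytes v1"
SAMPLE_ENV = {
    "NODE_ENV": "production",
    "NPM_TOKEN": "constructed-token-value",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret-value",
}


def sample_pbom() -> PBOM:
    return build_pbom(
        components=[{"name": "express", "version": "4.19.2"}],
        pipeline_config=SAMPLE_CONFIG,
        tool_versions={"actions/checkout": "v4", "node": "20.11.0"},
        env=SAMPLE_ENV,
        artifacts={"app.tar.gz": SAMPLE_ARTIFACT},
        deployment_target="k8s://prod-cluster/web",
        identities={"developer": "dev@example.test", "approver": "lead@example.test"},
    )


if __name__ == "__main__":
    pbom = sample_pbom()
    print(pbom.to_json())
    print("artifact intact:", verify_artifact(pbom, "app.tar.gz", SAMPLE_ARTIFACT))
    print("tampered artifact:", verify_artifact(pbom, "app.tar.gz", SAMPLE_ARTIFACT + b"x"))
```

The two verify functions are the incident-investigation half of the record: when a production artifact or a CI config is suspect, comparing it against the hashes captured at build time tells you whether it is the thing that was actually built and approved, and the retained (but redacted) environment and identity fields tell you by whom and under what settings.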

No-Code Workflows

OX Security provides a visual workflow builder for creating security automation without scripting:

  • Drag-and-drop policy creation
  • Conditional logic for complex scenarios
  • Integration actions for ticketing and notification
  • Approval gates for sensitive operations
  • Audit trails for all workflow executions

OSC&R Framework

The Open Software Supply Chain Attack Reference provides a structured taxonomy for supply chain threats:

  • Compromise vectors (source, build, dependency)
  • Attack techniques (typosquatting, dependency confusion, pipeline injection)
  • Detection strategies
  • Mitigation controls

Security teams use OSC&R to assess their defenses against known attack patterns and prioritize improvements.

Integration

OX Security integrates across the development lifecycle:

Source Code Management

  • GitHub (Cloud and Enterprise)
  • GitLab (Cloud and Self-Hosted)
  • Bitbucket (Cloud and Data Center)
  • Azure Repos

CI/CD Pipelines

  • GitHub Actions
  • GitLab CI
  • Jenkins
  • CircleCI
  • Azure Pipelines

Container and Cloud

  • Docker registries
  • Kubernetes clusters
  • AWS, Azure, GCP
  • Terraform, Pulumi, CloudFormation

GitHub Actions Example

name: OX Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  ox-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: OX Security Scan
        uses: oxsecurity/ox-security-action@v1
        with:
          ox_api_key: ${{ secrets.OX_API_KEY }}
          fail_on_severity: high
          generate_pbom: true

CLI Usage

# Install OX Security CLI
npm install -g @oxsecurity/ox-cli

# Authenticate
ox auth login

# Scan current repository
ox scan repo .

# Generate PBOM for a project
ox pbom generate --project-id my-project

# Check pipeline compliance
ox pipeline verify --config .ox-security.yaml

Compliance Support

OX Security maps findings and controls to major compliance frameworks:

  • EU Cyber Resilience Act: SBOM/PBOM generation, vulnerability tracking
  • CISA SSDF: Secure development lifecycle evidence
  • NIST 800-53: Security control documentation
  • SOC 2: Security monitoring and incident response
  • FedRAMP: Continuous monitoring requirements

When to Use OX Security

OX Security fits organizations that need active security governance across their software delivery pipeline.

Consider OX Security when:

  • Moving beyond passive ASPM where aggregation alone is not preventing vulnerable deployments
  • Requiring software supply chain visibility with detailed artifact provenance and build tracking
  • Implementing policy enforcement that blocks non-compliant code from reaching production
  • Meeting regulatory requirements for EU Cyber Resilience Act, CISA guidelines, or similar mandates
  • Managing complex pipelines across multiple CI/CD systems and cloud environments
  • Building security automation without requiring custom scripting or development effort

Organizations with simpler environments or those primarily focused on vulnerability aggregation without active enforcement might find lighter-weight alternatives more appropriate.