Dimension scores are derived from public data and listed fields and are weighted into the composite score. For reference only.
Cohesion is a web security automation tool for developers and continuous integration pipelines, positioned as a DAST (Dynamic Application Security Testing) solution. It performs active and passive testing against running web applications and APIs via the command line, with the goal of finding security issues before code reaches production. Based on the crawled content, its detection scope includes common high-risk vulnerabilities such as Cross-Site Scripting, SQL Injection, Server-side Request Forgery, Remote Code Execution, Command Injection, and error-message leakage.
In terms of protection coverage, Cohesion mainly focuses on dynamic testing of web applications and APIs, rather than static code analysis or dependency risk scanning. Its toolset includes a scanner, fuzzer, spider, and proxy: the scanner is used for target scanning; the spider can identify hidden files and directories; the fuzzer can test specific HTTP requests or API endpoints; and the proxy can test captured requests in transit. Its deployment model is geared toward developer toolchains, with good command-line and Shell scripting support. The documentation directory also references integrations such as GitLab, Docker, Selenium, Swagger, and Proxy, making it suitable for CI/CD stages.
One key design feature of Cohesion is its quality gate mechanism. By default, even when vulnerabilities are found, it may still exit with status code 0 so results can be reviewed in standard output. However, users can configure severity thresholds with --exit and --exit-code, for example to terminate immediately and return a non-zero exit code when a critical vulnerability is found, thereby blocking the pipeline. It also supports --wait and --wait-status, which let tests start only after the target service becomes healthy; this is useful in pre-production environments where the application may not be fully started yet. The text also mentions that issues can be viewed at app.cohesion.sh/issues, but it does not show broader capabilities such as a dashboard, permission management, auditing, or alerting channels.
The crawled content does not provide information on pricing models, plans, free quotas, enterprise pricing, or payment methods, so it is not possible to assess its real cost-effectiveness. No compliance certifications or statements such as SOC 2, ISO 27001, GDPR, or China’s classified protection requirements were found either. For large enterprises with formal compliance procurement processes, this information should be confirmed directly with the vendor.
Its strengths are a straightforward developer experience, clear command-line examples, and easy integration into automation workflows such as GitLab, Docker, or Shell scripts. It also supports both URLs and HTTP request files as test targets, which is practical for API security testing. Its limitations are that the public materials do not demonstrate enterprise-grade centralized management, reporting, permissions, ticketing integrations, or service support details. As a DAST tool, it depends on the target service being runnable and cannot replace other security testing approaches such as SAST, SCA, or IAST. It is best suited for DevSecOps teams, web/API development teams, and small to medium-sized engineering teams that need to establish security gates before release.
The text does not describe accessibility from China. It is unclear whether the domain and app service can be accessed directly and reliably, or whether domestic payment methods and localized support are available. If access, compliance, or procurement is constrained, alternatives such as OWASP ZAP, Burp Suite, Acunetix, Invicti, StackHawk, or GitLab DAST may be worth evaluating. Overall, Cohesion stands out for ease of use in CI scenarios, but its commercial and enterprise service information is limited.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site.
cohesion.sh is listed as a security provider of unknown category. TG4G tracks its product information, an overall rating of 7.0/10, and a China-accessibility score of "China direct-connect friendly".