Security Scanner

The Security Scanner finds vulnerabilities in your code using Semgrep, an open-source static analysis tool. It runs inside a Docker container with no access to your infrastructure.

Running a Scan

  1. Go to Scanner → New Scan
  2. Select a repository
  3. Choose rule presets:
    • OWASP Top 10 (default) — Critical web application vulnerabilities
    • Security Audit — Broader security checks
    • Secrets Detection — Hardcoded API keys, passwords, tokens
  4. Click Run Scan

Scans typically complete in 1-3 minutes depending on repo size.

Understanding Findings

Each finding includes:

  • Rule ID — The Semgrep rule that triggered (e.g., python.lang.security.audit.exec-detected)
  • Severity — Critical, High, Medium, or Low
  • File and line number — Exact location in your code
  • CWE — Common Weakness Enumeration identifier
  • OWASP category — Which OWASP Top 10 category it falls under
  • Description — What the vulnerability is and why it matters
  • Code snippet — The affected code with context
  • Fix suggestion — How to remediate (when available)

PDF Reports

Every scan can be exported as a branded PDF report suitable for:

  • Sharing with your CISO
  • Compliance audits (SOC2 readiness)
  • Sprint review documentation
  • Board-level security posture updates

The PDF includes: executive summary, findings by severity, trend chart (if multiple scans exist), and remediation guidance.

Scan History

All scans are stored with their findings. The Scanner page shows:

  • Scan timeline with findings trend
  • Severity distribution per scan
  • Delta vs. previous scan (new findings, resolved findings)
  • Per-repository scan history
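The finding fields listed under Understanding Findings and the new/resolved delta from Scan History, worked through on Semgrep's own JSON output. This is an added example, not the product's code: the two scans are constructed sample data, rule IDs other than the page's exec-detected rule are illustrative, and the mapping from Semgrep's ERROR/WARNING/INFO levels to the scanner's severity tiers is assumed.

```python
import json
from collections import Counter

# Assumed mapping: Semgrep emits ERROR/WARNING/INFO; "Critical" is not derivable from it alone.
SEVERITY = {"ERROR": "High", "WARNING": "Medium", "INFO": "Low"}

def _result(check_id, path, line, sev, snippet, cwe, owasp):
    # One entry in the shape of `semgrep --json` output (constructed sample data).
    return {"check_id": check_id, "path": path, "start": {"line": line},
            "extra": {"severity": sev, "lines": snippet, "message": "see rule " + check_id,
                      "metadata": {"cwe": [cwe], "owasp": [owasp]}}}

# Two constructed scans of one repo: the exec() finding shifted from line 12 to 15,
# the hardcoded key was removed, and a new raw-SQL finding appeared.
PREVIOUS_SCAN = json.dumps({"results": [
    _result("python.lang.security.audit.exec-detected", "app/run.py", 12, "ERROR",
            "exec(cmd)", "CWE-95", "A03:2021 - Injection"),
    _result("generic.secrets.security.detected-aws-access-key", "config.py", 3, "WARNING",
            "AWS_KEY = 'AKIA...'", "CWE-798", "A07:2021 - Identification and Authentication Failures"),
]})
CURRENT_SCAN = json.dumps({"results": [
    _result("python.lang.security.audit.exec-detected", "app/run.py", 15, "ERROR",
            "exec(cmd)", "CWE-95", "A03:2021 - Injection"),
    _result("python.sqlalchemy.security.sqlalchemy-execute-raw-query", "app/db.py", 40, "INFO",
            "session.execute(q)", "CWE-89", "A03:2021 - Injection"),
]})

def normalize(report_json):
    """Map raw Semgrep JSON onto the finding fields the scanner displays."""
    findings = []
    for r in json.loads(report_json)["results"]:
        extra, meta = r["extra"], r["extra"].get("metadata", {})
        findings.append({
            "rule_id": r["check_id"], "severity": SEVERITY.get(extra["severity"], "Low"),
            "file": r["path"], "line": r["start"]["line"],
            "cwe": meta.get("cwe", []), "owasp": meta.get("owasp", []),
            "description": extra.get("message", ""), "snippet": extra.get("lines", "")})
    return findings

def fingerprint(f):
    # Line number deliberately excluded so a finding that merely moved is not "new".
    return (f["rule_id"], f["file"], f["snippet"].strip())

def severity_distribution(findings):
    return Counter(f["severity"] for f in findings)

def delta(previous, current):
    """New and resolved findings between two scans, as the history view's delta."""
    prev, cur = {fingerprint(f): f for f in previous}, {fingerprint(f): f for f in current}
    return [cur[k] for k in cur.keys() - prev.keys()], [prev[k] for k in prev.keys() - cur.keys()]
```

Keying the delta on rule, file and snippet rather than line number is what keeps an unchanged finding from being double-counted as "resolved" and "new" after an unrelated edit above it.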