Supported Platforms
- GitHub: GitHub Cloud with OAuth, GitHub App, or Personal Access Token
- GitLab: GitLab Cloud and Self-Hosted with OAuth or Personal Access Token
- Azure DevOps: Azure DevOps with OAuth or Personal Access Token
- Bitbucket Cloud: Bitbucket Cloud with OAuth or App Passwords
- Bitbucket Server: Bitbucket Server (Data Center) with Personal Access Tokens
Connection Methods
Different platforms support different authentication methods:

| Platform | OAuth | GitHub App | Personal Access Token | App Password |
|---|---|---|---|---|
| GitHub | ✅ | ✅ | ✅ | — |
| GitLab | ✅ | — | ✅ | — |
| Azure DevOps | ✅ | — | ✅ | — |
| Bitbucket Cloud | ✅ | — | — | ✅ |
| Bitbucket Server | — | — | ✅ | — |
Which Method Should You Use?
- OAuth (Recommended)
- GitHub App
- Personal Access Token

OAuth (Recommended)
Best for: Most users and teams
Pros:
- Quick and easy setup
- No manual token management
- Automatic token refresh
- Revocable from VCS settings
Cons:
- Requires browser access
- May need org admin approval
What Permissions Does CodeThreat Need?
CodeThreat requests read-only access to your repositories:
Repository Access
- ✅ Read repository content: To scan code for vulnerabilities
- ✅ Read repository metadata: To display repo names, branches, commits
- ✅ Read pull requests: To scan PR changes
- ❌ Write access: CodeThreat never modifies your code
Webhook Access
- ✅ Create webhooks: To receive notifications about commits and PRs
- ✅ Read webhook events: To trigger automatic scans
Pull Request Integration (Optional)
- ✅ Read PR changes: To scan only modified code
- ✅ Post PR comments: To provide security feedback (if enabled)
- ✅ Create checks: To show pass/fail status (GitHub only)
CodeThreat operates on a read-only basis. We never push commits, modify files, or change repository settings.
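One way to check a connection against the list above is to compare the permissions actually granted to the integration with the ones this page describes. The following is an added example, not CodeThreat's code: the mapping from the listed items to GitHub App permission keys (`contents`, `metadata`, `pull_requests`, `repository_hooks`, `checks`) is an assumption, and the granted set is a constructed sample shaped like the `permissions` object GitHub returns for an app installation.

```python
# Added example: least-privilege audit of a GitHub App installation's permissions.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Assumed mapping of the page's permission list to GitHub App permission keys.
BASELINE = {
    "contents": "read",           # read repository content
    "metadata": "read",           # repo names, branches, commits
    "pull_requests": "read",      # read pull requests / PR changes
    "repository_hooks": "write",  # create webhooks
}
PR_INTEGRATION = {
    "pull_requests": "write",     # post PR comments (optional feature)
    "checks": "write",            # create checks (GitHub only)
}

def expected_permissions(pr_integration=False):
    """Return the highest level expected per permission key."""
    expected = dict(BASELINE)
    if pr_integration:
        for key, level in PR_INTEGRATION.items():
            if LEVELS[level] > LEVELS[expected.get(key, "none")]:
                expected[key] = level
    return expected

def audit(granted, pr_integration=False):
    """Compare granted permissions with the expected set.

    Returns {"excess": {...}, "missing": {...}}; each value is (expected, granted).
    """
    expected = expected_permissions(pr_integration)
    excess, missing = {}, {}
    for key in sorted(set(granted) | set(expected)):
        have, want = granted.get(key, "none"), expected.get(key, "none")
        if have not in LEVELS:
            raise ValueError(f"unknown permission level {have!r} for {key}")
        if LEVELS[have] > LEVELS[want]:
            excess[key] = (want, have)    # broader than documented: review it
        elif LEVELS[have] < LEVELS[want]:
            missing[key] = (want, have)   # feature will not work as described
    return {"excess": excess, "missing": missing}

# Constructed sample of an installation's "permissions" object.
SAMPLE_GRANTED = {"contents": "write", "metadata": "read", "pull_requests": "write",
                  "repository_hooks": "write", "administration": "read"}

if __name__ == "__main__":
    for mode in (False, True):
        print("PR integration:", mode, audit(SAMPLE_GRANTED, pr_integration=mode))
```

Any entry under `excess` is access beyond what this page describes and should be questioned before approving the installation.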
How Connections Work
When you connect a VCS platform:
1. Authentication: You authorize CodeThreat to access your account via OAuth, token, or app installation
2. Repository Discovery: CodeThreat fetches a list of repositories you have access to
3. Repository Selection: You choose which repositories to import for scanning
4. Webhook Setup: CodeThreat creates webhooks to receive notifications about code changes (if automated scanning is enabled)
5. Initial Scan: CodeThreat automatically runs an initial security scan on imported repositories
