Overview
CodeThreat provides comprehensive security scanning through deterministic engines and agentic analysis:- Deterministic SAST: Rule-based pattern matching (SAST, SCA, Secrets, IaC)
- Agentic SAST: Deep AI-powered code analysis for complex vulnerabilities
- False Positive Elimination: Automatically filters false positives from deterministic SAST results
- PR Reviews: Contextual security analysis of pull requests
SAST
Find vulnerabilities in your source code
SCA
Detect vulnerable dependencies
Secrets
Find exposed credentials and API keys
IaC
Scan infrastructure configurations
CodeThreat provides Deterministic SAST (rule-based) and Agentic SAST (AI-powered deep analysis). False Positive Elimination agent works on deterministic SAST results to reduce false positives. PR Review Agent provides contextual security analysis for every pull request.
Deterministic Static Application Security Testing (SAST)
Deterministic SAST analyzes your source code using rule-based pattern matching to find security vulnerabilities without executing the program. Results are enhanced by False Positive Elimination agent and complemented by Agentic SAST for deep analysis. Powered by: OpenGrep (enhanced Semgrep fork) + ShiftQL intelligent analysis Coverage: 1,740+ security rules across 27+ languagesWhat SAST Finds
- Injection flaws: SQL injection, command injection, code injection
- Cross-Site Scripting (XSS): Reflected, stored, DOM-based
- Authentication issues: Broken auth, session management flaws
- Authorization flaws: Missing access controls
- Cryptographic issues: Weak algorithms, insecure random number generation
- Security misconfigurations: Debug mode enabled, default credentials
- Input validation: Missing or improper validation
- Path traversal: Directory traversal vulnerabilities
Languages Supported
Deep coverage (100+ rules each):- Python (334 rules), Terraform (362 rules), JavaScript (173 rules)
- Java (121 rules), YAML/K8s (120 rules), Ruby (92 rules)
- Go (76 rules), PHP (61 rules), C# (51 rules), Solidity (50 rules)
Enhanced by Agentic Analysis
False Positive Elimination: Automatically filters false positives from deterministic SAST results by understanding code context, framework protections, and actual exploitability. Agentic SAST: Performs deep code analysis to find complex vulnerabilities that deterministic SAST cannot detect, such as logic flaws, authorization issues, and design failures. Learn more about Deterministic SAST → | Learn more about Agentic SAST →Software Composition Analysis (SCA)
SCA identifies known vulnerabilities in your dependencies and third-party libraries.What SCA Finds
- CVE vulnerabilities: Known security issues in dependencies
- Outdated packages: Dependencies with available security updates
- Vulnerable transitive dependencies: Issues in sub-dependencies
- License violations: Incompatible or risky licenses
- Abandoned packages: Unmaintained dependencies
Package Managers Supported
npm, yarn, pip, Maven, Gradle, Go modules, NuGet, Composer, Bundler, Cargo, and more.Secrets Detection
Secrets scanning finds exposed credentials, API keys, and sensitive data in your codebase and Git history.What Secrets Detection Finds
- Cloud provider credentials: AWS keys, Azure tokens, GCP service accounts
- API keys: Stripe, SendGrid, Twilio, GitHub tokens
- Database credentials: PostgreSQL, MySQL, MongoDB connection strings
- Private keys: SSH keys, TLS certificates, JWT secrets
- Passwords: Hardcoded passwords in code
- OAuth tokens: Access tokens, refresh tokens
How It Works
- Pattern matching: Regex patterns for known credential formats
- Entropy analysis: High-entropy strings likely to be secrets
- Context awareness: Reduces false positives by examining code context
- Git history scanning: Checks all commits, not just current code
Response Steps
If a secret is found:- Rotate immediately: Generate new secret, revoke old one
- Remove from Git history: Use git-filter-repo or BFG Repo-Cleaner
- Use environment variables: Never commit secrets
- Enable secret management: Use Vault, AWS Secrets Manager, etc.
Infrastructure as Code (IaC) Security
IaC scanning detects misconfigurations in infrastructure definitions before deployment.What IaC Security Finds
- Public exposure: S3 buckets, databases accessible from internet
- Missing encryption: Unencrypted storage, databases, message queues
- Overly permissive IAM: Wildcard permissions, excessive roles
- Insecure containers: Running as root, privileged mode
- Missing security groups: Unrestricted network access
- Hardcoded secrets: Credentials in IaC templates
- Insecure protocols: HTTP instead of HTTPS, outdated TLS
IaC Formats Supported
Terraform (.tf files), Kubernetes (YAML manifests, Helm charts), Docker (Dockerfiles, docker-compose.yml), CloudFormation (AWS templates), ARM Templates (Azure resource definitions)Scan Execution
When you trigger a scan, CodeThreat:1
Clone Repository
Securely clone your repository into an isolated scanning environment
2
Run All Scan Types
Execute deterministic scans (SAST, SCA, Secrets, IaC) in parallel
3
Process Results
Convert all findings to standardized SARIF format
4
Apply Agentic Analysis
False Positive Elimination filters SAST results, Agentic SAST performs deep analysis (if enabled)
5
Store and Display
Results are stored and displayed in your dashboard
Enabling/Disabling Scan Types
You can control which scan types run for each repository:- Go to Repository Settings → Scan Configuration
- Toggle scan types: SAST (with False Positive Elimination), SCA, Secrets Detection, IaC Security, Agentic SAST
- Save configuration
Running all deterministic scan types (SAST, SCA, Secrets, IaC) with Agentic SAST and False Positive Elimination provides the most comprehensive security coverage.
Scan Performance
Typical scan times by repository size:| Repository Size | Scan Duration |
|---|---|
| Small (<100 files) | 1-2 minutes |
| Medium (100-1000 files) | 2-5 minutes |
| Large (1000+ files) | 5-15 minutes |
- Number of files
- Lines of code
- Number of dependencies
- Git history depth (for secrets)
- Enabled scan types