Security Scanning Platform
Built-in security scanning with multiple scanner modules that run on push to the default branch.
Scanner Modules
| Scanner | Status | Description |
|---|---|---|
| Secret Scanner | Active | 15 patterns -- AWS keys, GitHub tokens, Stripe, JWT, connection strings, etc. |
| Dependency Scanner | Active | Checks go.mod, package.json, composer.json, requirements.txt against OSV.dev API |
| Code Scanner | Active | 22 OWASP pattern rules across 7 CWE categories (see below) |
| Config Scanner | Planned | Misconfiguration detection |
| License Scanner | Planned | License compliance checking |
Code Scanner Rules
The code scanner detects insecure patterns across Go, PHP, Python, JavaScript/TypeScript, Java, C#, and Ruby. Rules are language-filtered by file extension.
| Category | CWE | Rules | Languages |
|---|---|---|---|
| SQL Injection | CWE-89 | 4 | Go, PHP, Python, JS/TS |
| XSS | CWE-79 | 4 | JS/TS, PHP, React |
| Command Injection | CWE-78 | 5 | Go, PHP, JS/TS, Python |
| Path Traversal | CWE-22 | 3 | Go, JS/TS, Python, PHP |
| Insecure Deserialization | CWE-502 | 2 | PHP, Python |
| Hardcoded Credentials | CWE-798 | 1 | All |
| Weak Cryptography | CWE-327 | 2 | Go, Python, C#, Java |
How It Works
- On push to the default branch, `ScanOnPush` runs all enabled scanners
- Each scanner implements the `Scanner` interface (`Type`, `ScanCommit`, `ScanTree`)
- Findings are stored in the `security_alert` table with fingerprint-based dedup
- Alerts are visible in the Security tab with severity, status, and dismiss/resolve actions
- Code scanner skips comment lines, binary files, vendor/, node_modules/, and files > 1MB
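As an added illustration (not the project's own code), here is a minimal Go sketch of how a code scanner module of the kind described above can be built: a `ScanTree`-style walk that filters rules by file extension, skips comment lines, vendor/, node_modules/ and files over 1MB, and deduplicates findings by a fingerprint. `Finding`, `rule`, `extLang`, `skipFile`, `isComment`, `fingerprint`, `NewCodeScanner`, `SampleTree` and the four sample rules are assumptions made for this example; the project's real `Scanner` interface, its 22 rules and its fingerprint scheme are not on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"path"
	"regexp"
	"strings"
)

// Finding is one alert row (assumed shape, not the project's own struct);
// Fingerprint is what a security_alert-style table would dedup on.
type Finding struct {
	Rule, CWE, Severity, Path, Fingerprint string
	Line                                   int
}

// rule is one pattern plus the languages it is filtered to (nil = all).
type rule struct {
	ID, CWE, Severity string
	Langs             map[string]bool
	Re                *regexp.Regexp
}

var extLang = map[string]string{ // file extension -> language key used by rules
	".go": "go", ".php": "php", ".py": "python", ".js": "js", ".jsx": "js",
	".ts": "js", ".tsx": "js", ".java": "java", ".cs": "csharp", ".rb": "ruby",
}

// CodeScanner's Type and ScanTree mirror two methods of the Scanner interface the
// page names (ScanCommit, the diff-walking variant, is left out). The rules are
// a constructed subset: the page does not list its 22 real rules.
type CodeScanner struct{ rules []rule }

func NewCodeScanner() *CodeScanner {
	return &CodeScanner{rules: []rule{
		{"go-sql-concat", "CWE-89", "High", map[string]bool{"go": true}, regexp.MustCompile(`db\.(Query|Exec)\([^)]*\+`)},
		{"js-innerhtml", "CWE-79", "Medium", map[string]bool{"js": true}, regexp.MustCompile(`\.innerHTML\s*=`)},
		{"php-shell-exec", "CWE-78", "Critical", map[string]bool{"php": true}, regexp.MustCompile(`\bshell_exec\s*\(`)},
		{"hardcoded-password", "CWE-798", "High", nil, regexp.MustCompile(`(?i)password\s*[:=]\s*["'][^"']{4,}["']`)},
	}}
}

func (c *CodeScanner) Type() string { return "code" }

// skipFile applies the page's exclusions: vendor/, node_modules/, files over
// 1MB, and binary files (approximated here by a NUL byte in the content).
func skipFile(p, content string) bool {
	excluded := strings.HasPrefix(p, "vendor/") || strings.HasPrefix(p, "node_modules/") ||
		strings.Contains(p, "/vendor/") || strings.Contains(p, "/node_modules/")
	return excluded || len(content) > 1<<20 || strings.Contains(content, "\x00")
}

// isComment is a simple line-level check for the comment openers of the
// languages in the rules table; it keeps commented-out code from alerting.
func isComment(line string) bool {
	t := strings.TrimSpace(line)
	return strings.HasPrefix(t, "//") || strings.HasPrefix(t, "#") ||
		strings.HasPrefix(t, "/*") || strings.HasPrefix(t, "*")
}

// fingerprint keys on scanner, rule, path and matched text but not the line
// number, so an alert survives unrelated edits that shift lines.
func fingerprint(scanner, rule, p, match string) string {
	sum := sha256.Sum256([]byte(strings.Join([]string{scanner, rule, p, match}, "\x00")))
	return hex.EncodeToString(sum[:8])
}

func (c *CodeScanner) ScanTree(files map[string]string) []Finding {
	seen := map[string]bool{}
	var out []Finding
	for p, content := range files {
		if skipFile(p, content) {
			continue
		}
		lang := extLang[path.Ext(p)]
		for i, line := range strings.Split(content, "\n") {
			if isComment(line) {
				continue
			}
			for _, r := range c.rules {
				if r.Langs != nil && !r.Langs[lang] { // nil Langs means "All"
					continue
				}
				m := r.Re.FindString(line)
				fp := fingerprint(c.Type(), r.ID, p, m)
				if m == "" || seen[fp] { // no match, or already reported
					continue
				}
				seen[fp] = true
				out = append(out, Finding{r.ID, r.CWE, r.Severity, p, fp, i + 1})
			}
		}
	}
	return out
}

// SampleTree is a constructed repository snapshot, not real project code.
func SampleTree() map[string]string {
	return map[string]string{
		"handlers/user.go": "package handlers\n// db.Query(\"SELECT \" + id) in a comment is skipped\nfunc f() { rows, _ := db.Query(\"SELECT * FROM u WHERE id=\" + id) }\n",
		"web/app.js":       "el.innerHTML = data;\nel.innerHTML = data;\nconst password = \"hunter22\";\n",
		"vendor/lib/x.php": "<?php shell_exec($cmd);\n",
		"admin.php":        "<?php $out = shell_exec($cmd);\n",
	}
}
```

Running `NewCodeScanner().ScanTree(SampleTree())` yields four findings: the Go SQL concatenation on line 3 (the commented copy on line 2 is skipped), one `innerHTML` alert for `web/app.js` (the second identical line collapses onto the same fingerprint), the hardcoded password, and the `shell_exec` in `admin.php`; the copy under `vendor/` is never scanned. Leaving the line number out of the fingerprint is the design choice that stops every alert from reopening after an unrelated edit shifts the file, at the cost of folding two identical matches in one file into a single alert.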
Severity Levels
| Severity | CVSS Score | Examples |
|---|---|---|
| Critical | 9.0+ | AWS keys, private keys, connection strings, PHP shell_exec |
| High | 7.0-8.9 | SQL injection, command injection, hardcoded passwords, path traversal |
| Medium | 4.0-6.9 | XSS, innerHTML, document.write, unsanitized path joins |
| Low | 0.1-3.9 | Weak crypto (MD5, SHA-1) |
| Info | 0 | Informational findings |
Repo Settings
Each scanner can be enabled/disabled per repo via Settings > Security. Defaults: secret scanner ON, dependency scanner ON, code scanner OFF.
API: `PATCH {owner}/{repo}/security/config` with `{"code_scanner": true}` to enable.
| Revision | Date | Author | Description |
|---|---|---|---|
| 2.0 | 2026-06-28 | Jonathan Miller (@jmiller) | Add code scanner (22 OWASP rules, 7 CWE categories) |
| 1.0 | 2026-06-07 | Jonathan Miller (@jmiller) | Initial version |