Security Scanning

Codity provides comprehensive security scanning capabilities to help identify vulnerabilities and dependency issues in your codebase before they reach production.

Overview

Codity's security scanning includes two main components:

• Security Vulnerability Scanning: Detects security vulnerabilities in your code
• Package Dependency Scanning: Identifies vulnerable or outdated dependencies
• License Compliance Scanning: Identifies license risks and copyleft compliance issues in dependencies

All scans run automatically on every pull request or merge request, providing immediate feedback to developers.

Security Vulnerability Scanning

Security vulnerability scanning analyzes your code for common security issues and weaknesses that could be exploited by attackers.

What It Detects

Code-Level Vulnerabilities:

• SQL Injection vulnerabilities
• Cross-Site Scripting (XSS) attacks
• Command Injection flaws
• Path Traversal vulnerabilities
• Insecure Deserialization
• Authentication and Authorization issues
• Insecure Cryptography usage
• Hard-coded credentials and secrets
• Insecure Random Number Generation
• XML External Entity (XXE) attacks

Security Misconfigurations:

• Insecure CORS configurations
• Missing security headers
• Insecure cookie settings
• Open redirects
• Improper error handling that exposes sensitive data
• Debug mode enabled in production code

OWASP Top 10 Coverage: Codity's scanning covers all OWASP Top 10 vulnerabilities, including:

• Broken Access Control
• Cryptographic Failures
• Injection attacks
• Insecure Design patterns
• Security Misconfiguration
• Vulnerable and Outdated Components
• Identification and Authentication Failures
• Software and Data Integrity Failures
• Security Logging and Monitoring Failures
• Server-Side Request Forgery (SSRF)

Severity Levels

Vulnerabilities are classified by severity to help prioritize fixes:

• Critical: Immediate action required - exploitable vulnerabilities that could lead to complete system compromise
• High: Should be fixed soon - serious vulnerabilities that could significantly impact security
• Medium: Should be addressed - moderate security issues that could be exploited under certain conditions
• Low: Consider fixing - minor security concerns or best practice violations
• Info: Informational - security recommendations and hardening suggestions

How It Works

1. Automatic Detection: Scans run automatically on every PR/MR
2. Inline Comments: Vulnerabilities are reported as inline comments on specific lines of code
3. Detailed Explanations: Each finding includes:
   • Description of the vulnerability
   • Why it's a security risk
   • Potential impact
   • Recommended fix with code examples
   • References to security standards (CWE, OWASP)
4. Context-Aware: Understands code context to minimize false positives
5. Multi-Language Support: Works with Python, JavaScript/TypeScript, Ruby, Java, PHP, Go, and more

Effectiveness

High Detection Rate:

• Comprehensive pattern-based detection covering major vulnerability classes
• 100% coverage of OWASP Top 10 categories
• Regular updates to detection patterns
• Incorporates latest security research

Low False Positive Rate:

• Advanced pattern matching reduces false positives
• Context-aware analysis understands code flow
• Configurable rules to match your security standards

Early Detection:

• Catches vulnerabilities before code review
• Prevents security issues from reaching production
• Reduces cost of fixing vulnerabilities (earlier is cheaper)
• Enables shift-left security practices

Package Dependency Scanning

Package dependency scanning identifies security vulnerabilities in third-party libraries and packages used by your project through CI log analysis.

What It Detects

Vulnerable Dependencies:

• Known CVE (Common Vulnerabilities and Exposures)
• Security advisories from package registries
• Exploitable vulnerabilities in dependencies
• Transitive dependency vulnerabilities (dependencies of dependencies)

Outdated Dependencies:

• Dependencies with available security patches
• End-of-life or unmaintained packages
• Deprecated packages with security concerns

Supported Package Managers

Codity scans dependencies from the following package managers via CI audit logs:

JavaScript/TypeScript:

• npm (npm audit)

Python:

• pip (pip-audit)
• Poetry (poetry check)

Java:

• Maven (maven dependency-check)
• Gradle (gradle dependencyCheckAnalyze)

Ruby:

• Bundler (bundler audit)

Go:

• Go modules (go list -m all | nancy)

How It Works

Codity analyzes your CI logs to extract dependency vulnerability information:

1. CI Log Detection: Automatically detects security audit output in your CI workflows
2. Log Parsing: Extracts vulnerability data from npm audit, pip-audit, bundler audit, etc.
3. Vulnerability Matching: Cross-references against vulnerability databases
4. Impact Assessment: Evaluates severity and exploitability
5. Fix Recommendations: Suggests specific version upgrades to resolve issues
6. Pull Request Comments: Reports findings directly on the PR/MR

Vulnerability Database Sources

Codity's dependency scanning uses data from:

• National Vulnerability Database (NVD)
• GitHub Security Advisories
• npm Security Advisories
• PyPI Security Advisories
• RubySec Advisory Database
• OSV (Open Source Vulnerabilities)

Business Benefits

Cost Savings:

• 10-100x cheaper to fix vulnerabilities early vs. production
• Reduced security incident costs
• Faster security review process

Time Savings:

• Automated scanning replaces manual security reviews
• Immediate feedback (no waiting for security team)
• Faster development cycles
• Reduced back-and-forth on security issues

Risk Reduction:

• Lower probability of breaches
• Reduced legal liability
• Better security reputation

Developer Experience

Seamless Integration:

• Works with existing workflows
• No additional tools to learn
• Clear, actionable feedback
• Fix suggestions with code examples

Learning and Growth:

• Developers learn secure coding patterns
• Immediate feedback loop
• References to security standards (CWE, OWASP)
• Builds security awareness

License Compliance Scanning

License compliance scanning analyzes your project's dependencies to identify license risks, copyleft obligations, and compliance issues.

How to Trigger

Comment /license-scan on any PR/MR to trigger a license compliance scan.

Supported Platforms:

• GitHub
• GitLab
• Azure DevOps
• Bitbucket

What It Detects

License Risk Classification:

• High Risk: Strong copyleft licenses (GPL-2.0, GPL-3.0, AGPL-3.0, SSPL-1.0, OSL) and proprietary/commercial licenses
• Medium Risk: Weak copyleft licenses (LGPL, MPL, EPL, EUPL, CDDL, CPL)
• Low Risk: Permissive licenses (MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense, CC0-1.0, Zlib, PostgreSQL, Python-2.0, and others)
• Unknown: Licenses that cannot be identified

Copyleft Detection:

• Identifies strong copyleft licenses (GPL, AGPL, OSL, SSPL) that require derivative works to use the same license
• Identifies weak copyleft licenses (LGPL, MPL, EPL, EUPL, CDDL) that have limited copyleft scope
• Detects FOSS exceptions (classpath-exception, gcc-exception) that reduce copyleft restrictions

OSI Approval Status:

• Reports whether each license is OSI (Open Source Initiative) approved

Supported Package Managers and Files

JavaScript/TypeScript:

• package-lock.json (npm)
• yarn.lock (Yarn)
• package.json (fallback)

Python:

• poetry.lock (Poetry)
• Pipfile.lock (Pipenv)
• requirements.txt (pip)

Ruby:

• Gemfile.lock (Bundler)
• Gemfile (fallback)

Java:

• pom.xml (Maven)
• build.gradle (Gradle)

Go:

• go.mod (Go modules)

Scan Results

Each scan result includes:

• Total packages scanned
• Risk breakdown (high, medium, low, unknown counts)
• Copyleft package count
• Compliance status
• Per-package details: package name, version, license ID, SPDX ID, risk level, copyleft status, and OSI approval

Additional Resources

• OWASP Top 10: https://owasp.org/www-project-top-ten/
• CWE Database: https://cwe.mitre.org/
• CVE Database: https://cve.mitre.org/
• NIST NVD: https://nvd.nist.gov/