Glossary

Reference for all abbreviations and technical terms used in CodeStax.

Security Terms

SAST — Static Application Security Testing

Analysis of source code to find security vulnerabilities without executing the program. CodeStax runs SAST on every scan, covering 30+ languages with OWASP and CWE pattern matching.

SCA — Software Composition Analysis

Identification of known vulnerabilities in third-party dependencies and open-source libraries. CodeStax’s SCA engine scans package manifests (package.json, requirements.txt, pom.xml, etc.) across 9 ecosystems.

IaC — Infrastructure as Code

Configuration files that define cloud infrastructure (Terraform, Kubernetes manifests, CloudFormation templates, Dockerfiles). CodeStax scans IaC files for misconfigurations and security issues.

CVE — Common Vulnerabilities and Exposures

A standardized identifier for publicly known security vulnerabilities. Format: CVE-YYYY-NNNNN (e.g., CVE-2024-1234). Each CVE is cataloged in the National Vulnerability Database.

CWE — Common Weakness Enumeration

A categorization system for software security weaknesses. Unlike CVEs (which are specific instances), CWEs describe classes of vulnerabilities (e.g., CWE-89: SQL Injection, CWE-79: Cross-Site Scripting).

CVSS — Common Vulnerability Scoring System

A standardized framework for rating vulnerability severity on a 0-10 scale:

Score       Rating
9.0-10.0    Critical
7.0-8.9     High
4.0-6.9     Medium
0.1-3.9     Low
0.0         None

EPSS — Exploit Prediction Scoring System

A probability score (0-1.0) predicting how likely a vulnerability is to be exploited in the wild within the next 30 days. An EPSS of 0.95 means 95% probability of exploitation. CodeStax uses EPSS alongside CVSS for prioritization.

KEV — Known Exploited Vulnerabilities

A catalog maintained by CISA (Cybersecurity and Infrastructure Security Agency) listing vulnerabilities that are confirmed to be actively exploited. KEV-listed vulnerabilities should be patched immediately.

OWASP — Open Worldwide Application Security Project

A nonprofit organization that produces security standards and guides. The OWASP Top 10 is the most widely referenced list of web application security risks.

Supply Chain Terms

SBOM — Software Bill of Materials

A comprehensive inventory of all software components, dependencies, and their versions in a project. Formats include SPDX and CycloneDX. Required by some regulatory frameworks for supply chain transparency.

VEX — Vulnerability Exploitability eXchange

A document that communicates whether a product is affected by a specific vulnerability. VEX complements SBOMs by clarifying which vulnerabilities in dependencies actually impact your application.

Code Quality Terms

AST — Abstract Syntax Tree

A tree representation of source code structure used by static analysis tools. CodeStax uses AST parsing to understand code relationships, function calls, and data flow for accurate vulnerability detection.

MI Index — Maintainability Index

A composite metric (0-100) measuring how maintainable code is, calculated from cyclomatic complexity, lines of code, and Halstead volume. Higher is better. Values above 65 indicate good maintainability.

Compliance & Governance Terms

RBAC — Role-Based Access Control

An access control model where permissions are assigned to roles (VIEWER, MEMBER, ORG_ADMIN, ORG_OWNER) rather than individual users. Each user is assigned a role that determines what they can view and do.

SOC 2

A compliance framework developed by the AICPA that evaluates an organization’s controls related to security, availability, processing integrity, confidentiality, and privacy. CodeStax maps scan findings to SOC 2 Trust Services Criteria.

ISO 27001

An international standard for information security management systems (ISMS). CodeStax maps findings to Annex A controls covering technical vulnerability management, secure development, and compliance.

Engineering Metrics

DORA — DevOps Research and Assessment

A set of four metrics that measure software delivery performance:

  1. Deployment Frequency — how often code reaches production
  2. Lead Time for Changes — time from commit to production
  3. Change Failure Rate — percentage of deployments causing failures
  4. Mean Time to Recovery — time to restore service after failure

CodeStax adapts these metrics for security: Review Frequency, Lead Time to Review, Change Failure Rate (security issues), and Mean Time to Review.

SARIF — Static Analysis Results Interchange Format

A JSON-based standard for representing static analysis tool output. CodeStax can import and export results in SARIF format for interoperability with other tools (e.g., GitHub Code Scanning, VS Code).

Other Terms

Quality Gate

A set of conditions that must be met for a scan or PR review to pass. Conditions include maximum severity thresholds, risk scores, and secret detection. Failed gates can block PR merges when enforced.

Vibe Coding

A term for AI-generated code that was accepted without thorough review. CodeStax detects vibe coding patterns such as placeholder implementations, excessive TODO markers, overly generic error handling, and inconsistent naming.

Risk Score

A 0-100 score assigned to each PR review, calculated from a weighted combination of security vulnerabilities (35%), secrets (25%), data handling (15%), code quality (15%), and architecture (10%).

Blast Radius

The scope of impact from a code change. CodeStax analyzes which downstream files, APIs, and services are affected by changes in a PR to help reviewers understand the potential impact of introducing a vulnerability.