
Scanner Details

CodeStax uses industry-leading open-source security scanners, each specialized for a different aspect of code security.

Semgrep — SAST

Type: Static Application Security Testing
Languages: 30+ including Python, JavaScript, TypeScript, Java, Go, Ruby, PHP, C#, Kotlin, Swift, Rust, and more

Semgrep performs pattern-based static analysis to find vulnerabilities in your source code.

What It Finds

  • Injection flaws — SQL injection, XSS, command injection, LDAP injection
  • Authentication issues — Hardcoded credentials, weak password handling
  • Cryptographic failures — Weak algorithms, insecure random, missing encryption
  • Access control — Path traversal, insecure direct object references
  • Security misconfigurations — Debug mode enabled, verbose error handling
  • OWASP Top 10 — Full coverage of the most critical web application security risks

Rule Coverage

  • OWASP Top 10 rules
  • CWE (Common Weakness Enumeration) mapped rules
  • Language-specific security patterns

Trivy — SCA

Type: Software Composition Analysis
Ecosystems: npm, pip, Maven, Gradle, Go modules, Cargo, Composer, RubyGems, NuGet

Trivy scans your dependency manifests to find known vulnerabilities (CVEs) in third-party packages.

What It Finds

  • Known CVEs — Vulnerabilities published in the National Vulnerability Database
  • Outdated packages — Dependencies with newer versions available
  • License issues — Dependencies with incompatible or copyleft licenses
  • Transitive dependencies — Vulnerabilities in packages your dependencies depend on

Supported Files

  • package.json / package-lock.json / yarn.lock
  • requirements.txt / Pipfile.lock / poetry.lock
  • pom.xml / build.gradle
  • go.sum / go.mod
  • Cargo.lock
  • composer.lock
  • Gemfile.lock
  • *.csproj / packages.config

Gitleaks — Secret Detection

Type: Credential and secret scanning

Gitleaks scans your repository for accidentally committed secrets.

What It Finds

  • API keys — AWS, GCP, Azure, Stripe, Twilio, SendGrid, etc.
  • Passwords — Hardcoded passwords in configuration files
  • Tokens — OAuth tokens, JWTs, personal access tokens
  • Private keys — SSH keys, TLS certificates
  • Database URLs — Connection strings with embedded credentials

Smart Filtering

CodeStax applies additional filtering on top of Gitleaks to reduce false positives:

  • Placeholder detection — Ignores values like YOUR_API_KEY, xxx, changeme
  • Test file exclusion — Skips mock data in test files
  • Example file filtering — Ignores .example and .sample files
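One way to implement the three filtering rules above, as an added Python example that is not CodeStax's own code: it post-processes a constructed list of Gitleaks-style findings (assuming the JSON report's RuleID, File and Secret keys) and records why each suppressed finding was dropped, so the suppressions themselves stay auditable.

```python
import re
from pathlib import PurePosixPath

# Constructed Gitleaks-style findings (the JSON report's "RuleID", "File", "Secret" keys are assumed); all values are made up.
SAMPLE_FINDINGS = [
    {"RuleID": "generic-api-key",  "File": "config/settings.py",         "Secret": "YOUR_API_KEY"},
    {"RuleID": "generic-api-key",  "File": "config/settings.py",         "Secret": "sk_live_CONSTRUCTED0123456789abcdef"},
    {"RuleID": "aws-access-token", "File": "tests/fixtures/aws_mock.py", "Secret": "AKIACONSTRUCTEDSAMPLE"},
    {"RuleID": "generic-password", "File": ".env.example",               "Secret": "pgpass-CONSTRUCTED-9f2c"},
    {"RuleID": "generic-password", "File": "deploy/db.conf",             "Secret": "xxxxxxxxxxxx"},
    {"RuleID": "private-key",      "File": "src/server/id_rsa",          "Secret": "-----BEGIN OPENSSH PRIVATE KEY-----"},
]

# Placeholder heuristics: obvious prefixes, runs of x, well-known dummy words, templating syntax.
PLACEHOLDER_PATTERNS = [
    re.compile(r"^(your|my|example|sample|dummy|fake)[_-]", re.I),
    re.compile(r"^x+$", re.I),
    re.compile(r"^(changeme|change_me|password|secret|todo|replace[_-]?me|placeholder)$", re.I),
    re.compile(r"^(<[^>]+>|\$\{[^}]+\})$"),  # <api-key>, ${API_KEY}
]
TEST_DIRS = {"test", "tests", "__tests__", "spec", "fixtures", "testdata", "mocks", "__mocks__"}
TEST_FILE = re.compile(r"^(test_.*|.*_test\.\w+|.*\.(test|spec)\.\w+)$", re.I)
EXAMPLE_PARTS = {"example", "sample"}

def is_placeholder(secret: str) -> bool:
    return any(p.search(secret.strip()) for p in PLACEHOLDER_PATTERNS)

def is_test_file(path: str) -> bool:
    p = PurePosixPath(path)
    return any(part.lower() in TEST_DIRS for part in p.parts[:-1]) or bool(TEST_FILE.match(p.name))

def is_example_file(path: str) -> bool:
    # ".env.example" -> ["", "env", "example"]; "config.sample.yml" -> ["config", "sample", "yml"]
    return any(part.lower() in EXAMPLE_PARTS for part in PurePosixPath(path).name.split(".")[1:])

def filter_findings(findings):
    """Split findings into (kept, suppressed); each suppressed entry records why it was dropped."""
    kept, suppressed = [], []
    for f in findings:
        if is_placeholder(f["Secret"]):
            reason = "placeholder"
        elif is_test_file(f["File"]):
            reason = "test-file"
        elif is_example_file(f["File"]):
            reason = "example-file"
        else:
            kept.append(f)
            continue
        suppressed.append({**f, "Reason": reason})
    return kept, suppressed
```

On the constructed sample only the live-looking API key and the private key survive; keep the suppressed list in the scan output rather than discarding it, so a mis-classified real secret can still be spotted in review.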

Checkov — IaC Scanning

Type: Infrastructure-as-Code security

Checkov scans your infrastructure configuration files for security misconfigurations.

Supported Formats

Format         | File Types
Terraform      | .tf, .tfvars
Kubernetes     | YAML manifests, Helm charts
CloudFormation | JSON/YAML templates
Dockerfile     | Dockerfile
Docker Compose | docker-compose.yml
ARM Templates  | Azure Resource Manager templates

What It Finds

  • Open security groups — Unrestricted inbound/outbound rules
  • Unencrypted storage — S3 buckets, EBS volumes without encryption
  • Public access — Resources exposed to the internet
  • Missing logging — CloudTrail, access logs not enabled
  • Weak IAM policies — Overly permissive roles and policies

Hadolint — Container Security

Type: Dockerfile linting and security analysis

What It Finds

  • Insecure base images — Use of the latest tag, non-official images
  • Running as root — Missing USER directive
  • Package pinning — Unpinned package versions in apt-get install commands
  • Layer optimization — Best practices for Docker layer caching
  • Security best practices — COPY vs ADD, health checks, signal handling