Platform / Code Security

Code Security

Find it, prioritize it by real exploitability, gate the release, and open the fix PR.

The problem

What this replaces

Application security findings pile up in scanner outputs nobody owns: unreachable dependency CVEs drown the exploitable ones, secrets slip through, and 'did we ship it anyway?' has no auditable answer.

The solution

What Offload does

Repository and uploaded-code scanning across every layer — static analysis, dependencies, secrets, infrastructure-as-code, and supply chain — turned into governed, auditable release decisions with fix automation.

Capabilities

What you get

  • SAST (OpenGrep, Bandit, optional SonarQube) with in-context code excerpts on every finding
  • SCA backed by OSV.dev and Grype, enriched with CISA KEV and EPSS on every finding
  • Known-malicious package detection (OpenSSF MAL advisories) and typosquat detection — both can block release
  • Import-level reachability classification to cut dependency noise (advisory; never weakens the gate)
  • Secrets detection with Gitleaks (~150 curated rules + entropy), fingerprinted and triageable
  • IaC scanning with Checkov: Terraform, CloudFormation, Kubernetes, Dockerfile, Helm
  • Deterministic, versioned release gates enforceable as required GitHub commit statuses
  • Automated fix pull requests — pushed to a dedicated fix branch, never the base branch
  • Governed triage: risk acceptance with owner/justification/expiry; false positives with reviewer evidence
  • GitHub and Bitbucket with encrypted tokens; ZIP upload for air-gapped code; CI/CD API keys
Under the hood

How it works

Repositories are shallow-cloned into an isolated, scan-scoped workspace with hardened git settings; scanners run locally and the workspace is deleted when the scan completes — on success and on failure. Only findings and small per-finding code excerpts are retained, never the source tree.

Release-gate evaluation is deterministic and policy-versioned: the same scan against the same policy always yields the same pass/review/fail decision, with blocking rule identifiers recorded — an audit-defensible answer to 'why did this ship?'.

One platform, one risk view

Code findings share the unified vulnerability queue, mint supply-chain and license violations into the risk register, and appear alongside cloud and Kubernetes findings in a single per-repository report.

See Code Security on your own data.