Code Security
Find it, prioritize it by real exploitability, gate the release, and open the fix PR.
What this replaces
Application security findings pile up in scanner outputs nobody owns: unreachable dependency CVEs drown the exploitable ones, secrets slip through, and 'did we ship it anyway?' has no auditable answer.
What Offload does
Repository and uploaded-code scanning across every layer — static analysis, dependencies, secrets, infrastructure-as-code, and supply chain — turned into governed, auditable release decisions with fix automation.
What you get
- SAST (OpenGrep, Bandit, optional SonarQube) with in-context code excerpts on every finding
- SCA backed by OSV.dev and Grype, enriched with CISA KEV and EPSS on every finding
- Known-malicious package detection (OpenSSF MAL advisories) and typosquat detection — both can block release
- Import-level reachability classification to cut dependency noise (advisory; never weakens the gate)
- Secrets detection with Gitleaks (~150 curated rules + entropy), fingerprinted and triageable
- IaC scanning with Checkov: Terraform, CloudFormation, Kubernetes, Dockerfile, Helm
- Deterministic, versioned release gates enforceable as required GitHub commit statuses
- Automated fix pull requests — pushed to a dedicated fix branch, never the base branch
- Governed triage: risk acceptance with owner/justification/expiry; false positives with reviewer evidence
- GitHub and Bitbucket with encrypted tokens; ZIP upload for air-gapped code; CI/CD API keys
How it works
Repositories are shallow-cloned into an isolated, scan-scoped workspace with hardened git settings; scanners run locally and the workspace is deleted when the scan completes — on success and on failure. Only findings and small per-finding code excerpts are retained, never the source tree.
Release-gate evaluation is deterministic and policy-versioned: the same scan against the same policy always yields the same pass/review/fail decision, with blocking rule identifiers recorded — an audit-defensible answer to 'why did this ship?'.
One platform, one risk view
Code findings share the unified vulnerability queue, mint supply-chain and license violations into the risk register, and appear alongside cloud and Kubernetes findings in a single per-repository report.