Code Scanning (SAST)
Run Static Application Security Testing (SAST) directly against your source code repositories. Find vulnerabilities, code smells, security hotspots, and dependency vulnerabilities before they reach production.
Overview
Code Scanning runs directly against your source code — not against runtime targets like the other scan modes. It connects to your Git repository, clones the code, and analyzes it with SonarQube engines.
What it finds
- Bugs — logic errors that could crash or misbehave
- Vulnerabilities — exploitable security weaknesses (SQLi, XSS, etc.)
- Code smells — maintainability issues
- Security hotspots — code requiring manual review
- Dependency vulns — CVEs in third-party packages you depend on
Git integration
Before running a code scan, connect your Git account to Auto-Offensive. The platform supports GitHub and GitLab.
Trigger a code scan
Submit a code scan via REST API or Web UI. The scan targets a specific branch, commit, or pull request.
How to use via UI
- Navigate to the 'Code Scanning' page from the sidebar.
- Select your Repository from the list.
- Select the Branch you want to scan (e.g., main).
- Click the 'Start Scan' button.
Track progress
Tracking via UI
- You will see the scan Status change (Pending -> Running -> Completed).
- You can click 'View Logs' to watch the live scanning process.
Issues & severity
When a scan completes, it produces issues classified by type and severity.
| Severity | Meaning | Action |
|---|---|---|
| BLOCKER | Most severe bug | Fix immediately |
| CRITICAL | Bug or vuln very harmful | Fix before release |
| MAJOR | Important quality issue | Plan to fix |
| MINOR | Less important quality issue | Team review |
| INFO | For information only | No action required |
Fetching issues
Viewing issues via UI
- When the scan completes, go to the 'Issues' tab.
- You can use filters to view by Severity (CRITICAL, MAJOR...).
- Click on any issue to see the code line and fix instructions.
Security hotspots
Security hotspots are code lines that warrant manual review — not confirmed vulnerabilities, but patterns that could be problematic if used incorrectly.
Reviewing via UI
- Go to the 'Security Hotspots' tab.
- Review each hotspot and mark it as 'Safe' or 'Vulnerable'.
Dependency vulnerabilities
Auto-Offensive includes dependency scanners that check third-party packages for known CVEs. It runs different scanners depending on the language:
| Language | Scanner | Manifest |
|---|---|---|
| Go | govulncheck | go.mod / go.sum |
| Python | pip-audit | requirements.txt / pyproject.toml |
| JavaScript / Node | npm audit | package.json / package-lock.json |
| Java / Maven | dependency-check | pom.xml |
Results via UI
- Go to the 'Dependencies' tab.
- You will see a list of outdated or vulnerable packages.
- The system will recommend the Version you should update to.
Quality gates
Quality gates are rules that determine if a scan passes or fails. For example: "no CRITICAL vulnerabilities" or "code coverage > 80%". Auto-Offensive reports the quality gate result directly in the scan summary.
Checking via UI
- In the Summary page, you will see a large badge showing 'Passed' or 'Failed'.
- If it fails, it will list the conditions that were not met (e.g., Coverage too low).