• Tools
  • Features
  • Resources

Introduction

Getting Started

Platform Features

Scanning
AI Analysis
Code Scanning (SAST)
OverviewGit integrationTrigger a code scanIssues & severitySecurity hotspotsDependency vulnsQuality gates
Reports
Dashboard & Analytics

Developer Reference

REST API
CLI Reference
CI/CD Integration
Tool Tactics
⌘K

On this page

OverviewGit integrationTrigger a code scanIssues & severitySecurity hotspotsDependency vulnsQuality gates
Powered by SonarQube

Code Scanning (SAST)

Run Static Application Security Testing (SAST) directly against your source code repositories. Find vulnerabilities, code smells, security hotspots, and dependency vulnerabilities before they reach production.

Overview

Code Scanning runs directly against your source code — not against runtime targets like the other scan modes. It connects to your Git repository, clones the code, and analyzes it with SonarQube engines.

What it finds

  • Bugs — logic errors that could crash or misbehave
  • Vulnerabilities — exploitable security weaknesses (SQLi, XSS, etc.)
  • Code smells — maintainability issues
  • Security hotspots — code requiring manual review
  • Dependency vulns — CVEs in third-party packages you depend on

Git integration

Before running a code scan, connect your Git account to Auto-Offensive. The platform supports GitHub and GitLab.

OAuth or Personal Access Token
Connect via OAuth for typical repository access, or use a Personal Access Token (PAT) for private repositories requiring explicit scopes (repo, read:org).

Trigger a code scan

Submit a code scan via REST API or Web UI. The scan targets a specific branch, commit, or pull request.

How to use via UI

  1. Navigate to the 'Code Scanning' page from the sidebar.
  2. Select your Repository from the list.
  3. Select the Branch you want to scan (e.g., main).
  4. Click the 'Start Scan' button.

Track progress

Tracking via UI

  1. You will see the scan Status change (Pending -> Running -> Completed).
  2. You can click 'View Logs' to watch the live scanning process.

Issues & severity

When a scan completes, it produces issues classified by type and severity.

SeverityMeaningAction
BLOCKERMost severe bugFix immediately
CRITICALBug or vuln very harmfulFix before release
MAJORImportant quality issuePlan to fix
MINORLess important quality issueTeam review
INFOFor information onlyNo action required

Fetching issues

Viewing issues via UI

  1. When the scan completes, go to the 'Issues' tab.
  2. You can use filters to view by Severity (CRITICAL, MAJOR...).
  3. Click on any issue to see the code line and fix instructions.

Security hotspots

Security hotspots are code lines that warrant manual review — not confirmed vulnerabilities, but patterns that could be problematic if used incorrectly.

Hotspot ≠ Vulnerability
Hotspots say "show me this," not "I found it." Example: usage of SecureRandom() — not a bug, but worth reviewing to make sure it's used correctly.

Reviewing via UI

  1. Go to the 'Security Hotspots' tab.
  2. Review each hotspot and mark it as 'Safe' or 'Vulnerable'.

Dependency vulnerabilities

Auto-Offensive includes dependency scanners that check third-party packages for known CVEs. It runs different scanners depending on the language:

LanguageScannerManifest
Gogovulncheckgo.mod / go.sum
Pythonpip-auditrequirements.txt / pyproject.toml
JavaScript / Nodenpm auditpackage.json / package-lock.json
Java / Mavendependency-checkpom.xml

Results via UI

  1. Go to the 'Dependencies' tab.
  2. You will see a list of outdated or vulnerable packages.
  3. The system will recommend the Version you should update to.

Quality gates

Quality gates are rules that determine if a scan passes or fails. For example: "no CRITICAL vulnerabilities" or "code coverage > 80%". Auto-Offensive reports the quality gate result directly in the scan summary.

Checking via UI

  1. In the Summary page, you will see a large badge showing 'Passed' or 'Failed'.
  2. If it fails, it will list the conditions that were not met (e.g., Coverage too low).
Use in CI/CD
Your pipelines can poll the quality gate and fail the build if the gate fails. See the CI/CD Integration docs for a full example.
Previous
AI Analysis
Next
Reports