Scan Source Code
Scan your source code for security issues, bad practices, and leaked secrets. DevGuard detects first-party vulnerabilities in your own code using multiple analysis techniques.
Prerequisites
Before you begin, ensure you have:
- Docker installed on your system
- A personal access token from DevGuard (create one in user settings)
- A repository created in DevGuard
Scan Source Code
Run Static Application Security Testing (SAST) to identify security vulnerabilities and bad practices in your source code:
What the Scanner Does
- Analyzes Source Code: Scans your repository for security vulnerabilities, bad practices, and secrets
- Generates SARIF Report: Creates a structured Static Analysis Results Interchange Format (SARIF) report with findings
- Uploads Results: Sends the SARIF report to DevGuard
- Server-Side Processing: DevGuard processes and normalizes the findings for consistent tracking
Verify it worked: Navigate to your repository in DevGuard. You'll see detected vulnerabilities listed with severity levels, locations in your code, and remediation guidance.
CI/CD Integration
For automated source code scanning in CI/CD pipelines, DevGuard provides ready-to-use integrations:
- GitHub Actions: See Scan with GitHub Actions for setup instructions
- GitLab CI: See Scan with GitLab CI for setup instructions
Advanced Options
Fail the command based on risk level:
Set a custom origin to track scan source:
Specify Git reference information:
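The risk-level gate described above works on the SARIF report the scanner produces. The following is an added example, not DevGuard's own code or CLI: it reads a constructed SARIF 2.1.0 document, flattens the findings into rule, level, severity, file and line, and returns whether a pipeline step should fail. The `security-severity` rule property and the 7.0 threshold are assumptions chosen for illustration.

```python
import json

# Constructed sample SARIF 2.1.0 document (not real DevGuard output) showing the
# structure a SAST scanner emits: runs -> tool rules and results with locations.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "hardcoded-secret", "properties": {"security-severity": "9.0"}},
            {"id": "weak-hash", "properties": {"security-severity": "5.5"}},
        ]}},
        "results": [
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "cloud API key committed in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"},
                 "region": {"startLine": 40}}}]},
        ],
    }],
}

# SARIF result levels, ordered from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def findings(sarif):
    """Flatten a SARIF document into (rule, level, severity, file, line) tuples."""
    out = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            # security-severity is an assumed CVSS-style score on the rule; 0 if absent.
            sev = float(rule.get("properties", {}).get("security-severity", 0))
            loc = res.get("locations", [{}])[0].get("physicalLocation", {})
            out.append((res.get("ruleId"), res.get("level", "warning"), sev,
                        loc.get("artifactLocation", {}).get("uri"),
                        loc.get("region", {}).get("startLine")))
    return out


def should_fail(sarif, min_level="error", min_severity=7.0):
    """Gate: fail when any finding reaches the SARIF level or the severity threshold."""
    return any(LEVEL_RANK[lvl] >= LEVEL_RANK[min_level] or sev >= min_severity
               for _, lvl, sev, _, _ in findings(sarif))


if __name__ == "__main__":
    for item in findings(SAMPLE_SARIF):
        print(item)
    raise SystemExit(1 if should_fail(SAMPLE_SARIF) else 0)
```

To gate on a real report, load it with `json.load` and pass the resulting dict to `should_fail`.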