🚧 DevGuard & this page is under active development. Visit the DevGuard Repo →

Scan Source Code

Scan your source code for security issues, bad practices, and leaked secrets. DevGuard detects first-party vulnerabilities in your own code using multiple analysis techniques.

Prerequisites

Before you begin, ensure you have:

Docker installed on your system
A personal access token from DevGuard (create one in user settings)
A repository created in DevGuard

Scan Source Code

Run Static Application Security Testing (SAST) to identify security vulnerabilities and bad practices in your source code:

docker run -v "$(PWD):/dev/app" ghcr.io/l3montree-dev/devguard/scanner:main-latest \
  devguard-scanner sast \
    --path /dev/app/ \
    --assetName="myorg/projects/myproject/assets/myrepo" \
    --apiUrl="https://api.devguard.org" \
    --token="YOUR_TOKEN"

SAST uses Semgrep to analyze your code for potential security issues without executing it.

Scan your repository for accidentally committed secrets like API keys, passwords, and tokens:

docker run -v "$(PWD):/dev/app" ghcr.io/l3montree-dev/devguard/scanner:main-latest \
  devguard-scanner secret-scanning \
    --path /dev/app/ \
    --assetName="myorg/projects/myproject/assets/myrepo" \
    --apiUrl="https://api.devguard.org" \
    --token="YOUR_TOKEN"

⚠️

Secret scanning should be run regularly to detect accidental secrets before they are exposed publicly.

Scan Infrastructure as Code (IaC) files for misconfigurations and security issues:

docker run -v "$(PWD):/dev/app" ghcr.io/l3montree-dev/devguard/scanner:main-latest \
  devguard-scanner iac \
    --path /dev/app/ \
    --assetName="myorg/projects/myproject/assets/myrepo" \
    --apiUrl="https://api.devguard.org" \
    --token="YOUR_TOKEN"

IaC scanning detects misconfigurations in your Terraform, Kubernetes, and other infrastructure definitions.

Replace myorg/projects/myproject/assets/myrepo with your repository’s slug. You can copy this from the URL when viewing your repository in the DevGuard UI.

What the Scanner Does

Analyzes Source Code: Scans your repository for security vulnerabilities, bad practices, and secrets
Generates SARIF Report: Creates a structured Security Analysis Results Format (SARIF) report with findings
Uploads Results: Sends the SARIF report to DevGuard
Server-Side Processing: DevGuard processes and normalizes the findings for consistent tracking

Verify it worked: Navigate to your repository in DevGuard. You’ll see detected vulnerabilities listed with severity levels, locations in your code, and remediation guidance.

CI/CD Integration

For automated source code scanning in CI/CD pipelines, DevGuard provides ready-to-use integrations:

GitHub Actions: See Scan with GitHub Actions for setup instructions
GitLab CI: See Scan with GitLab CI for setup instructions

Advanced Options

Fail the command based on risk level:

--failOnRisk=critical  # Options: low, medium, high, critical (default: critical)
--failOnCVSS=critical  # Options: low, medium, high, critical (default: critical)

Set a custom origin to track scan source:

--origin="my-custom-origin"  # Default is "DEFAULT"

Specify Git reference information:

--ref="feature-branch"         # Git reference (branch, tag, or commit). Default is "main"
--defaultRef="main"            # Default Git reference to use. Default is "main"
--isTag=true                   # Indicates if the reference is a tag. Default is false

These flags help DevGuard track which branch or tag the scan is associated with. DevGuard will attempt to auto-detect Git information from the current directory if these flags are not specified.

Scan OCI Images Scan Dependencies