# Code Security Scanning

## Overview
Code Security scans your connected repositories for security issues such as hardcoded secrets, API keys, and other vulnerabilities in your source code. Findings are presented with their file path, category, repository, and criticality.
## Repository Integration

### Supported Platforms
| Platform | Features |
|---|---|
| GitHub | Full integration |
| GitLab | Full integration |
| Bitbucket | Full integration |
| Azure DevOps | Full integration |
### Connecting Repositories

1. Navigate to Code → Code Security
2. Click Connect Repository
3. Select platform
4. Authorize Bastion
5. Select repositories to monitor
### Repository Permissions
Bastion requires:
- Read access to code
- Read access to package manifests
- Webhook permissions (optional)
## Scanning

### What We Detect
| Category | Examples |
|---|---|
| Secrets | API keys, tokens, passwords, private keys |
| Credentials | Database connection strings, cloud credentials |
| Configuration | Insecure settings, debug flags in production |
| Vulnerabilities | Known vulnerability patterns in source code |
### Scan Process

1. Repository code is analyzed
2. Files are checked against detection rules
3. Findings are categorized and rated by criticality
4. Results are presented in the Code Security table
### Scan Schedule
Scans run:
- Monthly scheduled scan
- Manual trigger via the Rescan button
## Viewing Results

### Code Security Table
Each finding includes:
| Column | Description |
|---|---|
| Path | File path where the issue was found |
| Category | Type of security issue |
| Repo | Repository name |
| Detection Date | When the issue was discovered |
| Criticality | Severity rating |
### Finding Details
Click on a finding to view:
- Full file path and location
- Issue description and category
- Criticality level
- Remediation guidance
## Remediation

### Workflow
| Action | When to Use |
|---|---|
| Fix | Remove or rotate the exposed secret |
| Rotate | Generate new credentials and revoke old ones |
| Accept | Risk accepted (documented) |
## Best Practices

### Rotate Exposed Secrets Immediately
When a secret is found in code, rotate it immediately — even if the repository is private.
### Use Environment Variables
Store secrets in environment variables or a secrets manager, never in source code.
### Enable Pre-commit Hooks
Use pre-commit hooks to prevent secrets from being committed in the first place.
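As an added illustration of both the Scan Process above (files checked against rules, findings categorized and rated by criticality) and this pre-commit advice, here is a minimal hook script. It is not Bastion's code; the detection patterns, the `--demo` flag and the sample file content are constructed for the example, and the hook mode assumes the `git` CLI is on PATH.

```python
import re
import subprocess
import sys

# Constructed detection rules, one per category from the scanning table above;
# the patterns are simplified placeholders, not a production rule set.
RULES = [
    ("Secrets", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Credentials", "high", re.compile(r"\b(?:postgres|mysql)://[^\s:/]+:[^\s@]+@")),
    ("Configuration", "medium", re.compile(r"^\s*DEBUG\s*=\s*True\b", re.IGNORECASE)),
]

# Constructed sample file content, scanned when the script is run with --demo.
SAMPLE_FILE = """aws_key = 'AKIAABCDEFGHIJKLMNOP'
DEBUG = True
db_url = 'postgres://app:s3cret@db.internal/app'
name = 'harmless'
"""

def scan_text(path, text):
    """Return one finding per (line, rule) match: path, line, category, criticality."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, criticality, pattern in RULES:
            if pattern.search(line):
                findings.append({"path": path, "line": lineno,
                                 "category": category, "criticality": criticality})
    return findings

def staged_files():
    """Paths added, copied or modified in the git index (needs the git CLI)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()

def main(argv):
    if "--demo" in argv:
        findings = scan_text("demo/settings.py", SAMPLE_FILE)
    else:
        findings = []
        for path in staged_files():
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except OSError:
                continue  # unreadable path, nothing to scan
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['category']} [{f['criticality']}]")
    return 1 if findings else 0  # non-zero exit makes git abort the commit

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Save it as `.git/hooks/pre-commit` (executable) to block commits that match a rule; run it with `--demo` to see the three sample findings without a repository.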
### Monitor All Repositories
Include all repositories, even internal tools and scripts.
## Compliance Evidence
Code security scanning supports:
| Framework | Requirement |
|---|---|
| SOC 2 | CC6.1 |
| ISO 27001 | A.14.2.5 |