Code Quality
The code quality scanner performs static application security testing (SAST) on your source code. It identifies insecure patterns, injection vulnerabilities, and language-specific anti-patterns without executing any code. Findings are categorised by severity and mapped to CWE and OWASP references.
What it detects
Injection flaws
SQL injection, command injection, LDAP injection, and OS command execution where user input flows into sensitive operations without sanitisation.
Cross-site scripting (XSS)
Reflected, stored, and DOM-based XSS patterns across frontend frameworks and server-rendered templates.
Authentication and authorisation
Weak password policies, hardcoded credentials, session management flaws, privilege escalation paths, and broken access control patterns.
Cryptography issues
Use of weak encryption algorithms, insecure random number generation, and hardcoded cryptographic keys or salts.
Framework-specific patterns
Security misconfigurations in Django, Express.js, Spring, Rails, Vue.js, and other popular frameworks — including unsafe cookie settings, disabled CSRF protection, and misconfigured CORS.
Supported languages
The scanner supports a wide range of languages and detects issues using community-maintained rule sets that are regularly updated:
How it works
The scanner downloads the repository archive, extracts it, and runs a rule-based static analysis engine against the source code. Language detection is automatic based on file extensions. Each rule defines a pattern to match and metadata describing the vulnerability, its severity, and how to fix it.
Results include data flow information where applicable — showing how user input (the source) reaches a sensitive operation (the sink) through the code. This helps developers understand why a finding is flagged and how to remediate it.
Duplicate findings across different rules targeting the same code location are automatically deduplicated before results are published.
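As an added illustration (not the scanner's own engine or rule format), the following Python sketch shows the source-to-sink tracking and same-location deduplication described above: each rule is a source/sink pattern pair with severity, CWE and fix metadata, and a second, narrower rule deliberately flags the same line so that deduplication has something to collapse. The rule ids, the sample handler and the keep-most-severe dedup policy are assumptions.

```python
import re
# Hypothetical rule shape (source/sink regex pair plus metadata), not the scanner's real schema.
RULES = [
    {"id": "py.sqli.taint", "severity": "high", "cwe": "CWE-89",
     "source": r"request\.(?:args|form)\.get\(", "sink": r"cursor\.execute\(",
     "fix": "Bind user input as query parameters"},
    {"id": "py.sqli.fstring", "severity": "medium", "cwe": "CWE-89",
     "source": r"request\.", "sink": r"cursor\.execute\(\s*f[\"']",
     "fix": "Do not build SQL with f-strings"},
]
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+)$")
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def scan(src, rules=RULES):
    """Line-based taint tracking: a sink line that uses a variable tainted by a source is a finding."""
    findings = []
    for rule in rules:
        tainted = {}  # var -> trace of (line, text) from the source to this assignment
        for no, text in enumerate(src.splitlines(), 1):
            m = ASSIGN.match(text)
            if m:
                var, rhs = m.groups()
                via = next((v for v in tainted if re.search(rf"\b{v}\b", rhs)), None)
                if re.search(rule["source"], rhs):
                    tainted[var] = [(no, text.strip())]          # taint enters here
                elif via:
                    tainted[var] = tainted[via] + [(no, text.strip())]  # taint propagates
                else:
                    tainted.pop(var, None)  # reassigned from clean data
            if re.search(rule["sink"], text):
                used = [v for v in tainted if re.search(rf"\b{v}\b", text)]
                if used:
                    findings.append({"rule": rule["id"], "severity": rule["severity"],
                                     "cwe": rule["cwe"], "line": no, "fix": rule["fix"],
                                     "flow": tainted[used[0]] + [(no, text.strip())]})
    return findings

def dedupe(findings):
    """Collapse findings at the same line; assumed policy: keep the most severe one."""
    best = {}
    for f in findings:
        if f["line"] not in best or RANK[f["severity"]] > RANK[best[f["line"]]["severity"]]:
            best[f["line"]] = f
    return sorted(best.values(), key=lambda f: f["line"])
# Constructed sample: a Flask-style handler that interpolates a query parameter into SQL.
SAMPLE = ("def lookup():\n"
          "    name = request.args.get('name')\n"
          "    clause = f\"name = '{name}'\"\n"
          "    cursor.execute(f'SELECT * FROM users WHERE {clause}')\n"
          "    cursor.execute('SELECT 1')\n")
```

Running `dedupe(scan(SAMPLE))` yields one high-severity CWE-89 finding on line 4 whose flow lists lines 2, 3 and 4; the constant query on line 5 is not flagged.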