Security in SourceCraft

Many incidents related to secret leaks are caused by repository configuration errors. The number of CVEs increases every year. DevOps cycles have accelerated to the point where manual security checks are inefficient and expensive.

SourceCraft combines code management, CI/CD, and built-in security tools designed to ensure reliable and secure development processes, helping you build stable and secure products.

By default, SourceCraft includes the Secret Scanning and Supply Chain features, which detect the risk of secrets leaking through code and the risk of exploitable vulnerabilities in the dependencies used during software development.

Secret Scanning: Searching for secrets in commit history

Secret Scanning is a tool that checks every commit in the repository history for sensitive data contained in the code, e.g., API keys, tokens, certificates, and other secrets.

Scanning relies on a signature engine that looks for patterns matching the string formats of various secret types. Detected code fragments are displayed in the repository under Security, in the Secret Scanning section.

For each secret found, the following information will be provided:

  • Secret type.
  • Commit ID and last detection time.
  • Path to the file and the code snippet containing the secret.
  • Incident status: Open or Resolved.
  • False positive mark (if any).

For more information, see Secret Scanning in a SourceCraft repository.
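As an added illustration of the signature-based scan described above (example code written for this page, not SourceCraft's own implementation), the following Python models a scanner that walks every commit in a constructed history, matches a small hypothetical signature table, and derives the Open/Resolved status and false-positive mark for each finding. The signature patterns, placeholder list, and commit data are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical signature table (secret type -> pattern); SourceCraft's real
# signature set is not described on the page. Common public formats are used.
SIGNATURES = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Private key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}  # documented sample values -> false-positive mark

@dataclass
class Finding:
    secret_type: str
    path: str
    snippet: str
    commit_id: str        # most recent commit in which the secret was seen
    false_positive: bool
    status: str = "Open"  # Open while still present in HEAD, else Resolved

def scan_history(commits):
    """Scan every commit (oldest first; each carries a full file snapshot)."""
    findings = {}  # (type, path, matched text) -> Finding
    for commit in commits:
        for path, content in commit["files"].items():
            for line in content.splitlines():
                for secret_type, pattern in SIGNATURES.items():
                    for match in pattern.finditer(line):
                        key = (secret_type, path, match.group(0))
                        if key in findings:
                            findings[key].commit_id = commit["id"]
                        else:
                            findings[key] = Finding(
                                secret_type, path, line.strip(), commit["id"],
                                match.group(0) in KNOWN_PLACEHOLDERS)
    head_files = commits[-1]["files"]  # newest snapshot decides Open vs Resolved
    for (_, path, secret), finding in findings.items():
        if secret not in head_files.get(path, ""):
            finding.status = "Resolved"
    return sorted(findings.values(), key=lambda f: (f.status, f.path))

# Constructed history: a key is committed in c1 and removed in c2 (Resolved), a
# documented placeholder stays (Open, false positive), a key file lands in c3 (Open).
SAFE_CONFIG = "AWS_KEY = os.environ['AWS_KEY']\n"
README = "Example key: AKIAIOSFODNN7EXAMPLE\n"
COMMITS = [
    {"id": "c1", "files": {"config.py": "AWS_KEY = 'AKIAZZZZTESTTESTTEST'\n"}},
    {"id": "c2", "files": {"config.py": SAFE_CONFIG, "README.md": README}},
    {"id": "c3", "files": {"config.py": SAFE_CONFIG, "README.md": README,
                           "deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\n..."}},
]
```

Calling `scan_history(COMMITS)` returns three findings: the README placeholder (Open, marked false positive), the private key in `deploy.pem` (Open), and the key removed in c2 (Resolved, last seen in c1). Note that a removed secret is only Resolved in the sense of no longer being in HEAD; it remains in history and should still be rotated.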

Supply Chain security: Dependency analysis

SourceCraft features dependency analysis (Software Composition Analysis, SCA) for dependencies used in repositories.

SCA is a set of tools that provide insight into the dependencies used in the software development process and the known vulnerabilities in them.

SCA automatically builds a Software Bill of Materials (SBOM) – a list of all the project's dependencies including transitive ones – and cross-references them with current CVE databases.

The SCA output includes critical vulnerability incidents, update recommendations, license reports, and, where needed, automatic pull requests with secure versions. The tool runs in the background without adding load to CI/CD, providing developers and security teams with a transparent and manageable environment for working with open-source components. Detected vulnerabilities are displayed in the repository under Security, in the Dependencies section.

For each vulnerability found, the following information will be provided:

  • CVE ID, package name and current version.
  • Color code of the detected issue's severity level.
  • Incident status: Open or Resolved.
  • False positive mark (if any).

For more information, see Analyzing vulnerabilities in SourceCraft repository dependencies.
