Security Framework


This page describes features that are in private beta. Request early access to get them sooner.

Qlty allows you to effortlessly automate all five types of static analysis security scanning and process results in a unified experience.

Application code scanning (SAST)

Application code scanning, also known as Static Application Security Testing (SAST), analyzes your source code to identify potential security vulnerabilities such as SQL injection, cross-site scripting (XSS), insecure authentication, and more.

Qlty offers Semgrep for application code scanning.

Open Source vulnerability scanning (SCA)

Open Source vulnerability scanning, sometimes referred to as Software Composition Analysis (SCA), identifies known security vulnerabilities in the open-source components and libraries that your application uses. It does this by matching each third-party dependency and its version against published vulnerability advisories, which helps you keep dependencies up to date and flags security risks that arise from outdated or insecure open-source code.

Qlty offers OSV Scanner for Open Source vulnerability scanning.
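The core of an SCA check is version matching: each locked dependency is compared against the affected version ranges in an advisory database. The following is an added example, not Qlty's or OSV Scanner's code, that does this for a pip-style lockfile against a small advisory list. The package names, versions and advisory identifiers are constructed for the example and are not real advisories; real scanners pull ranges from a feed such as OSV rather than a hard-coded list.

```python
"""Added example: match lockfile dependencies against advisory version ranges."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None means no fix yet
    advisory_id: str


# Constructed sample advisories; these are not real vulnerabilities.
ADVISORIES: List[Advisory] = [
    Advisory("example-http", "2.0.0", "2.4.1", "EXAMPLE-ADV-0001"),
    Advisory("example-yaml", "0.0.0", None, "EXAMPLE-ADV-0002"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a version string to a comparable (major, minor, patch) tuple.

    Trailing non-numeric suffixes such as '3rc1' are truncated to their
    leading digits; missing components are treated as zero.
    """
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed), or [introduced, inf) if unfixed."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def parse_requirements(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; comments and unpinned lines are skipped."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def scan(requirements_text: str, advisories: List[Advisory] = ADVISORIES) -> List[dict]:
    """Return one finding per (dependency, advisory) pair whose version is affected."""
    deps = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        version = deps.get(adv.package)
        if version is not None and is_affected(version, adv):
            findings.append({
                "package": adv.package,
                "version": version,
                "advisory": adv.advisory_id,
                "fixed_in": adv.fixed,
            })
    return findings


# Constructed lockfile for the example.
SAMPLE_REQUIREMENTS = """\
# constructed lockfile, not a real project
example-http==2.3.0
example-yaml==5.1.0
example-json==1.0.0   # no advisory covers this package
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUIREMENTS):
        fix = finding["fixed_in"] or "no fix available"
        print(f"{finding['package']}=={finding['version']}: {finding['advisory']} (fixed in {fix})")
```

The unfixed advisory case matters in practice: a finding with no `fixed_in` version cannot be resolved by an upgrade and needs a mitigation or a replacement dependency instead of a version bump.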

Secrets scanning

Secrets scanning detects sensitive information that may be inadvertently included in your codebase, such as API keys, passwords, and other confidential data. By identifying and addressing these secrets before they reach production, you can prevent unauthorized access and potential data breaches.

Qlty offers Gitleaks and Trufflehog for secrets scanning.
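Secrets scanners combine two techniques: fixed-format patterns for credentials with a recognizable shape, and an entropy check for generic assignments so that placeholders like `changeme` are not reported. The block below is an added example of that approach, not the code of Qlty, Gitleaks or Trufflehog. The AWS access key shape (`AKIA` followed by 16 characters) is the documented public format; the sample configuration and its values are constructed and fake.

```python
"""Added example: pattern plus entropy based secrets detection over text."""
import math
import re
from typing import Dict, List, Pattern

# Fixed-shape patterns. The AWS access key id format is publicly documented.
PATTERNS: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic 'secret-ish name = value' assignment; the value is only reported
# when it looks random enough to be a real credential.
ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})['\"]?"
)

# Bits per character; English-like placeholders score well below this,
# random 20+ character tokens score above it.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _finding(filename: str, lineno: int, rule: str, value: str) -> dict:
    # Never echo the full secret into scanner output; keep a short preview only.
    return {"file": filename, "line": lineno, "rule": rule, "preview": value[:4] + "..."}


def scan_text(text: str, filename: str = "<input>") -> List[dict]:
    """Return findings for every line that matches a fixed pattern or a
    high-entropy credential assignment."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PATTERNS["aws_access_key_id"].finditer(line):
            findings.append(_finding(filename, lineno, "aws_access_key_id", m.group(0)))
        if PATTERNS["private_key_block"].search(line):
            findings.append(_finding(filename, lineno, "private_key_block", "PRIVATE KEY"))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Low-entropy values such as 'changeme_changeme' are almost always placeholders.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                rule = "high_entropy_" + m.group(1).lower()
                findings.append(_finding(filename, lineno, rule, value))
    return findings


# Constructed sample file; every value here is fake.
SAMPLE = """\
# constructed config, values are fake
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_PASSWORD=changeme_changeme
API_TOKEN="q9Xv2bT7mZ4pL1sW8kR3yH6nJ0"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, ".env"):
        print(f"{f['file']}:{f['line']} {f['rule']} ({f['preview']})")
```

Line 3 of the sample is deliberately not reported: the name matches, but the value's entropy is far below the threshold. Tuning that threshold is the main lever between missed secrets and noisy output, which is why real tools pair it with per-format patterns rather than relying on entropy alone.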

CI/CD scanning

CI/CD scanning involves the automated review of your continuous integration and continuous deployment pipeline definitions. It helps ensure that your build and deployment scripts are correctly written and free from weaknesses that could be exploited during the software development lifecycle.

Qlty offers ActionLint for CI/CD scanning.

Infrastructure as Code (IaC) scanning

Infrastructure as Code (IaC) scanning analyzes your infrastructure configuration files, such as Terraform or CloudFormation scripts, to detect security vulnerabilities and misconfigurations. By ensuring that your infrastructure is securely defined and compliant with best practices, IaC scanning helps prevent potential security risks that could compromise your application’s environment.

Qlty offers Trivy, Checkov, Hadolint, and ShellCheck for IaC scanning.

Next steps