Implementing Security Scanning


This page describes features that are in private beta. Request early access to get them sooner.

With Qlty, you can set up comprehensive, automated security scanning in minutes with three steps.

Enabling scanners

Getting started with security scanning is as easy as enabling plugins in your project’s .qlty/qlty.toml configuration file.

For example, to enable Trufflehog for secrets scanning and have newly detected secrets block merging code, add this:

# ...

[[plugin]]
name = "trufflehog"
mode = "block"

# ...

Other types of security issues, like vulnerable open source packages, may be better handled with a dedicated process outside of the regular day-to-day pull request workflow. To run OSV Scanner to find vulnerable dependencies and report them on the Qlty.sh website, enable the plugin in “monitor” mode:

[[plugin]]
name = "osv-scanner"
mode = "monitor"

Qlty offers a continuously expanding set of security scanning plugins for different programming languages, frameworks, and infrastructure tools. Please review our available plugins for the latest information.

Review and triage issues

Security scanners find issues which may indicate a risk or vulnerability. These issues can be reviewed on the “Issues” tab within your Project, which can be filtered to the Vulnerability issue category.

When reviewing findings, the first step is validating that the reported issue is a true positive. This needs to be done carefully, as a developer may sometimes dismiss a real vulnerability as a false positive.

For true positives, the next steps generally involve creating a ticket in a project management tool like Jira or GitHub Issues, and fixing it immediately or running it through a prioritization process.

For issues that are not valuable, you can ignore them either through your project configuration file or from within the Qlty web application.

A note about false positives

All static analysis for security scanning has some level of false positives. Our goal is to keep the false positive rate below 5% so that your results have a good signal-to-noise ratio.

If you are receiving false positive security findings, please contact us, as we may be able to assist.

More information

  • Available plugins
  • Ignoring issues
  • Full qlty.toml reference