With Qlty, you can set up comprehensive, automated security scanning in minutes with three steps.
Enabling scanners
Getting started with security scanning is as easy as enabling plugins in your project's .qlty/qlty.toml configuration file.
For example, to enable Trufflehog for secrets scanning and have newly detected secrets block merging of code, add this:
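As an added example (not the page's own snippet), a .qlty/qlty.toml fragment that enables the Trufflehog plugin; the `mode = "block"` setting is assumed here to be the plugin mode that makes new findings fail the check, so confirm it against the qlty.toml reference:

```toml
# Added example: enable Trufflehog for secrets scanning.
# The `mode` key and its "block" value are assumed; verify them in the
# qlty.toml reference before relying on them.
[[plugin]]
name = "trufflehog"
mode = "block"   # assumed: newly detected secrets fail the check and block merging
```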
Review and triage issues
Security scanners find issues which may indicate a risk or vulnerability. These issues can be reviewed on the "Issues" tab within your Project, which can be filtered to the Vulnerability issue category. When reviewing findings, the first step is validating that the reported issue is a true positive. This needs to be done carefully, as sometimes a human developer may inaccurately dismiss a real vulnerability. For true positives, the next steps generally involve creating a ticket in a project management tool like Jira or GitHub Issues, and fixing it immediately or running it through a prioritization process. For issues that are not valuable, you can ignore them through either your project configuration file or from within the Qlty web application.
A note about false positives
All static analysis for security scanning has some level of false positives. Our goal is to keep the false positive rate below 5% so that your results have a good signal-to-noise ratio. If you are receiving false positive security findings, please contact us, as we may be able to assist.
More information
- Available plugins
- Ignoring issues
- Full qlty.toml reference