
Creating a Code Vulnerability Scan

Overview

Learn how to configure and run a Code Vulnerability Scan in DeepTraQ to identify security risks in your source code repositories. The scan detects vulnerable open-source dependencies, Infrastructure as Code (IaC) misconfigurations, hardcoded secrets, and language-specific vulnerabilities drawn from the Google OSV database.

DeepTraQ supports repository-based scanning with optional AI-powered remediation insights and flexible scheduling for continuous monitoring.


Supported Platforms

  • GitHub
  • GitLab
  • Bitbucket

Supported Languages and Ecosystems

Refer to Supported Languages.


Prerequisites

  • DeepTraQ Code Scanning access
  • Repository read access
  • Personal Access Token (PAT) for GitHub, GitLab, or Bitbucket. A PAT is required for private repositories; open-source/public repositories can be scanned without one
  • (Optional) Environment configured for policy mapping

Refer to the Integrations guide for steps to generate Personal Access Tokens.


Limitations

  • Only one repository can be scanned per scan; create a separate scan for each repository
  • Private repositories require a PAT with read access to the repository. Grant the narrowest scope the provider offers; the scan never needs write access

Steps

  1. Navigate to Code Vulnerabilities → Create Scan

  2. Enter a Scan Name and Description

  3. Select your Version Control Provider

  4. Add the Repository and press Enter to confirm

  5. Choose the Environment to apply relevant security policies

  6. Configure Authentication using a Personal Access Token (leave this empty for public repositories)

  7. Select the Scanner Types based on your requirements

    • Open Source Vulnerabilities
    • IaC Misconfiguration
    • Google OSV
    • Secret Scan
  8. Configure AI Reporting

    • Enable for actionable AI remediation insights
    • Disable for standard results
  9. Configure Scheduling

    • Run immediately
    • Schedule for later
    • Enable periodic scanning for continuous monitoring
  10. Click Launch Scan

All created scans will appear in the scans list. Use the Run button to trigger scans manually at any time.
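The steps above are entered through the UI, but teams that keep many repositories under scan usually want each scan definition written down and checked before anyone clicks Launch Scan. The following is an added example, not DeepTraQ code and not a DeepTraQ API: it models the Create Scan form fields named on this page, enforces the page's stated constraints (one repository per scan, a PAT for private repositories, only the listed scanner types and schedules), normalizes the repository whether it was pasted as owner/name, an HTTPS URL or an SSH URL, and keeps the PAT out of the definition by reading it from an environment variable. The provider host names, the environment variable name DEEPTRAQ_PAT and the sample values are assumptions; the form field names are taken from the Field Reference.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Provider names come from this page; the host names are an assumption used to
# cross-check a pasted URL against the selected provider (self-hosted instances
# would need their own entries).
PROVIDERS = {"GitHub": "github.com", "GitLab": "gitlab.com", "Bitbucket": "bitbucket.org"}
SCANNERS = frozenset({"Open Source Vulnerabilities", "IaC Misconfiguration",
                      "Google OSV", "Secret Scan"})
SCHEDULES = frozenset({"Run Now", "Scheduled", "Periodic"})

# Exactly one repository, in any of the forms people paste:
# owner/name, https://host/owner/name(.git) or git@host:owner/name(.git).
_REPO_RE = re.compile(
    r"^(?:https?://(?P<h1>[^/\s]+)/|git@(?P<h2>[^:\s]+):)?"
    r"(?P<owner>[\w.-]+)/(?P<name>[\w.-]+?)(?:\.git)?/?$"
)


def normalize_repository(provider: str, repository: str) -> str:
    """Return 'owner/name', or raise ValueError if the input is not a single
    repository on the selected provider's host."""
    m = _REPO_RE.match(repository.strip())
    if not m:
        raise ValueError(f"not a single repository reference: {repository!r}")
    host = m.group("h1") or m.group("h2")
    expected = PROVIDERS[provider]
    if host and host.lower() != expected:
        raise ValueError(f"repository host {host!r} does not match provider "
                         f"{provider} ({expected})")
    return f"{m.group('owner')}/{m.group('name')}"


@dataclass
class ScanDefinition:
    name: str                      # Scan Name
    description: str               # Description
    provider: str                  # VCS Provider
    repository: str                # Repository (name or URL)
    environment: str               # Environment (policy context)
    scanners: FrozenSet[str]       # Scanner Types
    private: bool = True
    pat_env_var: str = "DEEPTRAQ_PAT"   # assumed name; the PAT is never stored here
    ai_reporting: bool = False
    schedule: str = "Run Now"
    interval: Optional[str] = None      # only used for Periodic, e.g. "daily"


def validate(defn: ScanDefinition, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of problems; an empty list means the definition is ready to launch."""
    env = dict(os.environ) if env is None else env
    errors: List[str] = []
    if not defn.name.strip():
        errors.append("Scan Name is required")
    if defn.provider not in PROVIDERS:
        errors.append(f"unsupported VCS Provider {defn.provider!r}")
    else:
        try:
            normalize_repository(defn.provider, defn.repository)
        except ValueError as exc:
            errors.append(str(exc))
    if not defn.scanners:
        errors.append("select at least one Scanner Type")
    unknown = set(defn.scanners) - SCANNERS
    if unknown:
        errors.append(f"unknown Scanner Types: {sorted(unknown)}")
    if defn.schedule not in SCHEDULES:
        errors.append(f"unknown Schedule {defn.schedule!r}")
    elif defn.schedule == "Periodic" and not defn.interval:
        errors.append("Periodic schedule needs an interval")
    if defn.private and not env.get(defn.pat_env_var):
        errors.append(f"private repository needs a PAT in ${defn.pat_env_var}")
    return errors


def launch_payload(defn: ScanDefinition, env: Optional[Dict[str, str]] = None) -> dict:
    """Build the values that would be entered into the Create Scan form.
    The PAT appears only as a redacted marker, so the result is safe to log or commit."""
    env = dict(os.environ) if env is None else env
    problems = validate(defn, env)
    if problems:
        raise ValueError("; ".join(problems))
    schedule = f"{defn.schedule} - {defn.interval}" if defn.schedule == "Periodic" else defn.schedule
    return {
        "Scan Name": defn.name,
        "Description": defn.description,
        "VCS Provider": defn.provider,
        "Repository": normalize_repository(defn.provider, defn.repository),
        "Environment": defn.environment,
        "PAT Token": "<redacted>" if env.get(defn.pat_env_var) else None,
        "Scanner Types": sorted(defn.scanners),
        "AI Reporting": "Enabled" if defn.ai_reporting else "Disabled",
        "Schedule": schedule,
    }


if __name__ == "__main__":
    # Constructed sample values; the token here is a placeholder, not a real PAT.
    sample_env = {"DEEPTRAQ_PAT": "ghp_placeholder"}
    scan = ScanDefinition(
        name="backend-sca-scan",
        description="Detect OSS and secrets in payment service",
        provider="GitHub",
        repository="https://github.com/deeptraq/backend-api.git",
        environment="Production",
        scanners=frozenset({"Open Source Vulnerabilities", "Secret Scan", "Google OSV"}),
        ai_reporting=True,
        schedule="Periodic",
        interval="daily",
    )
    print(validate(scan, sample_env))       # [] when everything is in place
    print(launch_payload(scan, sample_env))  # PAT shown as <redacted>
```

Run it with the PAT exported in the shell rather than written into the file: the validator fails closed when the variable is missing for a private repository, and the payload never contains the token, so the definition can live in version control next to the code it scans.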


Scanner Options

  • Open Source Vulnerabilities – Detects known CVEs in third-party dependencies
  • IaC Misconfiguration – Identifies security issues in Terraform, CloudFormation, Kubernetes manifests, and similar files
  • Google OSV – Provides language-specific vulnerability detection using the OSV database
  • Secret Scan – Detects hardcoded credentials, API keys, and tokens

AI Reporting

When enabled, AI will:

  • Correlate findings
  • Provide risk context
  • Suggest remediation steps
  • Generate actionable summaries

If disabled, standard scan results will be displayed without AI insights.


Scheduling Options

  • Run Now – Executes the scan immediately
  • Scheduled – Runs the scan at a specified date and time
  • Periodic – Re-runs the scan at a defined interval, so vulnerabilities disclosed after the previous run against dependencies that have not changed are still picked up

Periodic scans are recommended for active repositories.


Field Reference

Field         | Description                                      | Example
------------- | ------------------------------------------------ | ------------------------------------------
Scan Name     | Unique identifier for the scan                   | backend-sca-scan
Description   | Purpose of the scan                              | Detect OSS and secrets in payment service
VCS Provider  | Source control platform                          | GitHub
Repository    | Target repository name or URL                    | deeptraq/backend-api
Environment   | Policy context                                   | Production
PAT Token     | Authentication credential for repository access  | ghp_xxxxx
Scanner Types | Selected security checks                         | OSS, Secrets, OSV
AI Reporting  | Enable or disable AI insights                    | Enabled
Schedule      | Scan timing configuration                        | Periodic – Daily

Viewing Results

After completion:

  • Findings are listed with severity, file path, and remediation guidance
  • AI summaries are shown when AI reporting is enabled
  • Total findings count is displayed for quick assessment

Example: 20 findings identified.