Feature

Find vulnerabilities
before they ship

Scan your source code for security issues with Semgrep-powered SAST and audit dependencies with SCA. Connect your GitHub, GitLab, or Bitbucket repos in one click.

No credit card required. Free plan available forever.

Find vulnerabilities in code before they reach production

Code scanning catches security issues at the source. Instead of waiting for vulnerabilities to surface in a running application, SecPortal analyses your source code directly using Semgrep-powered SAST and package-manager-native SCA. Connect your GitHub, GitLab, or Bitbucket repositories and scan any branch with a single click.

Every scan runs inside an isolated Docker container. The repository is cloned, analysed, and the container is destroyed; no source code is stored on disk after the scan completes. Results include file paths, line numbers, and actionable remediation guidance that developers can act on immediately.

Two complementary scan engines

SAST: Static Analysis

Semgrep-powered static analysis that scans your source code for security vulnerabilities, insecure patterns, and coding mistakes. Supports Python, JavaScript, TypeScript, Go, Java, Ruby, and more.

  • Semgrep rule engine with community and pro rulesets
  • Detects injection flaws, hardcoded secrets, insecure cryptography, and unsafe deserialization
  • Language-aware analysis understands framework-specific patterns
  • AST-based pattern matching, so fewer false positives than regex-based scanners that match on text alone
  • Runs inside an isolated Docker container with no outbound network access
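Two of the pattern classes listed above, each beside its hardened form, as an added example (not SecPortal's or Semgrep's own code). The vulnerable and hardened query are run against a constructed in-memory SQLite table so the effect of the injection payload is observed rather than asserted; the credential value and the `PAYMENT_API_KEY` variable name are constructed for the example.

```python
"""Added example: what a SAST finding for SQL injection and for a hardcoded
secret points at, and what the remediated line looks like. Data is constructed."""
import sqlite3
from typing import Mapping

# Constructed sample rows; a real scan runs against your repository, not data.
SEED_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: caller-controlled text is spliced into the SQL string.
    # A formatted-SQL rule reports this file and line as the finding location.
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    # HARDENED: bind parameters; the driver never interprets `name` as SQL.
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# VULNERABLE: a literal credential in source. A secrets rule matches the
# assignment; the value here is constructed and not a real key.
PAYMENT_API_KEY = "example-hardcoded-secret-not-real"


def api_key_hardened(env: Mapping[str, str]) -> str:
    # HARDENED: read the credential from the runtime environment (assumed
    # variable name PAYMENT_API_KEY) and fail loudly if the deployment lacks it.
    key = env.get("PAYMENT_API_KEY")
    if not key:
        raise RuntimeError("PAYMENT_API_KEY is not set")
    return key


def injection_demo() -> dict:
    """Row counts returned for a classic tautology payload by each variant."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, payload)),
        "hardened_rows": len(find_user_hardened(conn, payload)),
        "hardened_exact_match": len(find_user_hardened(conn, "alice")),
    }


if __name__ == "__main__":
    print(injection_demo())
```

The vulnerable variant returns every row for the payload because the quote closes the literal and the `OR` tautology matches all users; the parameterised variant returns none, since the whole payload is compared as a name. This is the behavioural difference the finding's remediation guidance asks the developer to restore.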

SCA: Dependency Auditing

Audit your project dependencies for known vulnerabilities using package-manager-native tools. Catches vulnerable libraries before they reach production.

  • npm audit for JavaScript and TypeScript projects
  • pip-audit for Python projects
  • govulncheck for Go modules
  • CVE correlation against the National Vulnerability Database
  • Severity derived from the CVSS scores carried in the advisory data, so SCA findings sort alongside SAST findings

One-click Git provider integration

Connect your source code repositories through OAuth, with no personal access tokens or SSH keys to configure. SecPortal stores the OAuth connection securely and keeps the token rotated server-side so your scans always have access. The detailed connection model lives in the dedicated repository connections feature page, which covers per-tenant OAuth apps, encrypted token storage, the connected_repos allow-list, and the activity-log audit trail.

GitHub

Connect via OAuth and scan any repository you have access to, including private repos and organisation repositories

GitLab

OAuth integration with GitLab.com and self-hosted GitLab instances for full repository access

Bitbucket

Connect your Bitbucket Cloud workspace and scan repositories across all your projects

How a code scan works

  • Connect your Git provider with one-click OAuth, with no tokens to manage manually
  • Select a repository and branch to scan from the integrated repository browser
  • SecPortal clones the repository into an isolated container with no persistent storage
  • SAST and SCA modules run in parallel against the cloned source code
  • Findings are extracted, deduplicated, and mapped to severity levels
  • Results appear in your dashboard with file paths, line numbers, and remediation guidance
  • Link code scan findings to engagements for unified reporting across all scan types
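The extraction, deduplication and severity-mapping step of the pipeline above, and the CVE correlation and CVSS-derived severity described in the SCA section, as one added example that is not SecPortal's code. The Semgrep and pip-audit documents are constructed and trimmed to the fields used here (both tools emit richer JSON); the rule ids, package, vulnerability ids and the `NVD_SCORES` table are constructed stand-ins for registry rules and an NVD lookup.

```python
"""Added example: normalise SAST and SCA tool output into one finding schema,
drop duplicate reports, and assign a common severity scale. Input is constructed."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed: shape of `semgrep --json`, reduced to the fields used below.
# The first location is reported twice to exercise deduplication.
SEMGREP_OUTPUT = json.dumps({"results": [
    {"check_id": "example.sql.formatted-query", "path": "app/db.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "SQL built by string formatting"}},
    {"check_id": "example.sql.formatted-query", "path": "app/db.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "SQL built by string formatting"}},
    {"check_id": "example.secrets.generic-api-key", "path": "app/settings.py",
     "start": {"line": 7}, "extra": {"severity": "WARNING", "message": "Hardcoded API key"}},
]})

# Constructed: shape of `pip-audit --format json`, reduced likewise.
PIP_AUDIT_OUTPUT = json.dumps({"dependencies": [
    {"name": "examplelib", "version": "1.0.0", "vulns": [
        {"id": "PYSEC-EXAMPLE-1", "aliases": ["CVE-EXAMPLE-0001"], "fix_versions": ["1.0.1"],
         "description": "Deserialisation of untrusted input"},
        {"id": "PYSEC-EXAMPLE-2", "aliases": [], "fix_versions": [],
         "description": "Advisory without a CVE alias yet"},
    ]},
]})

# Constructed stand-in for an NVD query: CVE id -> CVSS v3.x base score.
NVD_SCORES = {"CVE-EXAMPLE-0001": 9.8}

SEMGREP_SEVERITY = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4, "unknown": 5}


@dataclass(frozen=True)
class Finding:
    source: str    # "sast" or "sca"
    ident: str     # rule id, CVE id, or advisory id when no CVE alias exists
    path: str      # file path, or "<package>==<version>" for dependency findings
    line: int      # 0 for dependency findings
    severity: str
    title: str


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative rating scale (None/Low/Medium/High/Critical)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def extract_semgrep(raw: str) -> list[Finding]:
    return [Finding("sast", r["check_id"], r["path"], r["start"]["line"],
                    SEMGREP_SEVERITY.get(r["extra"]["severity"], "low"), r["extra"]["message"])
            for r in json.loads(raw)["results"]]


def extract_pip_audit(raw: str, nvd: dict[str, float]) -> list[Finding]:
    out: list[Finding] = []
    for dep in json.loads(raw)["dependencies"]:
        for v in dep.get("vulns", []):
            # Correlate to CVE ids via the advisory's aliases; fall back to the advisory id.
            ids = [a for a in v.get("aliases", []) if a.startswith("CVE-")] or [v["id"]]
            for ident in ids:
                score = nvd.get(ident)
                # No score in NVD: label it rather than guess a band; it still needs triage.
                sev = cvss_band(score) if score is not None else "unknown"
                out.append(Finding("sca", ident, f"{dep['name']}=={dep['version']}", 0, sev, v["description"]))
    return out


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Keep the first report per (source, id, location); overlapping rule packs repeat them."""
    seen: dict[tuple, Finding] = {}
    for f in findings:
        seen.setdefault((f.source, f.ident, f.path, f.line), f)
    return list(seen.values())


def run_scan() -> list[Finding]:
    findings = extract_semgrep(SEMGREP_OUTPUT) + extract_pip_audit(PIP_AUDIT_OUTPUT, NVD_SCORES)
    return sorted(dedupe(findings), key=lambda f: (RANK[f.severity], f.source, f.path, f.line))


if __name__ == "__main__":
    for f in run_scan():
        print(f"{f.severity:8} {f.source} {f.ident} {f.path}:{f.line} {f.title}")
```

Two choices worth carrying into a real pipeline: a dependency advisory with no CVSS score is labelled `unknown` rather than silently given a middle band, so it still reaches triage, and duplicates are collapsed on identity and location only, never on message text, so distinct rules firing on the same line stay separate findings.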

Secret detection and the remediation workflow that follows

SecPortal's SAST scanner runs Semgrep with the community p/secrets ruleset alongside the rest of the rule packs, so leaked credentials in source code surface as findings on the engagement record with the file path, line number, and secret category. Detection is only the first step. The secret scanning remediation workflow covers the lifecycle that follows: triage into live secret, fixture, or false positive; rotation at the issuing system before any code change; revocation of the old value with verification that it no longer authenticates; the documented decision on history cleanup; and the follow-up scan that confirms the closure.

How code scanning compares to other code-security platforms

If the evaluation is between SecPortal code scanning and a dedicated code-security platform, the dedicated comparison pages cover the same buying decision from different angles.

Code scanning and the SBOM picture

For programmes operating a software bill of materials pipeline alongside their scanner stack, SecPortal SCA produces the per-component CVE picture that an SBOM-driven scan would produce against the same repository, with severity, evidence, and lifecycle on the engagement record. Our SBOM guide covers the SPDX and CycloneDX formats, the NTIA minimum elements, the role of VEX, the EO 14028 / NIS2 / DORA / FDA expectations, and how SBOM-derived findings follow the same vulnerability lifecycle as scanner-led findings. The companion VEX guide covers the exploitability assertion layer: a VEX statement records that a component is not affected in context, which is what keeps the SCA pipeline from routing those SBOM-derived findings to the vulnerability management queue as if they were actionable.

Shift security left

Connect your first repository and run a code scan in under two minutes.

No credit card required. Free plan available forever.