Feature

Find vulnerabilities before they ship

Scan your source code for security issues with Semgrep-powered SAST and audit dependencies with SCA. Connect your GitHub, GitLab, or Bitbucket repos in one click.

No credit card required. Free plan available forever.

Find vulnerabilities in code before they reach production

Code scanning catches security issues at the source. Instead of waiting for vulnerabilities to surface in a running application, SecPortal analyses your source code directly using Semgrep-powered SAST and package-manager-native SCA. Connect your GitHub, GitLab, or Bitbucket repositories and scan any branch with a single click.

Every scan runs inside an isolated Docker container. The repository is cloned and analysed, then the container is destroyed; no source code remains on disk after the scan completes. Results include file paths, line numbers, and remediation guidance developers can act on immediately.

Two complementary scan engines

SAST — Static Analysis

Semgrep-powered static analysis that scans your source code for security vulnerabilities, insecure patterns, and coding mistakes. Supports Python, JavaScript, TypeScript, Go, Java, Ruby, and more.

  • Semgrep rule engine with community and pro rulesets
  • Detects injection flaws, hardcoded secrets, insecure cryptography, and unsafe deserialization
  • Language-aware analysis understands framework-specific patterns
  • Low false-positive rate compared to traditional regex-based scanners
  • Runs inside an isolated Docker container with no outbound network access

SCA — Dependency Auditing

Audit your project dependencies for known vulnerabilities using package-manager-native tools. Catches vulnerable libraries before they reach production.

  • npm audit for JavaScript and TypeScript projects
  • pip-audit for Python projects
  • govulncheck for Go modules
  • CVE correlation against the National Vulnerability Database
  • Severity mapping from advisory data to CVSS scores

One-click Git provider integration

Connect your source code repositories through OAuth — no personal access tokens or SSH keys to configure. SecPortal stores the OAuth connection securely and refreshes tokens automatically so your scans always have access.

GitHub

Connect via OAuth and scan any repository you have access to, including private repos and organisation repositories (organisations that restrict third-party OAuth app access must first approve the app)

GitLab

OAuth integration with GitLab.com and self-hosted GitLab instances for full repository access

Bitbucket

Connect your Bitbucket Cloud workspace and scan repositories across all your projects

How a code scan works

  • Connect your Git provider with one-click OAuth — no tokens to manage manually
  • Select a repository and branch to scan from the integrated repository browser
  • SecPortal clones the repository into an isolated container with no persistent storage
  • SAST and SCA modules run in parallel against the cloned source code
  • Findings are extracted, deduplicated, and mapped to severity levels
  • Results appear in your dashboard with file paths, line numbers, and remediation guidance
  • Link code scan findings to engagements for unified reporting across all scan types
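The steps above, reduced to working code as an added example; this is not SecPortal's own implementation. It builds the `docker run` invocation for an ephemeral container with no outbound network, the Semgrep and pip-audit command lines that would run inside it, and the normalise/deduplicate/severity-map stage that turns both tools' JSON into one findings list with file path, line and remediation hint. The image name, the local rules and cache paths, the CVSS table and all sample JSON are assumptions constructed for the example (the JSON is shaped like the tools' public output formats, with invented values); because the container has no network, rules and advisory data are assumed to be baked into the image beforehand.

```python
"""Added example of the scan pipeline described on this page (not SecPortal code).
Sample JSON below is constructed to mimic Semgrep and pip-audit output formats."""
import json

SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
SEMGREP_SEVERITY = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}


def container_argv(repo_dir, image="secportal-scanner:local"):
    """`docker run` argv for an ephemeral, network-isolated scan container.

    --network none: no outbound access, so rules/advisories must ship in the image
    --rm: the container is destroyed when the scan exits
    --read-only + tmpfs: nothing the scanners write outlives the container
    The repository is bind-mounted read-only so the scan cannot modify it.
    (image name is an assumption)
    """
    return ["docker", "run", "--rm", "--network", "none", "--read-only",
            "--tmpfs", "/tmp", "--cap-drop", "ALL",
            "--security-opt", "no-new-privileges",
            "-v", f"{repo_dir}:/src:ro", image]


def semgrep_argv(rules_dir="/opt/semgrep-rules"):
    # --config points at a local rule directory (assumed baked into the image)
    # because the container cannot reach the Semgrep registry; --metrics=off
    # stops Semgrep from attempting to phone home.
    return ["semgrep", "scan", "--json", "--metrics=off", "--config", rules_dir, "/src"]


def pip_audit_argv(cache_dir="/opt/pip-audit-cache"):
    # pip-audit needs advisory data; with no network it must come from a
    # cache populated before the image was built (assumed path).
    return ["pip-audit", "--format", "json", "--cache-dir", cache_dir,
            "-r", "/src/requirements.txt"]


def normalise_semgrep(doc):
    """Semgrep --json -> unified findings (rule id, file, line, severity, fix hint)."""
    out = []
    for r in doc.get("results", []):
        extra = r.get("extra", {})
        refs = extra.get("metadata", {}).get("references") or []
        out.append({
            "engine": "sast", "rule": r["check_id"], "path": r["path"],
            "line": r["start"]["line"],
            "severity": SEMGREP_SEVERITY.get(extra.get("severity"), "info"),
            "message": extra.get("message", ""),
            "remediation": extra.get("fix") or (refs[0] if refs else "see rule docs"),
        })
    return out


def cvss_to_severity(score):
    """CVSS v3.x qualitative rating bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "info"


def normalise_pip_audit(doc, cvss_scores):
    """pip-audit JSON -> unified findings; cvss_scores is an id->CVSS base score
    table assumed to be pre-fetched from NVD (no network inside the container)."""
    out = []
    for dep in doc.get("dependencies", []):
        for v in dep.get("vulns", []):
            ids = [v["id"], *v.get("aliases", [])]
            cve = next((i for i in ids if i.startswith("CVE-")), v["id"])
            fixes = v.get("fix_versions") or []
            out.append({
                "engine": "sca", "rule": cve, "path": "requirements.txt", "line": 0,
                "severity": cvss_to_severity(cvss_scores.get(cve, 0.0)),
                "message": f"{dep['name']}=={dep['version']}: {v.get('description', '')}",
                "remediation": f"upgrade {dep['name']} to {fixes[0]}" if fixes else "no fixed version published",
            })
    return out


def dedupe(findings):
    """Collapse findings sharing engine/rule/file/line, keeping the highest severity."""
    best = {}
    for f in findings:
        key = (f["engine"], f["rule"], f["path"], f["line"])
        if key not in best or SEVERITY_ORDER[f["severity"]] > SEVERITY_ORDER[best[key]["severity"]]:
            best[key] = f
    return sorted(best.values(), key=lambda f: (-SEVERITY_ORDER[f["severity"]], f["path"], f["line"]))


# Constructed sample output: shaped like the real tools' JSON, values invented.
# The same Semgrep hit appears twice (as overlapping rulesets can produce) to show dedup.
SAMPLE_SEMGREP = json.loads("""{"results": [
 {"check_id": "python.lang.security.audit.subprocess-shell-true", "path": "app/run.py",
  "start": {"line": 42, "col": 5}, "end": {"line": 42, "col": 40},
  "extra": {"severity": "WARNING", "message": "subprocess call with shell=True",
            "metadata": {"references": ["https://example.invalid/shell-true"]}}},
 {"check_id": "python.lang.security.audit.subprocess-shell-true", "path": "app/run.py",
  "start": {"line": 42, "col": 5}, "end": {"line": 42, "col": 40},
  "extra": {"severity": "ERROR", "message": "subprocess call with shell=True", "metadata": {}}}
], "errors": []}""")

SAMPLE_PIP_AUDIT = json.loads("""{"dependencies": [
 {"name": "examplepkg", "version": "1.0.0", "vulns": [
   {"id": "PYSEC-EXAMPLE-1", "aliases": ["CVE-0000-00001"], "fix_versions": ["1.0.1"],
    "description": "constructed advisory for illustration"}]}]}""")

ASSUMED_CVSS = {"CVE-0000-00001": 7.5}  # placeholder NVD base score, not a real lookup


def run_demo():
    """Normalise both scanners' sample output, dedupe, and return dashboard rows."""
    findings = normalise_semgrep(SAMPLE_SEMGREP) + normalise_pip_audit(SAMPLE_PIP_AUDIT, ASSUMED_CVSS)
    return dedupe(findings)


if __name__ == "__main__":
    print(" ".join(container_argv("/work/repo") + semgrep_argv()))
    for f in run_demo():
        print(f"[{f['severity']:>8}] {f['engine']} {f['path']}:{f['line']} {f['rule']} -> {f['remediation']}")
```

In a real pipeline the two scanner commands would be started with `subprocess.run` inside the container and their stdout fed to the `normalise_*` functions; the dedupe key deliberately excludes the message text so the same defect reported by two rules of the same id never shows twice, while keeping the higher severity.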

Shift security left

Connect your first repository and run a code scan in under two minutes.