Use Case

DevSecOps scanning: shift security left

Connect your Git provider, configure SAST and SCA scanning, and catch security issues before code reaches production.

No credit card required. Free plan available forever.

Integrate security scanning into your development workflow without leaving the platform

Shifting security left means catching vulnerabilities before they reach production. But most DevSecOps tools require developers to install CLI tools, configure CI pipelines, and manage yet another dashboard. For security consultancies and internal security teams, the challenge is even greater: you need to scan client repositories, track findings across multiple codebases, and deliver results in a format that developers can act on.

SecPortal provides a managed code scanning platform that connects directly to your Git provider via OAuth. Select repositories, configure SAST and SCA scanning, and review findings in the same platform where you manage engagements, track vulnerabilities, and deliver reports. No CLI installation, no pipeline configuration, no separate dashboards. Code security becomes part of your existing security workflow.

Connect your Git provider via OAuth

GitHub

OAuth integration with GitHub.com and GitHub Enterprise. Select repositories from your organisation, grant read-only access, and start scanning immediately.

GitLab

OAuth integration with GitLab.com and self-managed GitLab instances. Connect groups or individual projects with fine-grained access control.

Bitbucket

OAuth integration with Bitbucket Cloud. Connect workspaces, select repositories, and configure scanning preferences per repository.

SAST capabilities powered by Semgrep

Multi-Language Support

Semgrep-powered analysis covering Python, JavaScript, TypeScript, Java, Go, Ruby, PHP, C#, and more with language-specific security rules.

OWASP Coverage

Rules targeting OWASP Top 10 categories including injection, broken authentication, sensitive data exposure, and security misconfiguration.

Custom Rule Sets

Community and pro rule sets covering thousands of vulnerability patterns, updated regularly as new attack techniques and CVEs are discovered.

Low False Positive Rate

Semgrep uses semantic analysis rather than regex matching, significantly reducing false positives compared to traditional static analysis tools.

SCA scanning across package managers

Software Composition Analysis identifies known vulnerabilities in your third-party dependencies. SecPortal audits lock files and manifest files against the NVD CVE database, providing severity-rated findings with upgrade recommendations.

  • npm and yarn (package.json, package-lock.json, yarn.lock) dependency auditing for JavaScript and TypeScript projects
  • pip and pipenv (requirements.txt, Pipfile.lock) vulnerability scanning for Python projects against the NVD CVE database
  • Go modules (go.sum) dependency analysis with known vulnerability correlation from the Go vulnerability database
  • Maven and Gradle (pom.xml, build.gradle) scanning for Java projects with transitive dependency resolution
  • Bundler (Gemfile.lock) auditing for Ruby projects with CVE matching and upgrade path recommendations
  • Composer (composer.lock) scanning for PHP projects with severity-rated vulnerability reporting
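To make the SCA step above concrete, here is an added Python example (not SecPortal's code) that audits an npm lock file the way the paragraph describes: it extracts every installed (name, version) pair, including nested transitive copies and scoped packages, matches them against advisory records, and emits severity-ranked findings with an upgrade recommendation. The lock file and the advisory records are constructed for the example and the CVE ids are placeholders; the range rule "introduced <= installed < fixed" is an assumption modelled on OSV-style ranges, and the exactly-patched version is deliberately treated as safe.

```python
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed package-lock.json (lockfileVersion 3 layout) used as sample input.
# The nested minimist copy exercises transitive-dependency handling.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"lodash": "^4.17.0"}},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/minimist": {"version": "1.2.6"},
        "node_modules/mkdirp": {"version": "0.5.1"},
        "node_modules/mkdirp/node_modules/minimist": {"version": "1.2.5"},
        "node_modules/@types/node": {"version": "18.0.0"},
    },
})

# Constructed advisory records with placeholder ids (not real CVEs). The fields
# are the ones a scanner keeps from an NVD/OSV entry: affected range, fix, severity.
SAMPLE_ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "ecosystem": "npm", "package": "lodash",
     "introduced": "0.0.0", "fixed": "4.17.21", "severity": "HIGH"},
    {"id": "CVE-PLACEHOLDER-2", "ecosystem": "npm", "package": "minimist",
     "introduced": "0.0.0", "fixed": "1.2.6", "severity": "CRITICAL"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.17.15' (or '1.2.6-beta.1') into a comparable tuple of ints.
    Pre-release/build suffixes are dropped; non-numeric parts become 0."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def installed_packages(lock_text: str) -> Set[Tuple[str, str]]:
    """Extract (name, version) pairs from a lockfileVersion 2/3 package-lock.json.
    The name is taken from the path key, so nested copies under
    node_modules/<a>/node_modules/<b> and scoped names (@scope/pkg) are kept."""
    data = json.loads(lock_text)
    found: Set[Tuple[str, str]] = set()
    for path, meta in data.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if version:
            found.add((name, version))
    return found


def is_affected(version: str, advisory: dict) -> bool:
    """Assumed range semantics: introduced <= installed < fixed.
    The fixed version itself is safe, so an exactly-patched install is not flagged."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def audit(lock_text: str, advisories: Iterable[dict]) -> List[dict]:
    """Match every installed package against the npm advisories and return
    findings ordered by severity, then package name."""
    index: Dict[str, List[dict]] = {}
    for adv in advisories:
        if adv["ecosystem"] == "npm":
            index.setdefault(adv["package"], []).append(adv)
    findings = []
    for name, version in installed_packages(lock_text):
        for adv in index.get(name, []):
            if is_affected(version, adv):
                findings.append({
                    "id": adv["id"],
                    "package": name,
                    "installed": version,
                    "severity": adv["severity"],
                    "recommendation": f"upgrade {name} to {adv['fixed']} or later",
                })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["package"], f["installed"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{finding['severity']:<8} {finding['package']}@{finding['installed']}: "
              f"{finding['id']} ({finding['recommendation']})")
```

Run as written, the top-level minimist 1.2.6 is not reported because it already sits at the fixed version, while the nested minimist 1.2.5 under mkdirp is, which is exactly the transitive case that a manifest-only (package.json) scan would miss.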

Scheduling and continuous monitoring

Scheduled Scans

Configure daily, weekly, or monthly scan schedules per repository. Scans run automatically and results are compared against previous runs to highlight new findings.

Branch Targeting

Scan specific branches — main, develop, or release branches — to catch issues at different stages of your development lifecycle.

Finding Trends

Track the number of open findings over time per repository. Identify whether your security posture is improving or degrading across sprints.

Severity-Based Alerts

Focus on what matters by filtering findings by severity. Critical and high findings surface immediately while lower-severity issues are tracked for backlog planning.
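The comparison against previous runs and the severity filtering described above depend on one design decision: how a finding is identified from one scan to the next. The added Python example below (not SecPortal's code) shows a fingerprint that hashes the rule id, file path and normalised matched code but deliberately excludes the line number, so that a finding that merely shifted down the file is reported as persisting rather than as new and fixed. The two scan results and the rule ids are constructed for the example; the severity labels and threshold are assumptions.

```python
import hashlib
from typing import Dict, List

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}

# Constructed scan results shaped like SAST findings (rule id, file, line,
# matched code, severity). Rule ids and paths are made up for the example.
PREVIOUS_RUN = [
    {"rule_id": "demo.sql-string-concat", "path": "app/db.py", "line": 40,
     "snippet": 'cursor.execute("SELECT * FROM users WHERE name = " + name)',
     "severity": "HIGH"},
    {"rule_id": "demo.hardcoded-secret", "path": "settings.py", "line": 12,
     "snippet": 'API_KEY = "constructed-example-value"', "severity": "MEDIUM"},
]
CURRENT_RUN = [
    # Same query as before, but unrelated code was added above it, so the line moved.
    {"rule_id": "demo.sql-string-concat", "path": "app/db.py", "line": 52,
     "snippet": 'cursor.execute("SELECT * FROM users WHERE name = "  +  name)',
     "severity": "HIGH"},
    {"rule_id": "demo.yaml-unsafe-load", "path": "app/config.py", "line": 8,
     "snippet": "yaml.load(raw)", "severity": "MEDIUM"},
]


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding: rule id + path + whitespace-normalised
    snippet. The line number is left out on purpose so edits elsewhere in the
    file do not turn an old finding into a 'new' one."""
    snippet = " ".join(finding["snippet"].split())
    material = f"{finding['rule_id']}\n{finding['path']}\n{snippet}"
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def compare_runs(previous: List[dict], current: List[dict]) -> Dict[str, List[dict]]:
    """Classify the current run's findings relative to the previous one."""
    prev = {fingerprint(f): f for f in previous}
    cur = {fingerprint(f): f for f in current}
    return {
        "new": [cur[k] for k in cur if k not in prev],
        "fixed": [prev[k] for k in prev if k not in cur],
        "persisting": [cur[k] for k in cur if k in prev],
    }


def alertable(findings: List[dict], minimum: str = "HIGH") -> List[dict]:
    """Findings at or above the given severity, most severe first; everything
    below the threshold is left for backlog planning rather than alerting."""
    cutoff = SEVERITY_RANK[minimum]
    selected = [f for f in findings if SEVERITY_RANK.get(f["severity"], 99) <= cutoff]
    return sorted(selected, key=lambda f: SEVERITY_RANK[f["severity"]])


def open_count_trend(runs: List[List[dict]]) -> List[int]:
    """Number of open findings per scheduled run, in run order, for trend tracking."""
    return [len(run) for run in runs]


if __name__ == "__main__":
    delta = compare_runs(PREVIOUS_RUN, CURRENT_RUN)
    for bucket in ("new", "fixed", "persisting"):
        for f in delta[bucket]:
            print(f"{bucket:<10} {f['severity']:<8} {f['rule_id']} {f['path']}:{f['line']}")
    print("alert now:", [f["rule_id"] for f in alertable(CURRENT_RUN)])
    print("open findings per run:", open_count_trend([PREVIOUS_RUN, CURRENT_RUN]))
```

Note that the persisting SQL finding still carries its current line number (52) in the output even though the line is not part of the identity, so the report points at the right place while the trend stays honest. Hashing the raw snippet rather than its normalised form would be the usual mistake here: a reformatting commit would then mark every finding as fixed and re-introduced.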

DevSecOps should not require a separate tool stack. SecPortal brings code scanning into the same platform where you manage engagements, track findings, and deliver reports. Connect your repositories, configure scanning, and let the platform handle the rest. Whether you are a security consultancy scanning client code or an internal team monitoring your own repositories, SecPortal makes code security accessible without the overhead of managing scanning infrastructure.

How it works in SecPortal

A streamlined workflow from start to finish.

1. Connect your Git provider

Authenticate with GitHub, GitLab, or Bitbucket via OAuth. Select repositories to monitor and configure scanning preferences.

2. Configure scanning

Choose SAST (static analysis via Semgrep), SCA (dependency auditing), or both. Set up scheduled scans for continuous monitoring.

3. Review and integrate

Review findings by severity, track remediation progress, and use findings to inform your security backlog and sprint planning.

Secure your pipeline

Connect your first repository and run a code scan in under two minutes.
