Security Insights
CI/CD Watch reads your existing pipeline configuration and tells you which security controls are running, which are missing, and what to add. We do not run scanners ourselves — we surface what is and isn't present in what you already have, and recommend a copy-pasteable workflow when a control is missing.

What we detect
We track four control categories per repository. Each maps to a class of vulnerability the control is designed to catch.
| Control | What it means | Tools we detect |
|---|---|---|
| SAST | Static Application Security Testing. Detects code-level vulnerabilities (injection, unsafe deserialisation, hard-coded crypto) before they ship. | CodeQL, Semgrep, SonarCloud, SonarQube |
| SCA | Software Composition Analysis. Flags known CVEs in your dependencies (npm packages, Python packages, container layers). | npm audit, pnpm audit, yarn audit, pip-audit, safety, Snyk, Trivy (filesystem), Dependabot |
| Secrets | Catches credentials (API keys, tokens, private keys) accidentally committed to the repository. | gitleaks, trufflehog, GitGuardian |
| Container | Scans the built container image for OS-level and application CVEs before deployment. | Trivy (image), Anchore, Docker Scout, Snyk (Docker) |
| Pinning | Flags third-party GitHub Actions referenced by branch (e.g. @main). Branch refs are mutable; if the action is compromised, your CI runs the attacker's code on the next push. SHA pins are immutable and unaffected. | N/A — quality check on every uses: reference, not a tool. First-party actions (actions/*, github/*) are allowlisted. |
What each status means
| Status | Meaning |
|---|---|
| Present | We found at least one step running this control. Hover the status on the per-repo page to see which tool and which workflow file. |
| Missing | The control applies to this repo's stack but we found no step running it. The per-repo page shows a recommended workflow snippet you can paste in. |
| N/A | The control does not apply to this repo's detected stack. Container scanning, for example, is N/A on a repo without a Dockerfile. |
| Dismissed | You marked the control as handled elsewhere (in a reusable workflow, by an external tool, or as risk-accepted). Dismissed controls don't count against the “Has gaps” filter. |
| Unknown | No assessment has been computed yet. This usually clears on the next sync, or you can click Re-assess on the per-repo page. |
How detection works
We do not call extra APIs or pull additional data from your provider for security insights. Detection runs against the workflow YAML we already fetch when computing your pipeline configuration. After every configuration sync we look at each repository's GitHub Actions workflows and apply a set of rules:
- Action-based rules match a step's `uses:` entry against a known security-tool prefix (for example, `github/codeql-action/` means SAST is present).
- Run-based rules match shell commands inside `run:` blocks (for example, `npm audit` or `pip-audit`).
- Stack detection looks for `setup-node`, `setup-python`, or Docker actions to decide which stack-specific recommendations apply.
- Dual-purpose tools like `aquasecurity/trivy-action` are disambiguated by their `scan-type` input — `image` classifies as container scanning, anything else as SCA.
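The rules above, written out as a small Python detector. This is an added illustration, not CI/CD Watch's own code: the rule tables are constructed for the example, the workflow is assumed to be already loaded into a dict (as `yaml.safe_load` returns it), a missing `scan-type` on trivy-action is assumed to mean `image`, and the pinning check goes slightly beyond the page's branch example by treating any non-SHA ref (tags included) as mutable.

```python
import re

# Assumed rule tables, constructed for this example (not CI/CD Watch's own lists).
ACTION_RULES = {
    "github/codeql-action/": "SAST",
    "gitleaks/gitleaks-action": "Secrets",
    "anchore/scan-action": "Container",
}
RUN_RULES = {r"\bnpm audit\b": "SCA", r"\bpip-audit\b": "SCA", r"\bgitleaks\b": "Secrets"}
FIRST_PARTY = ("actions/", "github/")   # allowlisted for the pinning check
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is the only immutable ref

def classify_step(step):
    """Return the set of controls one workflow step provides."""
    controls = set()
    name = step.get("uses", "").split("@")[0]
    # Dual-purpose tool: trivy-action counts as container scanning only with
    # scan-type: image; treating a missing scan-type as image is an assumption here.
    if name == "aquasecurity/trivy-action":
        scan_type = (step.get("with") or {}).get("scan-type", "image")
        controls.add("Container" if scan_type == "image" else "SCA")
    for prefix, control in ACTION_RULES.items():   # action-based rules
        if name.startswith(prefix):
            controls.add(control)
    run = step.get("run") or ""
    for pattern, control in RUN_RULES.items():      # run-based rules
        if re.search(pattern, run):
            controls.add(control)
    return controls

def unpinned(step):
    """True if a third-party action is referenced by a mutable ref (branch or tag)."""
    uses = step.get("uses") or ""
    if not uses or uses.startswith(FIRST_PARTY) or uses.startswith(("./", "docker://")):
        return False
    return not SHA_RE.match(uses.partition("@")[2])

def assess(workflow):
    """Walk every job/step; return (controls present, unpinned third-party refs)."""
    present, pins = set(), []
    for job in workflow.get("jobs", {}).values():
        for step in job.get("steps") or []:
            present |= classify_step(step)
            if unpinned(step):
                pins.append(step["uses"])
    return present, sorted(pins)

# Constructed sample, shaped as yaml.safe_load would return a workflow file.
SAMPLE = {"jobs": {"ci": {"steps": [
    {"uses": "actions/checkout@v4"},
    {"uses": "github/codeql-action/analyze@v3"},
    {"run": "npm ci && npm audit --audit-level=high"},
    {"uses": "aquasecurity/trivy-action@master", "with": {"scan-type": "image"}},
]}}}
```

Running `assess(SAMPLE)` reports SAST, SCA and Container as present and flags only the `@master` trivy reference; the two first-party actions are allowlisted even though `@v4` and `@v3` are tags rather than SHAs.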
Coverage caveats
Security insights V1 covers GitHub Actions only. Azure Pipelines, GitLab CI, Bitbucket Pipelines, CircleCI, and Jenkins are not yet inspected. If most of your security runs in a reusable workflow that we don't see, or in a separate tool entirely (Jenkins job, third-party SaaS, GHAS default setup), use the Dismiss button to mark the control as handled elsewhere with a reason — that suppresses the gap without lying about coverage.
Recommendations
When a control is missing, the per-repo page shows a copy-pasteable workflow file you can drop into .github/workflows/. The recommendation is chosen based on the detected stack — for example, Node repos missing SCA get an npm audit snippet, Python repos get pip-audit.
Templates ship with sensible defaults: pinned action versions, a real gate (no continue-on-error), and severity thresholds set to high. We do not open pull requests for you — the recommendation is yours to paste, review, and merge.
Plan availability
Security insights are available on the Business and Enterprise plans.
Related
- DORA Metrics — the broader delivery-performance signals security insights sit alongside.
- Deployment Detection — how we identify which pipeline runs are deployments.
- CI/CD Watch for DevSecOps — the long-form pitch for the audience using these checks.