For DevSecOps

DevSecOps observability: without another scanner

Inventory which repos have SAST, SCA, secret scanning, and container scanning. Built-in audit rules surface CI/CD security hygiene gaps across every provider. Per-repo drill-down with copy-pasteable scanner templates. No new scanners, no new agents.

cicd.watch/securityCoverage · live

Security coverage · across every connected repo

Repo            SAST    SCA     Secrets   Container
platform-api    clear   clear   clear     clear
web             clear   clear   gap       dismissed
mobile-ios      gap     clear   gap       dismissed
legacy-erp      gap     gap     gap       gap

Coverage · Audit · Per-repo fix

Three views that turn scanning theatre into action

Scans get configured, gaps go unnoticed, dismissals get lost. Three capabilities that close the loop: what's covered, what hygiene rules fire, and how to close the gap on a specific repo.

1 · Scan coverage inventory

Which repos run SAST, SCA, secret scanning. Which don't.

Coverage inventory across every connected provider. Each repo is checked for SAST, SCA, secret scanning, container scanning, and license scanning. The scanners are detected from your workflow files, not from a config we ask you to fill in.

  • Detection via YAML/config parsing, reading what your team already commits
  • Major scanners covered: Semgrep, CodeQL, Snyk, OSV, Trufflehog, GitLeaks, Trivy, Grype, FOSSA
  • Three states per repo per category: gaps, clear, dismissed (with reason)

Outcome: a coverage matrix that survives any audit conversation.

What's needed: Repos connected via OAuth / access token. Detection runs on every config change.
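As an added illustration of the detection and three-state classification described above (this is not CI/CD Watch's own code; the scanner signatures, the sample workflow files and the dismissal records are assumptions constructed for the example), the following Python reads scanner presence out of committed GitHub Actions workflow text, folds in dismissals, and builds the coverage matrix with a 'missing' filter. It also shows the rule a practitioner would want here: a scanner that is actually present wins over a stale dismissal, so an exemption can never hide real coverage.

```python
"""Scanner-presence detection from CI workflow files.

Added illustration, not CI/CD Watch's own code. Scanner signatures are
assumptions chosen for the example; workflows and dismissals are constructed.
"""
import re
from dataclasses import dataclass

CONTROLS = ("SAST", "SCA", "Secrets", "Container", "License")

# Assumed signatures: substrings that identify a scanner inside a `uses:`
# action reference or a `run:` command. A production detector would parse the
# YAML tree; matching on the executed lines is enough to show the approach.
SIGNATURES = {
    "SAST": ("github/codeql-action", "semgrep", "sonarsource"),
    "SCA": ("npm audit", "pip-audit", "osv-scanner", "snyk test"),
    "Secrets": ("gitleaks", "trufflehog", "gitguardian"),
    "Container": ("trivy", "grype", "snyk container"),
    "License": ("license-checker", "fossa"),
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")


def command_lines(workflow_text):
    """Yield action references and shell commands a workflow executes.

    Handles `run: cmd` and block-scalar `run: |` by collecting the lines
    indented deeper than the `run:` key.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        uses, run = USES_RE.match(line), RUN_RE.match(line)
        if uses:
            yield uses.group(1)
        elif run:
            body = run.group(1).strip()
            if body in ("|", ">", "|-", ">-"):
                key_indent = line.index("run:")
                i += 1
                while i < len(lines) and (
                    not lines[i].strip()
                    or len(lines[i]) - len(lines[i].lstrip()) > key_indent
                ):
                    if lines[i].strip():
                        yield lines[i].strip()
                    i += 1
                continue  # lines[i] is the first line outside the block
            yield body
        i += 1


@dataclass
class Dismissal:
    repo: str
    control: str
    reason: str  # category, e.g. "out-of-scope"
    note: str
    user: str


def classify(workflows, dismissals):
    """Return {control: state} for one repo; state is gap, clear or dismissed."""
    found = {c: set() for c in CONTROLS}
    for text in workflows:
        for cmd in command_lines(text):
            low = cmd.lower()
            for control, sigs in SIGNATURES.items():
                found[control].update(s for s in sigs if s in low)
    dismissed = {d.control for d in dismissals}
    states = {}
    for c in CONTROLS:
        if found[c]:
            states[c] = "clear"  # a detected scanner overrides a stale dismissal
        elif c in dismissed:
            states[c] = "dismissed"
        else:
            states[c] = "gap"
    return states


def coverage_matrix(repos, dismissals):
    """repos: {name: [workflow_text, ...]} -> {name: {control: state}}."""
    return {name: classify(wfs, [d for d in dismissals if d.repo == name])
            for name, wfs in repos.items()}


def only(matrix, state):
    """The 'missing' filter when state == "gap": repos with a control in that state."""
    return {repo: [c for c, s in states.items() if s == state]
            for repo, states in matrix.items() if state in states.values()}


# Constructed sample workflows (GitHub Actions syntax).
WEB_CI = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: |
          npm audit --audit-level=high
          npm test
      - uses: github/codeql-action/analyze@v3
"""
PLATFORM_CI = """\
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
      - run: pip-audit -r requirements.txt
      - uses: github/codeql-action/analyze@v3
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: platform-api:latest
      - run: npx license-checker --failOn "GPL-3.0"
"""
REPOS = {"platform-api": [PLATFORM_CI], "web": [WEB_CI], "legacy-erp": []}
DISMISSALS = [
    Dismissal("web", "Container", "not-applicable", "static bundle, no container artifact", "alice"),
    Dismissal("web", "License", "tracked-elsewhere", "tracked in FOSSA", "alice"),
    Dismissal("legacy-erp", "SAST", "out-of-scope", "legacy COBOL surface, no scanner support", "bob"),
]

if __name__ == "__main__":
    matrix = coverage_matrix(REPOS, DISMISSALS)
    for repo, states in matrix.items():
        print(f"{repo:14}" + "".join(f"{states[c]:11}" for c in CONTROLS))
    print("gaps:", only(matrix, "gap"))
```

Run it as-is to see the matrix for the three constructed repos; `legacy-erp` has no pipeline at all, so everything except its dismissed SAST control reports as a gap, which is what the 'missing' filter should surface.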

cicd.watch/security

Coverage matrix · 42 repos

SAST        34 / 42
SCA         38 / 42
Secrets     22 / 42
Container   14 / 18

Repo            SAST    SCA     Secrets   Container
platform-api    clear   clear   clear     clear
mobile-ios      gap     clear   gap       dismissed
legacy-erp      gap     gap     gap       gap

Per-repo scanner inventory; filter to 'missing' to see only the gaps.

2 · Audit rules

CI/CD security hygiene gaps surfaced rule by rule.

Built-in audit rules check every connected repo for missing SAST, missing SCA, missing secret-scanning, missing license scan, manual-approval inflation on production deploys, and the CI/CD discipline rules around lint, unit tests, schema-migration validation, and deployment classification.

  • Each rule has a dedicated explanation page; findings shown per rule across repos
  • Findings durable across runs, not noise that resets on every commit
  • Hygiene + security treated as one continuum, the way real teams work

Outcome: a punch list of where CI/CD security and hygiene fall below your bar, with an explanation per finding.

What's needed: Repos connected. Rules run on the latest config and recent run history.
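As an added illustration of the audit-rule idea above (not CI/CD Watch's own rule engine; the rule ids, severities and the shape of a repo snapshot are assumptions, and the snapshots are constructed sample data), the following Python evaluates a small set of severity-ranked rules over per-repo snapshots and keys each finding by rule and repo, so that a gap keeps the same finding identity, and its first-seen run, across successive evaluations instead of resetting on every commit.

```python
"""Severity-ranked audit rules whose findings keep their identity across runs.

Added illustration, not CI/CD Watch's rule engine. Rule ids, severities and
the snapshot shape are assumptions; the snapshots are constructed.
"""
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# (rule id, severity, predicate over a repo snapshot). A dismissed control is
# intentionally absent, so only the "gap" state fires a missing-scanner rule.
RULES = [
    ("secrets-scanning-missing", "critical", lambda s: s["controls"]["Secrets"] == "gap"),
    ("sast-missing", "critical", lambda s: s["controls"]["SAST"] == "gap"),
    ("license-scan-missing", "high", lambda s: s["controls"]["License"] == "gap"),
    ("unit-tests-missing", "medium", lambda s: not s["jobs"].get("unit_tests")),
    ("lint-missing", "low", lambda s: not s["jobs"].get("lint")),
]


def evaluate(snapshots, run_no):
    """Run every rule over every repo; the key `rule:repo` is the durable
    identity, so the same gap maps to the same finding on every run."""
    findings = {}
    for repo, snap in snapshots.items():
        for rule, severity, fires in RULES:
            if fires(snap):
                findings[f"{rule}:{repo}"] = {
                    "rule": rule, "severity": severity, "repo": repo,
                    "first_seen": run_no, "last_seen": run_no,
                }
    return findings


def merge(previous, current):
    """Carry first_seen forward for findings that are still open."""
    return {key: ({**f, "first_seen": previous[key]["first_seen"]} if key in previous else f)
            for key, f in current.items()}


def resolved(previous, current):
    """Finding keys that were open last run and no longer fire."""
    return sorted(set(previous) - set(current))


def ranked_summary(findings):
    """Rows of (severity, rule, affected-repo count), most severe first."""
    repos_by_rule = {}
    for f in findings.values():
        repos_by_rule.setdefault((f["severity"], f["rule"]), set()).add(f["repo"])
    rows = [(sev, rule, len(repos)) for (sev, rule), repos in repos_by_rule.items()]
    rows.sort(key=lambda r: (SEVERITY_RANK[r[0]], -r[2], r[1]))
    return rows


# Constructed snapshots: coverage states per control plus detected CI jobs.
CLEAR = {c: "clear" for c in ("SAST", "SCA", "Secrets", "Container", "License")}
SNAPSHOTS = {
    "platform-api": {"controls": dict(CLEAR), "jobs": {"lint": True, "unit_tests": True}},
    "web": {"controls": {**CLEAR, "Secrets": "gap", "Container": "dismissed", "License": "dismissed"},
            "jobs": {"lint": True, "unit_tests": True}},
    "mobile-ios": {"controls": {**CLEAR, "SAST": "gap", "Secrets": "gap", "Container": "dismissed", "License": "gap"},
                   "jobs": {"lint": False, "unit_tests": True}},
    "legacy-erp": {"controls": {c: "gap" for c in CLEAR}, "jobs": {"lint": False, "unit_tests": False}},
}

if __name__ == "__main__":
    run1 = evaluate(SNAPSHOTS, 1)
    for severity, rule, count in ranked_summary(run1):
        print(f"{severity:9}{rule:28}{count} repos")
    # Run 2: web wires in secret scanning; its finding resolves, the rest persist.
    web2 = {"controls": {**SNAPSHOTS["web"]["controls"], "Secrets": "clear"}, "jobs": SNAPSHOTS["web"]["jobs"]}
    run2 = merge(run1, evaluate({**SNAPSHOTS, "web": web2}, 2))
    print("resolved:", resolved(run1, run2))
```

The `merge` step is what makes findings durable: a finding that fires again inherits its original `first_seen`, so the punch list can show how long each gap has been open rather than presenting every evaluation as new noise.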

cicd.watch/audit

Audit findings · CI/CD hygiene

Severity   Rule                          Repos
critical   Secrets scanning missing      20
critical   SAST job missing              8
high       License scan missing          14
medium     Manual-approval inflation     2
low        Lint job missing              3

Audit rules ranked by severity across every connected repo.

3 · Per-repo fix path

Click a repo. See gaps, paste a scanner template, or record a dismissal.

The per-repo drill-down shows exactly which controls are missing. Each gap surfaces a copy-pasteable workflow snippet for a recommended scanner. If the gap is intentional, record a dismissal with a reason category and note. The audit trail stays intact.

  • YAML snippets recommended per detected stack (e.g. Semgrep for JS/TS, pip-audit for Python)
  • One-click copy; commit it to your repo and the next sync re-classifies coverage
  • Dismissals record reason category + free-text note + the user who set them

Outcome: from ‘you have a SAST gap’ to ‘here is the workflow snippet’ in two clicks.

What's needed: Tenant admin to record dismissals. Repo write access lives with your team, not us.

cicd.watch/security/web

web · security controls

Secrets scanning: gap
  Recommended: GitLeaks (node/js detected)

    - uses: gitleaks/gitleaks-action@v2
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

SAST (CodeQL): clear
License scan: dismissed · tracked in FOSSA

Per-repo drill-down: missing controls with a copy-pasteable workflow snippet for each.

Same connect, more depth

How we work with security teams

Three more capabilities the same data unlocks. Each pays off where DevSecOps is trying to make CI/CD discipline measurable, not just exhortative.

Control coverage

Control coverage matrix: one row per repo, columns for each scanner type

A grid of every connected repository against every scanner category. Filter to 'missing' to see the gaps. Export the matrix as evidence for SOC 2, ISO 27001, or an internal architecture review.

Repo            SAST    SCA     Secrets   Container
platform-api    clear   clear   clear     clear
web             clear   clear   gap       dismissed
mobile-ios      gap     clear   gap       dismissed
legacy-erp      gap     gap     gap       gap

Dismissal audit trail

Dismissals carry a reason, a note, and the user who set them

When a scanner is intentionally absent on a repo, the dismissal records a category, free-text note, and the dismissing user. Dismissed controls drop out of the gaps view but stay queryable so reviewers can see why each exemption was granted.

legacy-erp · SAST: dismissed
  Out of scope: legacy COBOL surface, no scanner support
mobile-ios · Container: dismissed
  N/A: native build, no container artifact
web · License: dismissed
  Tracked separately in FOSSA

Approval discipline

Manual-approval inflation flagged on production deploys

An audit rule that flags pipelines whose only gate is a manual approval and where approvals come back inside seconds (rubber-stamping). It is a useful signal that the approval boundary isn't doing real review work.

legacy-erp      Deploy prod · approved in 4s
web             Deploy prod · approved in 22s
platform-api    Deploy prod · 14m avg approval
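As an added illustration of the approval-inflation rule described above (not CI/CD Watch's own implementation; the run-record shape, the 60-second threshold and the three-sample minimum are assumptions, and the runs are constructed sample data), the following Python measures how long each production approval took, considers only deploys where the manual approval is the sole gate, and flags a repo only once enough samples show a median under the threshold, so a single fast approval on a quiet day does not produce a finding.

```python
"""Manual-approval inflation: production deploys whose only gate is a human
approval that comes back in seconds.

Added illustration, not CI/CD Watch's rule. Record shape, threshold and
sample minimum are assumptions; the runs are constructed sample data.
"""
from datetime import datetime, timedelta
from statistics import median

RUBBER_STAMP_SECONDS = 60  # assumed: a median under this looks like a stamp, not a review
MIN_SAMPLES = 3            # assumed: never flag a repo on a single quick approval


def approval_seconds(run):
    """Seconds between the approval request and the approval decision."""
    requested = datetime.fromisoformat(run["requested_at"])
    approved = datetime.fromisoformat(run["approved_at"])
    return (approved - requested).total_seconds()


def approval_inflation(runs, threshold=RUBBER_STAMP_SECONDS, min_samples=MIN_SAMPLES):
    """Per repo: median approval latency on production deploys gated only by
    a manual approval, and whether that median falls under the threshold."""
    latencies = {}
    for run in runs:
        if run["environment"] != "production":
            continue
        if run["gates"] != ["manual-approval"]:
            continue  # an automated gate also protects this deploy
        latencies.setdefault(run["repo"], []).append(approval_seconds(run))
    findings = {}
    for repo, secs in latencies.items():
        med = median(secs)
        findings[repo] = {
            "median_seconds": med,
            "samples": len(secs),
            "flagged": len(secs) >= min_samples and med < threshold,
        }
    return findings


def make_run(repo, env, gates, requested, seconds):
    """Constructed run record approved `seconds` after the request."""
    req = datetime.fromisoformat(requested)
    return {"repo": repo, "environment": env, "gates": gates,
            "requested_at": req.isoformat(),
            "approved_at": (req + timedelta(seconds=seconds)).isoformat()}


# Constructed run history. Only the manual-approval-gated production deploys count.
RUNS = [
    make_run("legacy-erp", "production", ["manual-approval"], "2024-05-01T10:00:00+00:00", 4),
    make_run("legacy-erp", "production", ["manual-approval"], "2024-05-02T10:00:00+00:00", 3),
    make_run("legacy-erp", "production", ["manual-approval"], "2024-05-03T10:00:00+00:00", 6),
    make_run("web", "production", ["manual-approval"], "2024-05-01T11:00:00+00:00", 22),
    make_run("web", "production", ["manual-approval"], "2024-05-02T11:00:00+00:00", 18),
    make_run("web", "production", ["manual-approval"], "2024-05-03T11:00:00+00:00", 30),
    make_run("web", "staging", ["manual-approval"], "2024-05-03T09:00:00+00:00", 1),  # not production
    make_run("platform-api", "production", ["manual-approval"], "2024-05-01T12:00:00+00:00", 840),
    make_run("platform-api", "production", ["manual-approval"], "2024-05-02T12:00:00+00:00", 600),
    make_run("platform-api", "production", ["manual-approval"], "2024-05-03T12:00:00+00:00", 900),
    make_run("mobile-ios", "production", ["unit-tests", "manual-approval"], "2024-05-01T13:00:00+00:00", 2),
    make_run("docs-site", "production", ["manual-approval"], "2024-05-01T14:00:00+00:00", 5),
    make_run("docs-site", "production", ["manual-approval"], "2024-05-02T14:00:00+00:00", 7),
]

if __name__ == "__main__":
    for repo, f in approval_inflation(RUNS).items():
        mark = "FLAGGED" if f["flagged"] else "ok"
        print(f"{repo:14}median {f['median_seconds']:6.0f}s over {f['samples']} deploys  {mark}")
```

Note the two exclusions: `mobile-ios` has a unit-test gate ahead of the approval, so the approval is not the only gate, and `docs-site` has only two samples, so its fast approvals are not yet enough evidence to call it rubber-stamping.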

All from one connect

Plus the rest of the toolkit

Security observability is the lead for DevSecOps. The same connection also surfaces DORA, cost, stability, and audit findings across the estate.

Security insights

Per-repo scanner-presence inventory rolled up across the estate. Business tier.

Audit rules

Built-in CI/CD hygiene + security rules ranked by severity across repos. Business tier.

Template recommendations

Copy-pasteable workflow snippets for missing scanners. Business tier.

Stability classification

Pipelines auto-classified healthy / flaky / broken; security pipelines are pipelines too.

DORA metrics

All five metrics including change-fail-rate and recovery time. Useful for incident response review.

Slack notifications

Security regressions and audit-rule failures in your team channel. Team tier.

CLI

Query audit findings and coverage from your shell. Pipe into compliance scripts.

MCP server

Let an AI agent answer 'which repos are missing SAST' without leaving the chat.

Pricing

Flat per tenant

Security insights and audit findings sit on the Business tier. Enterprise adds SSO, longer retention, and a security-review pack.

Free

For one team getting started with up to 3 repos.

$0/month
Start free
  • 3 repos
  • 1 team member
  • DORA, stability, flaky tests
  • Pipeline monitoring
  • Email support

Team

Flat rate per tenant. Up to 20 repos and 10 team members.

$29/month
Start Team trial
  • 20 repos
  • 10 team members
  • Everything in Free
  • Cost tracking, PR health
  • Slack notifications, CLI, MCP server
Most popular

Business

Includes security insights and audit findings. 100 repos and 50 team members.

$99/month
Start Business trial
  • 100 repos
  • 50 team members
  • Everything in Team
  • Security coverage inventory
  • Audit rules across the estate
  • Template recommendations + dismissal workflow
  • Priority support

Comparison

How CI/CD Watch compares for security observability

The CI/CD Watch posture is observability over the scanners you already run, plus CI/CD hygiene rules. Headline pricing only; deeper comparisons live on the linked pages.

Headline pricing
  CI/CD Watch: $99 / mo flat (Business)
  Datadog CI Visibility: From $8 / committer / mo + per-span overages
  Dedicated AppSec tool: Varies (per-developer or per-app)
  Manual spreadsheet inventory: Cheap but stale within a sprint

Scanner-presence inventory across repos
  CI/CD Watch: Yes, auto-detected from config
  Datadog CI Visibility: No
  Dedicated AppSec tool: No (it IS the scanner)
  Manual spreadsheet inventory: Maybe, manually

CI/CD audit rules across the estate
  CI/CD Watch: Yes, built-in
  Datadog CI Visibility: No
  Dedicated AppSec tool: Scanner-rule only
  Manual spreadsheet inventory: No

Template recommendations for missing scanners
  CI/CD Watch: Yes, per detected stack
  Datadog CI Visibility: No
  Dedicated AppSec tool: Sometimes (scanner-specific)
  Manual spreadsheet inventory: No

Dismissal workflow with reason
  CI/CD Watch: Yes, audited
  Datadog CI Visibility: No
  Dedicated AppSec tool: Yes, per tool
  Manual spreadsheet inventory: Manual

Works with your existing scanners
  CI/CD Watch: Yes (reads, doesn't replace)
  Datadog CI Visibility: No scanners
  Dedicated AppSec tool: Replaces or competes
  Manual spreadsheet inventory: Yes

Pricing model
  CI/CD Watch: Flat per tenant
  Datadog CI Visibility: Per committer + spans
  Dedicated AppSec tool: Per developer / app
  Manual spreadsheet inventory: Time cost

Competitor pricing reflects each vendor's published headline rate. Dedicated AppSec tools (Snyk, Veracode, GHAS, Mend, etc.) sit on a different layer; we read their output, we don't replace them.

5 control categories detected: SAST / SCA / secrets / container / license

3 states per control: gaps / clear / dismissed

21 built-in audit rules

Flat per-tenant pricing

FAQ

DevSecOps specifics

Does CI/CD Watch replace our SAST or SCA tool?
No. We don't scan code or dependencies ourselves. We detect which scanners are configured in each repository's pipeline (Semgrep, CodeQL, Snyk, npm-audit, pip-audit, OSV-scanner, Trufflehog, GitLeaks, Trivy, Grype, and others) and inventory coverage. You keep your existing scanners; we tell you which repos are missing them.
Which scanners do you detect?
SAST: Semgrep, CodeQL, SonarQube, Snyk Code. SCA / dependency: npm-audit, pip-audit, OSV-scanner, Snyk, Dependabot, Renovate (config-level). Secret scanning: Trufflehog, GitLeaks, Gitguardian. Container scanning: Trivy, Grype, Snyk Container. License: license-checker, FOSSA, Snyk License. Detection is via workflow YAML or pipeline-config parsing, reading the same files your team commits.
How does the coverage view classify each repo?
Each control on each repo is one of three states: gaps (scanner not detected), clear (scanner present), or dismissed (intentionally absent with a reason recorded). The filter on /security lets you scope to just gaps, just clear, or just dismissed across the estate.
What CI/CD security hygiene rules are included in the audit?
Built-in rules check for missing SAST, missing SCA, missing secret scanning, missing license scan, manual-approval inflation on production deploys, lint presence, unit-test presence, schema-migration validation, and several pipeline-stability rules. Each rule has an explanation page. Full list at /docs/audit.
What about ingesting findings from GitHub Advanced Security or GitLab vulnerability reports?
We detect that scanners like CodeQL, Semgrep, or Snyk are wired into your workflow, but we don't currently ingest the findings themselves; we don't store CVE-level data. Coverage answers the ‘is the scanner present’ question; the findings themselves stay in the source tool. Ingesting GHAS / GitLab finding metadata is on the roadmap.
Can intentionally-missing scanners be marked as such?
Yes. The dismissal workflow lets a tenant admin mark a specific control on a specific repo as intentionally absent, with a reason category and free-text note. Dismissed controls appear in their own filter state so they don't pollute the gaps view but stay auditable.
How do you compare to a dedicated AppSec platform?
Different layer. AppSec platforms (Snyk, Veracode, GitHub Advanced Security, Mend, etc.) scan and produce findings. CI/CD Watch sits above them and answers ‘are scanners present, what CI/CD hygiene gaps does the audit find, are dismissals justified’. We complement rather than replace. Datadog CI Visibility overlaps on pipeline observability but doesn't surface scanner-presence inventory or audit hygiene rules.
Does this add traffic or load to our CI?
No. We read pipeline state and repo config via your provider's API with conditional requests (ETags, If-Modified-Since). No agent installed in your runners. No log shipping in-band. The build runs at the speed it did before.
How does pricing work for security teams?
Audit findings and security insights are on the Business tier ($99/mo flat per tenant). That covers up to 100 repos and 50 team members across every connected provider. Enterprise adds SSO, longer retention, on-premise connector, and a security-review pack.

Explore other use cases

See how CI/CD Watch helps every role in your engineering org.

Make CI/CD security gaps measurable.

Connect what you've got in two minutes per provider. Scanner coverage, audit rules, and per-repo template recommendations on the Business tier.