What is secure code scanning?
Secure code scanning (also known as secure code review) is the practice of assessing code for potential security flaws and code quality problems. It involves the use of specialized tools and techniques to identify and resolve code smells, errors, bugs, vulnerabilities, hardcoded secrets and data privacy risks in first-party code, third-party libraries, container images, and public repositories.
Just as grammar-checking tools help rid your documents of spelling and grammar errors, code scanners detect potential vulnerabilities and inefficiencies in your code, ensuring that only quality, trusted code gets shipped to production.
In this article, we’ll explore the step-by-step process of code scanning, its benefits, approaches, and best practices.
CI/CD Pipeline Security Best Practices [Cheat Sheet]
In this 13 page cheat sheet we'll cover best practices in the following areas of the CI/CD pipeline: Infrastructure security, code security, secrets management, access and authentication, monitoring and response
Download Cheat Sheet
Why is code scanning important?
Secure code scanning has become vital in the software development process because code security issues are inevitable and can quickly become exploitable security vulnerabilities that impact development teams, users, and infrastructure. Below are some reasons to consider scanning your code for vulnerabilities before going live:
Rapid software release cycles leave bugs and security flaws
Increasingly, enterprises are shortening software release cycles to edge out the competition. But because this cuts some of the time that development and security teams spend building apps and resolving potential security risks, rapid release cycles often result in the deployment of vulnerable software.
With code scanning, development teams can schedule code scans to run at periodic intervals or every time new code is added to their IDEs. Essentially, the earlier code scanning is introduced into the development process, the lower the cost and complexity of remediating issues, empowering organizations to (safely) speed up software release cycles.
Breaches have become more common
According to research by Forrester, in 2023 alone, there were 3,205 data beaches—that’s approximately 9 breaches per day. By flagging potential vulnerabilities before software is deployed, code scanning incorporates secure coding practices into the software development lifecycle (SDLC). This not only enhances software security and quality, but it also reduces the frequency and severity of data breaches.
Data breaches are costly
The fallout from data breaches can be far-reaching, including non-compliance penalties, lawsuits, reputational and financial costs, and the loss of customer trust. For context, telecommunications giant T-Mobile spent a whopping $350 million to settle a class-action lawsuit after a data breach in July 2022. But this was not all the breach cost the organization; T-Mobile also had to pay hefty legal fees and commit to a $150 million data security spend, as well as facing a massive hit to their reputation and customer trust.
To prevent such drastic consequences, code scanning tracks data as it flows through software applications, flagging sensitive data in file calls and function calls for proactive remediation.
DevOps Security Best Practices [Cheat Sheet]
In this 12 page cheat sheet we'll cover best practices in the following areas of DevOps: secure coding practices, infrastructure security, monitoring and response.
Download Cheat Sheet
The basic steps to code scanning
Read on to learn how the code scanning process functions, step by step:
Step 1: Define the scope
The first step is to clearly delineate all software, codebases, and modules to be covered by the code scanner. Then, determine if you want to run scheduled code scans, continuous code scans, or both. Scheduled scans are cheaper and run at set intervals (e.g., every time code is compiled and ready to be shipped, weekly, etc.). On the other hand, continuous scans tend to rack up costs but run in real time to catch security vulnerabilities as soon as they are introduced into your code.
Step 2: Choose the scanning tools
In the second phase, select optimal scanning tools. For comprehensive code security throughout the software development lifecycle, your code scanning tools should be a mix of SAST, DAST, secrets scanning, and SCA tools.
Step 3: Integrate with all necessary pipelines and environments
Integrate code scanners with all build systems, development and CI/CD pipelines, and code repositories. This will enable automated, on-the-fly-code scanning as new commits or builds are made.
Step 4: Customize the tool
Configure the tool to incorporate in-house security policies, standards, and rule sets (such as source code protection policies) to tailor the scans to your unique requirements.
Step 5: Run the scan
Begin code scanning at the earliest possible moment, while the app is still static and before the source code is compiled. This ensures all code issues are detected before changes become overly complicated and time-consuming.
Step 6: Review results
Examine scan results to pinpoint the sources of vulnerabilities, bugs, and code smells. Tools that offer comprehensive vulnerability reports are critical at this stage.
Step 7: Fix code issues
Resolve code security risks identified by modifying code, patching vulnerable software, or implementing other measures recommended by your tools. Tools that offer in-line feedback on how to fix code issues will be helpful here.
Step 8: Continuously monitor for new issues
Continuously rescan to verify that identified issues have been properly fixed and to ensure ongoing code security.
Approaches to code scanning
There’s a wide range of code scanning techniques and tools, each with their own use case. Let’s take a closer look:
| Techniques/tools | Description |
|---|---|
| Static application security testing (SAST) | Static analysis tools scan source code at rest to find common security risks like outdated software packages, access control problems, unsanitized external inputs, and buffer overflows. |
| Dynamic application security testing (DAST) | Dynamic analysis simulates attacks to detect runtime vulnerabilities like remote code execution (RCE), race conditions, and cross-site request forgery (CSRF). |
| Software composition analysis (SCA) | SCA tools assess source code, binary files, container images, package managers, and more for dependencies and associated known vulnerabilities by comparing the dependencies against vulnerability databases, such as the National Vulnerability Database (NVD). |
| Interactive application security testing (IAST) | IAST combines elements of SAST and DAST capabilities. |
| Secrets scanning | Secrets scanning tools analyze public repositories, container images, DevOps pipelines, and more for hard-coded credentials to prevent unauthorized access to sensitive cloud infrastructure. |
Code scanning’s challenges
From the table above, it’s clear that each code scanning technique has its strengths—and weaknesses. Besides these downsides, there are also two common challenges when it comes to using most code scanning techniques: false positives and false negatives. These challenges occur when code scanning tools either “identify” vulnerabilities that aren’t actually present (false positives) or miss vulnerabilities that are present (false negatives).
To minimize false positives and negatives, it’s best practice to apply multiple scanning techniques and tools throughout the SDLC, ensuring that you benefit from the strengths of all approaches without being bogged down by their weaknesses.
What vulnerabilities can code scanning detect?
Code scanning tools detect a wide range of vulnerabilities—including those listed in the OWASP Top 10—using techniques such as flow-based analysis, semantic analysis, pattern matching, fuzzing, and heuristic analysis. Here are some vulnerabilities that code scanning detects and how it detects them:
| Vulnerability | Detection Mechanism |
|---|---|
| SQL injection | By searching for input sanitization failures and other software design issues that allow users to input SQL queries directly into input fields without proper sanitization |
| Cross-site request forgery | By identifying improper input validation or insecure system tokens that empower hackers to exploit a target system’s trust for a returning user |
| Remote code execution (RCE) | By looking for misconfigurations or improper validation mechanisms that allow attackers to execute arbitrary code remotely |
| Buffer overflows | By detecting misconfigurations that allow input data beyond what a buffer can normally hold to be sent to it |
| Hardcoded secrets | By scanning for high-entropy or known patterns that indicate the presence of secrets—like API tokens or admin passwords—in code |
Real-world examples
1.The MOVEit Transfer attack: A SQL injection attack that targeted MOVEit Transfer was identified in May 2023. The attack exploited three critical SQL injection vulnerabilities in the managed file transfer (MFT) service’s code to exfiltrate data, impacting many MOVEit Transfer customers, including GreyNoise and Kroll.
From all indications, the vulnerability had a long dwell time, possibly spanning more than two years. The vulnerability could have been detected and resolved faster if code scanning had been implemented, preventing the attack and the subsequent reputational damage to MOVEit Transfer.
2. The Ollama RCE vulnerability: In June 2024, the Wiz Research team discovered an exploitable remote code execution vulnerability (CVE-2024-37032) in Ollama, a popular open-source project for running AI models. This vulnerability allowed attackers to send carefully crafted HTTP requests to Ollama’s exposed API server.
Though the security issue has since been resolved, developers of AI projects—and all internet-facing software, for that matter—can learn an essential lesson from this attack: Code scanning is critical to correct misconfigurations and security risks like RCE vulnerabilities.
7 essential code scanning best practices
1.Create a source code protection policy that states how and when you want your source code scanned, how you want it protected (e.g., through encryption), and which administrative roles should have access to your code and DevOps pipelines. This will protect your code against unauthorized tampering or theft.
2. Choose the right blend of tools by considering their ability to:
Automate your workflows so that they don’t slow down software release cycles;
Support all programming languages in your stack so you don’t have to worry about blind spots;
Detect potential vulnerabilities on the fly to help development teams adopt secure coding practices as outlined in the OWASP Secure Coding Practices Checklist;
Provide up-to-date vulnerability intelligence to minimize false negatives;
Support in-code compliance management so you don’t have to deal with breaches and regulatory fines;
Offer robust reports with actionable insights for fast vulnerability resolution; and
Support cross-team collaboration to improve overall software security without slowing down the release cycle.
3. Test for code security flaws early: This best practice involves adopting a shift-left, secure-by-design approach that unites DevSecOps teams, and in the long run, saves money, time, and effort you’d have spent on complicated secure code reviews if security was incorporated at a later stage.
4. Run automated and scheduled scans: As previously mentioned, both types of scans are useful in different scenarios. While automated scans provide instantaneous feedback on code issues throughout the SDLC, scheduled scans provide in-depth point-in-time analysis that can be useful for tracking your code security program’s evolution over time.
5. Address risks in a timely manner: Forbes research shows that security teams leave at least 23% of cloud alerts uninvestigated and unresolved. Unfortunately, unresolved risks present threat actors with opportunities to attack your systems. To avoid being an easy target, apply fixes and update software promptly. Also, choosing tools that prioritize risks and minimize alert fatigue means teams won’t have to manually validate results.
6. Finetune tool configuration so it serves your unique needs. This includes incorporating business context; adjusting sensitivity settings; adding exceptions, whitelists, and blacklists where necessary; and defining rules and signatures. Combining these strategies with multiple code scanning tools and techniques yields comprehensive and accurate results—with little to no false positives.
7. Increase secure coding awareness through employee training, accountability, and research on evolving vulnerability trends. Help developers understand that writing clean code from the ground up is in their best interest: There’ll be fewer security vulnerabilities to deal with post-production with shift-left security.
Wiz for code security
Wiz’s approach to secure code scanning is centered around its comprehensive, cloud-native application protection platform (CNAPP), which integrates code security with cloud security. Wiz Code, a new addition to our platform, extends this by offering seamless, agentless scanning for security vulnerabilities, misconfigurations, and secrets directly within the code before it’s deployed to production.
By scanning both application code and infrastructure as code (IaC), Wiz provides holistic security coverage that catches vulnerabilities early in the development cycle. This helps reduce risks by enabling development teams to detect and remediate issues faster, fostering secure coding practices that scale with modern DevSecOps workflows.
Wiz Code's integration into CI/CD pipelines also ensures continuous scanning and monitoring, empowering developers to maintain security without interrupting their workflows. This allows organizations to maintain a strong security posture while accelerating innovation in cloud environments.
Learn why CISOs at the fastest growing companies trust Wiz to accelerate secure cloud development.
