Code Security

CyfroCode

CyfroCode provides a comprehensive code security workspace embedded directly within CyfroSec. Designed for developers and security teams alike, it allows you to connect your code repositories, automatically run security scans, and generate actionable remediation patches, all without leaving the platform.

CyfroCode supports 6 programming languages for code security scanning, plus 5 infrastructure/configuration surfaces.


Programming Languages

Language      Extensions
Python        .py
JavaScript    .js
TypeScript    .ts
Java          .java
Go            .go
C#            .cs

Infrastructure / Configuration Surfaces

  1. Container (Dockerfile)
  2. Terraform (IaC)
  3. Kubernetes (manifests)
  4. YAML (generic config)
  5. CI (GitHub Actions workflows)

Connecting GitHub

To get started with CyfroCode, you need to connect your organization's GitHub account:

  1. Navigate to CyfroCode via the main navigation menu.
  2. Click the Connect GitHub App button.
  3. You will be redirected to GitHub to authorize and install the CyfroSec GitHub App.
  4. Once the app is installed, CyfroSec automatically syncs your repositories and lists them on the CyfroCode dashboard.
Note: You must be an administrator in both GitHub and CyfroSec to complete this setup; installing a GitHub App requires administrative rights on the GitHub organization.

Managing Synced Repositories

On the CyfroCode dashboard, your synced repositories are listed with helpful metadata:

Field                    Description
Default Branch           The primary branch monitored for changes; scans are queued against it.
Languages & Frameworks   Technologies auto-detected in your codebase.
Tech Indicators          Badges showing whether the repository uses Docker, Terraform, or GitHub Actions.
Sync Status              Real-time status of the connection with GitHub.
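As an added illustration of the detection behind the language table and the Tech Indicators badges (example code, not CyfroCode's own detector): the extension table and the five surface names are taken from this page, while the file-name rules (Dockerfile, *.tf, .github/workflows/*.yml), the skipped vendor directories and the apiVersion/kind heuristic that separates Kubernetes manifests from generic YAML are this example's own assumptions.

```python
"""Classify a repository checkout by the languages and infrastructure surfaces
listed on this page. Added illustration, not CyfroCode's detector: the
extension table and surface names are from the page; the file-name rules and
the apiVersion/kind heuristic are assumptions."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Extension table from the page (Programming Languages).
LANGUAGE_EXTENSIONS = {
    ".py": "Python",
    ".js": "JavaScript",
    ".ts": "TypeScript",
    ".java": "Java",
    ".go": "Go",
    ".cs": "C#",
}

# Assumed to hold vendored or generated code rather than the project's own.
SKIP_DIRS = {".git", "node_modules", "vendor"}


def _looks_like_k8s_manifest(path: Path) -> bool:
    """Assumed heuristic: a YAML file whose top-level keys include apiVersion and kind."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return False
    top_level_keys = {
        line.split(":", 1)[0].strip()
        for line in text.splitlines()
        if line and not line[0].isspace() and ":" in line
    }
    return {"apiVersion", "kind"} <= top_level_keys


def classify_file(path: Path, root: Path) -> tuple[str | None, str | None]:
    """Return (language, surface) for one file; either can be None."""
    rel = path.relative_to(root).as_posix()
    language = LANGUAGE_EXTENSIONS.get(path.suffix)
    surface = None
    if path.name == "Dockerfile" or path.name.startswith("Dockerfile."):
        surface = "Container"
    elif path.suffix == ".tf":
        surface = "Terraform"
    elif rel.startswith(".github/workflows/") and path.suffix in (".yml", ".yaml"):
        surface = "CI"  # checked before generic YAML so workflows are not misfiled
    elif path.suffix in (".yml", ".yaml"):
        surface = "Kubernetes" if _looks_like_k8s_manifest(path) else "YAML"
    return language, surface


def detect(root: str | os.PathLike) -> dict[str, list[str]]:
    """Walk a checkout and return the sorted languages and surfaces found."""
    root_path = Path(root)
    languages: set[str] = set()
    surfaces: set[str] = set()
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            language, surface = classify_file(Path(dirpath) / name, root_path)
            if language:
                languages.add(language)
            if surface:
                surfaces.add(surface)
    return {"languages": sorted(languages), "surfaces": sorted(surfaces)}


def tech_indicators(surfaces: list[str]) -> list[str]:
    """Map detected surfaces onto the three dashboard badges the page names."""
    badge_for = {"Container": "Docker", "Terraform": "Terraform", "CI": "GitHub Actions"}
    return [badge_for[s] for s in badge_for if s in surfaces]


def demo() -> dict[str, list[str]]:
    """Write a constructed sample checkout to a temp dir and classify it."""
    sample_files = {  # constructed content, not a real repository
        "app/main.py": "print('hello')\n",
        "web/index.ts": "export {};\n",
        "Dockerfile": "FROM python:3.12\n",
        "infra/main.tf": 'resource "aws_s3_bucket" "logs" {}\n',
        "k8s/deploy.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
        "config/app.yaml": "debug: false\n",
        ".github/workflows/ci.yml": "on: push\njobs: {}\n",
        "node_modules/dep/index.js": "module.exports = 1;\n",  # pruned: no JavaScript
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in sample_files.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        result = detect(tmp)
    result["indicators"] = tech_indicators(result["surfaces"])
    return result


if __name__ == "__main__":
    print(demo())
```

Point detect() at a real checkout to compare its output with the dashboard's Languages & Frameworks and Tech Indicators fields; a mismatch usually means the repository keeps its workflows, manifests or Dockerfiles somewhere these assumed rules do not look.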

Running Scans

To analyze a repository for security vulnerabilities:

  1. Locate the repository in the Synced Repositories list.
  2. Click the Queue Scan button.
  3. The scan is queued for the default branch and transitions through the states queued, running, and then completed or failed.

You can monitor actively queued and historical scans in the Recent Scans section on the main CyfroCode dashboard.

Reviewing Findings & AI Explanations

Once a scan concludes, you can click on it to view a detailed breakdown of the findings. The scan detail page offers:

  1. Metrics Overview: a snapshot of total findings, risk scores, and scan duration.
  2. Grouped Issues vs. Raw Matches: toggle between grouped issues (deduplicated by vulnerability type) and raw matches (every specific line of code affected).
  3. Severity Filters: quickly filter findings by severity, from Critical down to Low.

Each finding card provides deep context:

Section                 Details
Source Information      The primary file path and the specific lines of code affected.
AI Explanation          CyfroAssistant summarizes the vulnerability and explains, in plain contextual language, why it is an issue.
Remediation Guidance    Expand this section for steps to mitigate the risk manually.

Automated Patch Proposals

For supported vulnerabilities, CyfroCode goes beyond reporting by offering automated, AI-driven patches:

  1. Click Generate Patch on a specific finding.
  2. CyfroSec's AI models analyze the vulnerability context and propose a code change intended to fix the issue without altering the code's behaviour.
  3. Review the proposed diff directly within the UI, as you would any contributor's change: an AI-generated patch can be wrong or incomplete.
  4. If it is correct, click Approve to export the remediation patch to a new branch in your GitHub repository, ready for Pull Request review. Nothing is merged automatically.
  5. If a finding turns out to be a false positive or an accepted risk, use the Suppress option to hide it from future scans. Suppression hides the finding rather than fixing it, so record the reason as you would for any accepted risk.
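The two findings views described under Reviewing Findings (grouped issues versus raw matches), the severity filter, and the Suppress option above, modelled in an added example that is not CyfroCode's own data model: the view names and the four severity levels come from this page, while the field names, the grouping key (a rule id standing in for "vulnerability type") and the suppression key (rule id plus file path) are assumptions made for the illustration.

```python
"""Model of the scan detail page's findings views: raw matches (one per affected
line), grouped issues (deduplicated by vulnerability type), the severity
filter, and suppression. Added illustration, not CyfroCode's data model;
field names, grouping key and suppression key are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class RawMatch:
    rule: str        # vulnerability type, assumed to be a rule id
    severity: str
    path: str
    line: int


@dataclass
class Issue:
    rule: str
    severity: str    # highest severity seen among the grouped matches
    locations: list[tuple[str, int]] = field(default_factory=list)


# Constructed sample scan output; not real findings.
RAW_MATCHES = [
    RawMatch("sql-injection", "Critical", "app/db.py", 42),
    RawMatch("sql-injection", "Critical", "app/db.py", 58),
    RawMatch("sql-injection", "High", "app/report.py", 17),
    RawMatch("hardcoded-secret", "High", "app/settings.py", 3),
    RawMatch("image-latest-tag", "Medium", "Dockerfile", 1),
    RawMatch("debug-enabled", "Low", "config/app.yaml", 1),
]


def apply_suppressions(matches, suppressed):
    """Drop matches the user suppressed as false positive or accepted risk
    (assumed key: rule id plus file path, matching the finding card's source)."""
    return [m for m in matches if (m.rule, m.path) not in suppressed]


def filter_by_severity(matches, minimum):
    """Keep matches at or above the chosen severity floor."""
    floor = SEVERITY_RANK[minimum]
    return [m for m in matches if SEVERITY_RANK[m.severity] >= floor]


def group_issues(matches):
    """Collapse raw matches into one issue per rule, keeping every location."""
    issues: dict[str, Issue] = {}
    for m in matches:
        issue = issues.setdefault(m.rule, Issue(m.rule, m.severity))
        if SEVERITY_RANK[m.severity] > SEVERITY_RANK[issue.severity]:
            issue.severity = m.severity   # a group reports its worst match
        issue.locations.append((m.path, m.line))
    return sorted(issues.values(), key=lambda i: (-SEVERITY_RANK[i.severity], i.rule))


def triage(matches=RAW_MATCHES, minimum="Low", suppressed=frozenset()):
    """Return the two counts the page contrasts plus the grouped view."""
    visible = filter_by_severity(apply_suppressions(matches, suppressed), minimum)
    issues = group_issues(visible)
    return {"raw": len(visible), "grouped": len(issues), "issues": issues}


if __name__ == "__main__":
    for issue in triage(minimum="High")["issues"]:
        print(issue.severity, issue.rule, len(issue.locations), "location(s)")
```

The point worth keeping in mind when reading the Metrics Overview: the raw count grows with every affected line, while the grouped count only grows with distinct vulnerability types, so the same three SQL injection sinks show as one issue but three matches; suppressing one location removes a match without removing the issue.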