# Code Security

Code Security is the **foundational, first line of defense** in OpsMx Delivery Shield's Code-to-Cloud model. It identifies and mitigates vulnerabilities directly within source code — before they propagate into build pipelines, container images, or production systems where remediation becomes exponentially more expensive and complex.

In modern DevOps environments, development teams push code changes continuously through automated CI/CD pipelines. Without robust code security practices embedded at this stage, vulnerabilities — insecure coding patterns, exposed secrets, dependency risks, logic flaws — can easily slip into production undetected.

{% hint style="info" %}
Code Security ensures that security is an integral part of development — not a post-deployment checkpoint.
{% endhint %}

## What Code Security Covers in OpsMx

OpsMx Delivery Shield's Code Security layer goes beyond traditional static analysis. It combines multiple scanning techniques to provide comprehensive visibility into both custom-written code and third-party dependencies:

| Technique                                      | What It Catches                                                                               |
| ---------------------------------------------- | --------------------------------------------------------------------------------------------- |
| **SAST (Static Application Security Testing)** | Insecure coding patterns, injection risks, unsafe API usage — in source code before execution |
| **SCA (Software Composition Analysis)**        | Known CVEs in open-source libraries and third-party dependencies                              |
| **Secrets Detection**                          | Hardcoded API keys, tokens, passwords, and credentials accidentally committed to repositories |
| **License Compliance**                         | Open-source license violations that create legal or compliance risk                           |
| **AI-Generated Code Analysis**                 | Security risks in code produced by AI coding assistants                                       |

## Why Code Security Is Used in OpsMx

The cost of fixing a vulnerability at the code stage is estimated to be **10x–100x lower** than fixing the same vulnerability in production. OpsMx uses Code Security in Delivery Shield to:

* **Shift security left** — embedding checks directly into developer workflows, PR reviews, and CI pipelines — catching issues where they originate, not where they manifest
* **Unify multiple scanners** — Semgrep, SonarQube, Opengrep, Trivy, and Grype all feed into a single dashboard, eliminating tool fragmentation
* **Enforce governance at the code level** — policy-based gates block insecure code from progressing through the pipeline
* **Reduce remediation cost and rework** — developers receive inline findings with actionable fix guidance, not a report delivered weeks later
* **Establish the security baseline** for every downstream stage — container security, runtime protection, and cloud security all build on top of what Code Security establishes at the source

### Key Capabilities in Delivery Shield

**Automated CI/CD Integration**

Code Security checks trigger automatically at pull request creation, merge, and build — giving developers real-time feedback in the tools and workflows they already use: GitHub Actions, GitLab CI, Jenkins, and more.

**Policy-Based Gate Enforcement**

Using the OPA Policy Engine, organizations define which vulnerability severities, license types, or secret patterns constitute a blocking condition — automatically preventing non-compliant code from advancing through the pipeline.
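As an added illustration of such a gate (not OpsMx's own policy, and not its real input schema), the Rego below encodes one organization's blocking conditions: HIGH/CRITICAL SAST or SCA findings without a recorded waiver, a denied dependency license, or any detected secret. The input document shape (`input.findings`, `input.licenses`, `input.secrets`, `input.waivers`) is assumed for the example.

```rego
# Added example, not OpsMx's own policy. The input document shape below
# (findings, licenses, secrets, waivers) is assumed for illustration.
package delivery_shield.code_gate

import rego.v1

default allow := false

# Severities that constitute a blocking condition for SAST and SCA findings.
blocking_severities := {"CRITICAL", "HIGH"}

# Open-source licenses the organization does not permit in shipped code.
denied_licenses := {"GPL-3.0-only", "AGPL-3.0-only"}

# Finding IDs with an approved, recorded exception (empty if none supplied).
waived := {id | some id in object.get(input, "waivers", [])}

# SAST/SCA: block on severity unless this specific finding has been waived.
deny contains msg if {
	some f in input.findings
	f.severity in blocking_severities
	not f.id in waived
	msg := sprintf("%s finding %s is %s", [f.scanner, f.id, f.severity])
}

# License compliance: block on any dependency carrying a denied license.
deny contains msg if {
	some dep in input.licenses
	dep.license in denied_licenses
	msg := sprintf("dependency %s uses denied license %s", [dep.name, dep.license])
}

# Secrets: any detected hardcoded credential blocks, regardless of severity.
deny contains msg if {
	some s in input.secrets
	msg := sprintf("secret matching rule %s found in %s:%d", [s.rule, s.file, s.line])
}

# The gate passes only when no deny reason was produced.
allow if count(deny) == 0
```

Evaluated locally with `opa eval -i findings.json -d gate.rego "data.delivery_shield.code_gate"`, the `deny` set doubles as the list of reasons a developer sees when the pipeline stops.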

**Unified Findings Dashboard**

All Code Security findings — across SAST, SCA, secrets, and license checks — are unified in the Delivery Shield Vulnerability Management page. Developers see a single, prioritized list of issues to fix, not fragmented reports from five different tools.

**Risk-Based Prioritization**

Findings are prioritized by severity, exploitability, and business context — so developers focus on what poses the highest actual risk, not just the longest CVE list.

### Benefits for the User

* **Fix issues in the IDE, not in production** — security findings appear at the earliest possible moment in the developer workflow
* **No tool-switching** — all Code Security results are visible in Delivery Shield alongside artifact, cloud, and runtime findings
* **Developer-friendly guidance** — every finding includes actionable remediation steps, not just severity labels
* **Compliance evidence built in** — code-level findings are logged, traceable, and exportable for audit purposes
