Architecture Overview

DevSecOps Bot by Sttor is built as a cloud-native, multi-tenant DevSecOps platform designed to integrate seamlessly into modern development workflows without disrupting developer velocity. The architecture is modular, scalable, and tool-agnostic, allowing organizations to adopt security incrementally across Code, IaC, Containers, SBOM, Licenses, and Kubernetes.

High-level Architecture Flow

1. Source Control Integration

Currently, DevSecOps Bot integrates with GitHub, with future support planned for Bitbucket, GitLab, and other SCM providers.

Once connected:

  • Every pull request
  • Every commit / push
  • Every branch

is automatically analyzed as part of the CI/CD workflow.

2. CI/CD-first Scanning Engine

DevSecOps Bot runs security scans inside CI/CD, not as a disconnected security tool.

It performs:

  • SAST (Code scanning)
  • SCA (Dependency & License analysis)
  • IaC scanning (Terraform, Dockerfile, etc.)
  • Container image scanning
  • SBOM generation per branch & artifact
  • Kubernetes & runtime posture checks

Scans are:

  • Incremental
  • Branch-aware
  • PR-aware
  • Context-aware (what actually changed)

3. Normalization & Rule Engine

All scan outputs are normalized into a single internal format, regardless of:

  • Scanner
  • Language
  • Framework
  • Runtime

Each finding is mapped to:

  • A Sttor Rule ID (e.g. CODE-0001, IAC-0023, CONTAINER-0102)
  • Severity
  • Category (Code, IaC, Supply Chain, Container, K8s)
  • Branch context
  • Fix status (Open, Fixed, Suppressed)

This ensures:

  • No vendor lock-in
  • Consistent reporting
  • Predictable rule behavior across tools

4. Noise Reduction & Issue Intelligence

DevSecOps Bot is designed to reduce security noise, not amplify it.

Key mechanisms:

  • Issue de-duplication across branches
  • Smart grouping of similar findings
  • Suppression tracking with audit trail
  • Reachability-based dependency analysis
  • Branch-level and PR-level comparison

This prevents developers from seeing the same issue repeatedly across scans.
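The normalization and de-duplication described in sections 3 and 4, shown as an added illustration rather than Sttor's own code or schema: two constructed raw records in different scanner shapes are mapped to one finding structure carrying a rule id, severity, category, branch and fix status, then grouped by a branch-independent fingerprint so the same issue on several branches surfaces once. The field names, rule-id mapping and severity mapping are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, asdict
from typing import Dict, Iterable

# Hypothetical internal finding schema modelled on the fields the page lists.
# Constructed for illustration; it is not the platform's real format.
@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    category: str
    branch: str
    path: str
    message: str
    status: str = "Open"  # Open, Fixed or Suppressed

    def fingerprint(self) -> str:
        """Identity that deliberately excludes branch and status, so the same
        issue found on two branches collapses into one entry."""
        raw = f"{self.rule_id}|{self.path}|{self.message}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]

# Constructed raw outputs imitating two different scanner shapes.
RAW_SAST = [{"check_id": "hardcoded-password", "level": "error",
             "file": "app/db.py", "msg": "Hardcoded credential"}]
RAW_IAC = [{"rule": "S3_PUBLIC_READ", "sev": "MEDIUM",
            "resource": "infra/s3.tf", "desc": "Bucket allows public read"}]

# Hypothetical scanner-native id -> (Sttor-style rule id, category). Constructed values.
RULE_MAP = {"hardcoded-password": ("CODE-0001", "Code"),
            "S3_PUBLIC_READ": ("IAC-0023", "IaC")}
SEVERITY_MAP = {"error": "High", "warning": "Medium",
                "HIGH": "High", "MEDIUM": "Medium", "LOW": "Low"}

def normalize(raw: dict, scanner: str, branch: str) -> Finding:
    """Map one raw record from a named scanner into the shared Finding schema."""
    if scanner == "sast":
        native, sev, path, msg = raw["check_id"], raw["level"], raw["file"], raw["msg"]
    elif scanner == "iac":
        native, sev, path, msg = raw["rule"], raw["sev"], raw["resource"], raw["desc"]
    else:
        raise ValueError(f"unknown scanner: {scanner}")
    rule_id, category = RULE_MAP[native]
    return Finding(rule_id, SEVERITY_MAP[sev], category, branch, path, msg)

def dedupe_across_branches(findings: Iterable[Finding]) -> Dict[str, dict]:
    """Group by fingerprint; each entry keeps one finding plus every branch it was seen on."""
    grouped: Dict[str, dict] = {}
    for f in findings:
        entry = grouped.setdefault(f.fingerprint(), {"finding": asdict(f), "branches": set()})
        entry["branches"].add(f.branch)
    return {fp: {"finding": v["finding"], "branches": sorted(v["branches"])}
            for fp, v in grouped.items()}
```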

5. AI-Assisted AutoFix (CI-level)

For supported rule categories, DevSecOps Bot can:

  • Suggest context-aware fixes
  • Generate patch-ready remediation
  • Propose fixes directly in CI

This enables:

  • Faster remediation
  • Reduced manual effort
  • Security fixes without breaking builds

6. Centralized Platform & Dashboard

All results are consolidated into the DevSecOps Bot platform, providing:

  • Repo-level visibility
  • Branch-level history
  • Rule-level breakdown
  • Compliance-ready reporting (SOC2, PCI, RBI, NIST, CIS – upcoming)

Tenants can use:

  • Custom domains
  • Role-based access
  • Centralized configuration

Key Architectural Principles

| Principle | Description |
| --- | --- |
| CI-first | Security runs where developers already work. |
| Modular | Code, IaC, Containers, K8s are independent but unified. |
| Branch-aware | Findings track across branches and PRs. |
| Tool-agnostic | No forced dependency on one scanner. |
| Scalable | Designed for startups to enterprises. |
| Multi-tenant | One platform, isolated tenant data. |

Security & Trust Model

Security is foundational to DevSecOps Bot by Sttor. The platform is designed with security-by-default principles across infrastructure, data, and execution layers.

Tenant Isolation

  • Each tenant represents an organization
  • Tenant data is logically isolated
  • Scan results, secrets, and reports are never shared across tenants
  • Custom domains are supported for tenant-specific access

Credential & Secret Handling

  • SCM tokens (e.g. GitHub) are securely stored
  • Webhook secrets are validated on every event
  • No source code is permanently stored unless required for scanning
  • Secrets detected during scans are masked in UI and logs
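Validating a webhook secret on every event, as described above, works on GitHub by recomputing an HMAC-SHA256 over the raw request body and comparing it with the X-Hub-Signature-256 header. The following is an added example of that check and is not the platform's code; the secret and request body are constructed values.

```python
import hmac
import hashlib
from typing import Optional

def sign_payload(secret: bytes, body: bytes) -> str:
    """Produce the value GitHub sends in X-Hub-Signature-256:
    'sha256=' followed by the hex HMAC-SHA256 of the raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Return True only if the header is present, uses the sha256 scheme and
    matches the digest of the exact bytes received.

    The body must be the raw bytes as received, not re-serialized JSON, or the
    digest will differ. hmac.compare_digest runs in constant time, so a failed
    comparison does not reveal how many leading characters matched."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, signature_header)

# Constructed sample secret and minimal push-event body (not real values).
SECRET = b"example-webhook-secret"
BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"example/repo"}}'
```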

Scan Execution Model

DevSecOps Bot supports:

  • Cloud-hosted scanning
  • On-prem / self-hosted deployment mode (documented separately)

This allows organizations to:

  • Keep code and artifacts within their network
  • Control outbound access
  • Meet strict compliance or regulatory requirements

Data Handling & Retention

  • Scan outputs are stored in structured, compressed formats
  • Branch-level and historical scans are preserved for auditability
  • SBOMs are generated per branch and per artifact
  • Retention policies can be applied per tenant

Compliance-Ready by Design

The platform is designed to support:

  • SOC 2 reporting for application security controls
  • PCI DSS secure coding & dependency requirements
  • RBI / financial security expectations
  • CIS benchmarks for containers & Kubernetes

Compliance reports are generated from actual scan evidence, not checklists.

Platform Hardening

  • HTTPS enforced across the platform
  • Secure headers and access controls
  • Continuous internal security testing
  • Controlled access to admin and tenant operations

Trust Philosophy

DevSecOps Bot follows a simple trust principle:

Security tooling must not become a security risk itself.

That’s why:

  • No unnecessary data is collected
  • No forced external data sharing
  • No opaque scoring systems
  • Full transparency on findings and rules