Sttor Code Overview
Sttor Code is the "code security" layer inside DevSecOps Bot by Sttor. It continuously scans source code and pull requests to find and fix security issues early, reduce noise, and produce compliance-ready outputs.
What Sttor Code scans
Sttor Code focuses on security and compliance signals that come directly from your repositories:
- SAST (Application Security): insecure code patterns and risky data flows, using language-aware analysis.
- SCA (Dependencies): vulnerable third-party libraries and transitive dependency risk, including reachability analysis where it is available.
- Secrets Detection: credentials and tokens accidentally committed to code.
- IaC Security (when enabled in Sttor Code scope): misconfigurations in Terraform, OpenTofu, Kubernetes manifests, Dockerfiles, and similar.
- License Compliance (when enabled in Sttor Code scope): identifies each dependency's license (e.g., Apache, MIT, GPL/AGPL) and checks it against your policy.
- SBOM (Branch-level): an SBOM is generated per branch for traceability and reporting.
- Reports (planned/expanding): mappings from findings to SOC 2, PCI DSS, RBI framework, and NIST controls.
Note: Sttor Code currently supports GitHub; Bitbucket and GitLab support is planned.
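The Secrets Detection bullet above names the scan but does not show what such a check looks like. The following is an added example, not Sttor's code: a minimal scanner for the added lines of a pull-request diff that combines known-format patterns (AWS access key IDs, GitHub personal access tokens) with a Shannon-entropy check on credential-looking assignments, so that placeholder values such as "changeme" are not reported. The sample diff lines, the rule set, and the entropy threshold of 3.5 bits are constructed for illustration; the AWS key ID used is AWS's published example value.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample diff lines standing in for a pull-request hunk.
# None of these are real credentials; the AKIA... value is AWS's documented example.
SAMPLE_LINES = [
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+github_token = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"',
    '+db_password = "changeme"',
    '+API_KEY = "s3cr3tK3yV4lu3W1thH1ghEntr0py9Qz"',
    '+version = "1.2.3"',
    '+# TODO: move secret to vault',
]

# Known-format rules: these token shapes are specific enough to report on sight.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic rule: an assignment whose name suggests a credential and whose
# quoted value is at least 8 characters. The value is only reported if its
# entropy is high; short dictionary-like placeholders are dropped as noise.
ASSIGNMENT = re.compile(
    r"""(?i)\b(\w*(?:secret|token|password|passwd|api[_-]?key)\w*)\s*[=:]\s*["']([^"']{8,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this example


@dataclass
class Finding:
    line_no: int
    rule: str
    snippet: str  # redacted, never the full value


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding is identifiable without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(lines, entropy_threshold: float = ENTROPY_THRESHOLD):
    """Scan added diff lines ('+' prefix) and return a list of Finding objects."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if not line.startswith("+"):
            continue  # only newly added content is judged here
        body = line[1:]
        matched = False
        for rule, pattern in PATTERN_RULES.items():
            for match in pattern.finditer(body):
                findings.append(Finding(line_no, rule, redact(match.group(0))))
                matched = True
        if matched:
            continue  # a format-specific hit already covers this line
        m = ASSIGNMENT.search(body)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append(Finding(line_no, "high-entropy-assignment", redact(m.group(2))))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
```

Run against the constructed lines, the scanner reports the AWS key ID on line 1, the GitHub token on line 2, and the high-entropy API key on line 4, while `db_password = "changeme"` (entropy 2.75 bits) and the comment mentioning "secret" produce no finding. A production scanner would also cover git history rather than only added lines, since a secret removed in a pull request remains in earlier commits.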
Execution model
Sttor Code is designed to work in CI-like workflows without forcing teams to change how they develop:
Triggers
- Automatic scans on every Pull Request and every push (based on your configured GitHub connection and scan settings).
- On-demand branch scans from the UI (useful for baselines, audits, and periodic checks).
Where scanning runs
You can run scanning in multiple modes:
- Sttor-hosted scanning (SaaS) for fast onboarding.
- Enterprise / in-house scanner for regulated environments (the scanner can run on-prem).
Where data is stored
- Tenant data is stored in an S3-compatible bucket you own; enterprise deployments can host that bucket in-house.
- Sttor does not retain tenant scan data itself; the platform reads and writes only through the storage boundary you configure.