Skip to content

Sttor Documentation

Appearance

Sidebar Navigation

Homepage

Introduction

What is DevSecops

Platform scope

How Sttor is different

Architecture overview

Security & trust model

Getting Started

Create a tenant

Custom domain setup

User roles & access

Connecting GitHub

First pull request scan

First branch scan

Core Concepts

Tenant model

Repositories & branches

Scan types (PR vs Branch)

Issues vs rules vs alerts

Severity, score & grades

CI vs posture vs runtime

SBOM scope & lifecycle

AI assistance (scope & safety)

Sttor Code

Overview

What Sttor Code scans

Execution model

Scan Types

Pull Request scans

Branch scans

Security Domains

SAST (Application Security)

Overview

Java

Python

Go

Rust

JavaScript / TypeScript

Other languages

SCA (Dependencies)

Overview

Dependency discovery

Vulnerability detection

Reachability analysis

Remediation strategy

Secrets Detection

Overview

API keys & tokens

Cloud credentials

Suppressions & rotation

IaC Security

Overview

Terraform

OpenTofu

AWS CDK

Dockerfile

Kubernetes manifests

Other IaC formats

License Compliance

Overview

Apache License

MIT License

GPL

AGPL

BSD

Restricted & custom licenses

Issue Management

Issue lifecycle

Status & resolution

Suppressions & exceptions

Historical tracking

SBOM

Branch-level SBOM

What is included

Export formats

Reports & Compliance

Overview

SOC 2

PCI DSS

RBI Cyber Security Framework

NIST

Rule Catalog

Overview

Rule naming & IDs

SAST Rules

Java rules

Python rules

Go rules

Rust rules

JS/TS rules

Ruby rules

C and C++ rules

PHP rules

Cairo rules

Scala rules

Swift rules

Solidity rules

C# rules

SCA Rules

Secrets Rules

IaC Rules

Terraform rules

Dockerfile rules

Kubernetes rules

CloudFormation rules

ARM rules

Serverless rules

Other rules

License Rules

Apache

MIT

GPL

AGPL

Custom policies

Sttor Containers

Overview

CI image scanning

GitHub Actions setup

Vulnerability detection

Secrets in images

Image SBOM

CIS Docker Benchmark

Policies & blocking

Sttor Kubernetes

Overview

Cluster onboarding

Posture management

Access Analyzer

Runtime detection

Image inventory

Scoring & grading

CIS Kubernetes Benchmark

Reports & Compliance

Overview

Code compliance

SOC 2

PCI DSS

RBI

NIST

Container compliance

CIS Docker

Kubernetes compliance

CIS Kubernetes

Administration

Users & roles

Invitations & lifecycle

Tenant settings

Custom domain

Tokens & secrets

Notifications (Slack)

Data retention

Deployment Models

SaaS deployment

On-Prem Deployment

Overview

Architecture

Network & data flow

Security boundaries

Upgrade strategy

Responsibilities

Integrations

GitHub

Slack

Bitbucket (planned)

GitLab (planned)

Reference

Rule taxonomy

Severity definitions

SBOM formats

Compliance mappings

Glossary

On this page

AWS CDK

What’s scanned

CDK project definitions (language-based IaC) and generated or defined infrastructure patterns
High-risk configurations: public endpoints, wide permissions, missing encryption/logging

How to think about CDK scanning

CDK is code-driven IaC; issues are still raised as IaC Security findings and tied to your rules, not just code smells.

Pager

Previous pageOpenTofu

Next pageDockerfile

Copyright © 2026 Sttor