🛡️ Developer Security Platform

CodeFence Documentation

Unified security scanning for secrets, dependencies, code, IaC, and containers — at 75% lower cost than Snyk + GitGuardian combined.

⚡ Quickstart

Get up and running in under 2 minutes.

1. Create an account

Sign up at codefence.cc. Free tier includes 3 repos with secrets and dependency scanning.

2. Connect a repository

Go to Repositories → Connect Repo. Paste your repo URL and an optional Personal Access Token for private repos.

ℹ️ For GitHub, generate a token at Settings → Developer settings → Personal access tokens with repo scope.

3. Run a scan

Click Scan Now on any repo. CodeFence runs all enabled scanners in parallel and shows results within minutes.

4. Review findings

Click View Findings to see all issues sorted by severity. Each finding includes a description, CWE reference, and AI-powered fix suggestion.

🔗 Connect a Repo

CodeFence supports GitHub, GitLab, Bitbucket, and Azure DevOps.

GitHub (recommended)

Use Browse GitHub to pick repos from your account directly — CodeFence lists all repos accessible with your PAT and lets you connect multiple at once.

Manual connection

Click Connect Repo and fill in:

  • URL — full HTTPS clone URL (e.g. https://github.com/org/repo)
  • Name — display name
  • Provider — GitHub / GitLab / Bitbucket / Azure DevOps
  • Access Token — required for private repos

Repo Tags

Tag repos with labels like production, customer-facing, or internal to filter by environment. The dashboard shows the average security score per tag group.

🔍 Running Scans

CodeFence runs 5 scanner types in parallel. Each produces a scan job you can track in real-time via the progress modal.

Scanner      | What it finds                          | Underlying tool
-------------|----------------------------------------|--------------------------------
Secrets      | API keys, tokens, passwords in code    | Custom patterns (200+)
Dependencies | CVEs in npm, pip, go, maven, cargo     | OSV.dev + NVD + GitHub Advisory
Code (SAST)  | Injection, XSS, auth flaws, logic bugs | Semgrep
IaC          | Terraform, K8s, Dockerfile misconfigs  | Checkov
Containers   | OS + package CVEs in Docker images     | Trivy

Scheduled Scans

Set a scan schedule per repo under Settings → Repos → Schedule: none, daily, or weekly.

🔑 Secrets Scanner

CodeFence detects 200+ secret types including AWS keys, GitHub tokens, Stripe secrets, database URLs, private keys, and more.

Live Validity Checking

For supported providers (AWS, GitHub, Stripe), CodeFence tests if a detected key is still active — not just pattern-matched. This eliminates false positives from expired demo keys.

Entropy-based detection

High-entropy strings that don't match a known pattern are flagged as possible generic secrets.
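The two detection strategies described in this section (known-format patterns first, an entropy fallback for values that match no pattern) can be shown in a few dozen lines. The following is an added illustration, not CodeFence's scanner or its rule set: the regexes are constructed approximations of a handful of well-known key formats, the entropy threshold and minimum length are assumed tuning values, and every credential in the sample file is a fake documentation value.

```python
import math
import re

# Constructed approximations of a few well-known key formats. They are not
# CodeFence's rule set; a production scanner ships hundreds of such rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Entropy detector tuning (assumed values): only values at least this long and
# this random are reported, which keeps ordinary words and identifiers out.
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 4.0  # bits per character

# "secret-looking variable = value" assignments in source or config files.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|token|key|password|passwd|pwd)[A-Z0-9_]*)"
    r"\s*[:=]\s*[\"']?([A-Za-z0-9+/=_\-]{12,})[\"']?"
)


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> list[dict]:
    """Known patterns win; the entropy check only runs when no pattern matched."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(line):
            findings.append({"type": name, "match": m.group(0), "method": "pattern"})
    if findings:
        return findings
    for m in ASSIGNMENT.finditer(line):
        variable, value = m.group(1), m.group(2)
        ent = shannon_entropy(value)
        if len(value) >= ENTROPY_MIN_LEN and ent >= ENTROPY_THRESHOLD:
            findings.append({"type": "generic_high_entropy", "match": value,
                             "method": "entropy", "entropy": round(ent, 2),
                             "variable": variable})
    return findings


def scan_text(text: str) -> list[dict]:
    """Scan a whole file, tagging each finding with its 1-based line number."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for f in scan_line(line):
            f["line"] = lineno
            out.append(f)
    return out


# Constructed sample file; every value below is a fake/documentation value.
SAMPLE_SOURCE = """\
# constructed sample file; every value below is fake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
api_key = "placeholder_placeholder"
password = "aaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(finding["line"], finding["type"], finding["method"])
```

Lines 2 and 4 are caught by format patterns; line 3 has no recognisable prefix but its 40-character value scores about 4.7 bits per character, so the entropy fallback reports it. The `placeholder_placeholder` and `aaaa…` values stay below the threshold, which is the point of the length and entropy floors: without them, every long config value becomes a finding.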

Secret Revocation workflow

When a secret is found, CodeFence tracks its revocation status: active → revoked → rotated. Update the status after you've rotated the credential.

📦 Dependency Scanner

Scans lockfiles and manifests for known vulnerabilities using three data sources.

Data Source     | Coverage
----------------|--------------------------------------------
OSV.dev         | Cross-ecosystem open-source vulnerabilities
NVD (NIST)      | CVSS scores for CVEs
GitHub Advisory | Ecosystem-specific advisories

EPSS Scores

Each vulnerability shows an EPSS score (Exploit Prediction Scoring System) — the probability that it will be exploited in the wild in the next 30 days. This helps you prioritise fixes beyond just CVSS severity.
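To make "prioritise beyond CVSS" concrete, here is an added example (not CodeFence's ranking logic) that ranks findings by a tier derived from both scores. The thresholds are assumed policy values for the illustration, and the vulnerability identifiers are constructed placeholders rather than real CVEs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    ref: str        # constructed identifier, not a real CVE
    package: str
    cvss: float     # CVSS base score 0.0-10.0 (what NVD supplies)
    epss: float     # EPSS probability 0.0-1.0 of exploitation within 30 days


# Assumed policy thresholds for this example; not CodeFence's policy.
EPSS_ACTIONABLE = 0.10
CVSS_HIGH = 7.0
CVSS_CRITICAL = 9.0

TIERS = {0: "fix now", 1: "fix this sprint", 2: "schedule", 3: "backlog"}


def tier(v: Vuln) -> int:
    """Combine likelihood (EPSS) with impact (CVSS) into a remediation tier."""
    if v.epss >= EPSS_ACTIONABLE and v.cvss >= CVSS_HIGH:
        return 0            # likely to be exploited and serious if it is
    if v.epss >= EPSS_ACTIONABLE or v.cvss >= CVSS_CRITICAL:
        return 1            # either actively exploited or catastrophic on paper
    if v.cvss >= CVSS_HIGH:
        return 2
    return 3


def rank(vulns):
    """Order by tier, then by exploit likelihood, then by severity."""
    return sorted(vulns, key=lambda v: (tier(v), -v.epss, -v.cvss))


def cvss_only_rank(vulns):
    """The naive ordering most dashboards default to, for comparison."""
    return sorted(vulns, key=lambda v: -v.cvss)


def summary(vulns):
    return [(v.ref, TIERS[tier(v)]) for v in rank(vulns)]


# Constructed findings: two "critical" CVSS scores with very different EPSS.
SAMPLE = [
    Vuln("VULN-A", "libfoo", cvss=9.8, epss=0.004),
    Vuln("VULN-B", "libbar", cvss=9.8, epss=0.97),
    Vuln("VULN-C", "libbaz", cvss=6.5, epss=0.42),
    Vuln("VULN-D", "libqux", cvss=5.3, epss=0.001),
]

if __name__ == "__main__":
    for ref, action in summary(SAMPLE):
        print(ref, action)
```

Sorting by CVSS alone puts VULN-A and VULN-B side by side at the top; with EPSS in the mix, VULN-B (97% exploitation probability) goes first and the medium-severity VULN-C, which is being exploited far more than the paper-critical VULN-A, moves ahead of it.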

License Detection

CodeFence flags copyleft licenses (GPL, AGPL, LGPL) that may create legal obligations, alongside permissive ones (MIT, Apache, BSD).

💻 Code Scanner (SAST)

Static analysis powered by Semgrep, covering Python, JavaScript/TypeScript, Go, Ruby, Java, and more.

Detects: SQL injection, XSS, SSRF, insecure deserialization, hardcoded credentials, weak crypto, auth bypass, and 1000+ other patterns.

AI Fix Suggestions

Every code finding includes a Claude-powered fix suggestion with an explanation of the vulnerability and the corrected code snippet.

False Positive Management

Mark any finding as a false positive with a reason. Marked findings are excluded from future scans and your security score calculation.

🏗️ IaC Scanner

Checks Terraform, Kubernetes manifests, Dockerfiles, and CloudFormation templates using Checkov.

Common findings: public S3 buckets, missing encryption, open security groups, privileged containers, missing resource limits, insecure network policies.

📦 Container Scanner

Scans Docker images for OS-level CVEs and installed package vulnerabilities using Trivy.

You can scan:

  • Filesystem scan — scans the repo's filesystem for container-related vulnerabilities
  • Custom image — specify an image name (e.g. nginx:1.25, node:20-alpine)

⛓️ Supply Chain

Detects three categories of supply chain attacks:

Type                 | Description
---------------------|---------------------------------------------------------------------------------
Typosquatting        | Package names similar to popular libraries (e.g. requrests vs requests)
Dependency Confusion | Internal package names that could be hijacked on public registries
Suspicious packages  | Packages with install scripts, low download counts, or recent ownership changes
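The first two rows of the table above can be checked mechanically against a dependency list. The following added example is not CodeFence's detector: it uses a constructed list of popular package names, a constructed set of internal package names and a constructed snapshot of what exists on the public registry. Typosquats are found with an edit distance that counts adjacent transpositions as one edit; dependency confusion is flagged when a name that should only live on the private index is also present on the public one.

```python
import re

# Constructed reference data. A real scanner would use the registry's own
# popularity data and the organisation's private index listing.
POPULAR = {"requests", "urllib3", "numpy", "boto3", "cryptography", "django", "flask"}
INTERNAL_NAMES = {"acme-billing", "acme-auth"}                    # private-index only
PUBLIC_INDEX_SNAPSHOT = POPULAR | {"requrests", "acme-billing"}   # seen on the public registry


def normalize(name: str) -> str:
    """PyPI-style normalisation: Requests, REQUESTS and requests compare equal,
    and Foo_Bar, foo.bar and foo-bar all become foo-bar."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so reqeusts -> requests is one edit like requrests -> requests."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit(deps, popular=POPULAR, internal=INTERNAL_NAMES,
          public_index=PUBLIC_INDEX_SNAPSHOT, max_distance=1):
    """Return supply-chain findings for a list of declared dependency names."""
    findings = []
    for dep in deps:
        name = normalize(dep)
        lookalikes = sorted(p for p in popular
                            if p != name and osa_distance(name, p) <= max_distance)
        if lookalikes:
            findings.append({"package": dep, "issue": "typosquatting",
                             "similar_to": lookalikes})
        if name in internal and name in public_index:
            findings.append({"package": dep, "issue": "dependency_confusion"})
    return findings


# Constructed manifest: one typosquat, one confusable internal name, two fine.
SAMPLE_DEPENDENCIES = ["requests", "requrests", "acme-billing", "acme-auth", "NumPy"]

if __name__ == "__main__":
    for f in audit(SAMPLE_DEPENDENCIES):
        print(f)
```

`acme-auth` is internal but absent from the public snapshot, so it is not reported; `acme-billing` is reported because a same-named public package would win version resolution on a client configured with both indexes. The distance cutoff of one edit is deliberately strict; raising it catches more lookalikes at the cost of false positives between genuinely distinct short names.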

🍯 Honeytokens

Honeytokens are fake credentials that look real. If an attacker steals them and tries to use them, CodeFence alerts you immediately — giving you early breach detection.

⚠️ Honeytokens require a Pro plan or higher.

How to use

  1. Generate a honeytoken from the Honeytokens page
  2. Place it in a config file, environment variable, or database record
  3. If it's ever used, CodeFence sends an alert via Slack/email

Available types: AWS-style keys, GitHub tokens, generic API keys.

🔧 Auto-Remediation PRs

CodeFence can create pull requests that actually fix the issue — not just flag it.

Supported remediations:

  • Dependency version bumps (upgrades to patched version)
  • Secret removal / placeholder replacement
  • IaC misconfiguration fixes (encryption, public access, etc.)

Requires a connected GitHub integration with write access to the repo.

🎯 PR Risk Score

Every pull request gets a 0–100 risk score computed from the files changed, new dependencies introduced, secrets detected, and historical vulnerability patterns in the changed code.

The score appears as a badge in the GitHub PR checks. High-risk PRs (score > 70) block merging until reviewed.

📋 Compliance Mapping

CodeFence maps your findings to security framework controls:

Framework     | Controls mapped
--------------|--------------------
SOC 2 Type II | CC6, CC7, CC8, A1
ISO 27001     | A.12, A.14, A.18
PCI DSS v4    | Req 6, 7, 8, 10
NIST CSF      | ID.RA, PR.IP, DE.CM

Export a compliance evidence PDF from Dashboard → Compliance → Export PDF. Required by auditors for SOC 2 and ISO 27001 certification.

📄 SBOM Generation

CodeFence generates a Software Bill of Materials in two formats:

  • SPDX — Linux Foundation standard, required by US Executive Order 14028
  • CycloneDX — OWASP standard, widely supported by security tooling

Download from Repos → [repo] → Download SBOM. Requires Pro plan.
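To show what a CycloneDX document actually contains, here is an added example that builds a minimal one from a pinned Python requirements file. It is not CodeFence's SBOM generator: the requirements file is constructed, the hash in it is an all-zero placeholder, and the generator covers only the fields needed for a valid, useful component list (name, version and a package URL per dependency).

```python
import re
import uuid
from datetime import datetime, timezone

# name[extras]==version ; extras are accepted but not recorded
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([A-Za-z0-9.+!*-]+)$")


def normalize_name(name: str) -> str:
    """PyPI/purl name normalisation: lowercase, runs of - _ . collapsed to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned_requirements(text: str):
    """Return (declared_name, version) pairs. Comments, blank lines, environment
    markers and pip options (--hash, --index-url, ...) are skipped. An unpinned
    spec is an error: an SBOM must state the exact version that ships."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip().rstrip("\\").strip()
        if not line or line.startswith("-"):
            continue
        m = PIN.match(line)
        if not m:
            raise ValueError(f"requirement is not pinned with ==: {line!r}")
        deps.append((m.group(1), m.group(2)))
    return deps


def build_cyclonedx(requirements: str, app_name: str, app_version: str = "0.0.0") -> dict:
    """Build a CycloneDX 1.5 JSON document (as a dict) for a Python application."""
    components = []
    for name, version in parse_pinned_requirements(requirements):
        purl = f"pkg:pypi/{normalize_name(name)}@{version}"
        components.append({"type": "library", "bom-ref": purl,
                           "name": name, "version": version, "purl": purl})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": components,
    }


# Constructed, pinned requirements file; the hash value is a placeholder.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
requests==2.31.0
urllib3==2.2.1
PyYAML==6.0.1 ; python_version >= "3.8"
cryptography==42.0.5 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    import json
    print(json.dumps(build_cyclonedx(SAMPLE_REQUIREMENTS, "demo-app", "1.0.0"), indent=2))
```

The purl is what downstream tooling keys on when matching components against vulnerability feeds such as OSV.dev, which is why the name in it is normalised while the declared name is kept as written. Refusing unpinned specs is deliberate: a bill of materials built from `>=` ranges describes what might be installed, not what was.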

🔔 Alerts

Get notified the moment a new vulnerability is found. Configure alerts under Settings → Alerts.

Channels

  • Slack — webhook-based, configure in Settings → Integrations
  • Email — per-user notification preferences

Alert filters

Configure minimum severity, finding type, and specific repos to avoid alert fatigue.

🐙 GitHub Integration

The GitHub integration enables:

  • Automatic webhook scanning on push and pull request events
  • PR risk score badge in checks
  • SARIF upload to GitHub Security tab
  • Auto-remediation PR creation

Setup

  1. Go to Settings → Integrations → GitHub
  2. Enter your GitHub Personal Access Token with repo and security_events scopes
  3. CodeFence registers a webhook on your repo automatically

🦊 GitLab Integration

Similar to GitHub — CodeFence registers a webhook on push and merge request events. Requires a GitLab PAT with api scope.

💬 Slack Integration

  1. Create an Incoming Webhook in your Slack workspace
  2. Paste the webhook URL in Settings → Integrations → Slack
  3. Click Send Test Alert to verify connectivity

Alerts are formatted with severity, finding type, repo name, and a direct link to the finding.

🔌 REST API

The full API is available at https://codefence.cc/api/v1/.

Interactive docs (Swagger UI) at codefence.cc/api/v1/docs.

Authentication

curl -X POST https://codefence.cc/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"..."}' \
  | jq .access_token

Then pass the token as a Bearer header:

curl https://codefence.cc/api/v1/repos \
  -H "Authorization: Bearer <token>"

Trigger a scan via API

curl -X POST https://codefence.cc/api/v1/scans/dependency \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"repo_id": "<uuid>", "branch": "main"}'
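The three curl calls above form one flow: log in, keep the token, send it as a Bearer header on every later call. The following added example wraps that flow in a small standard-library client; it is not an official CodeFence SDK. The endpoints and request bodies are the ones shown above; the response shapes of `/repos` and `/scans/dependency` are assumptions, and the `fake_send` stub and its repo id are constructed so the flow can run offline.

```python
import json
import os
import urllib.request

BASE_URL = "https://codefence.cc/api/v1"


class CodeFenceClient:
    """Login -> bearer token -> trigger a scan, using only the standard library.

    `send` takes a urllib Request and returns the decoded JSON body. The default
    performs the real HTTPS call; tests and dry runs can inject a stub instead.
    """

    def __init__(self, base_url=BASE_URL, send=None):
        self.base_url = base_url.rstrip("/")
        self.token = None
        self._send = send or self._http_send

    @staticmethod
    def _http_send(req):
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def _request(self, method, path, body=None, auth=True):
        headers = {"Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode("utf-8")
        if auth:
            if not self.token:
                raise RuntimeError("call login() before authenticated endpoints")
            headers["Authorization"] = f"Bearer {self.token}"
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=headers, method=method)
        return self._send(req)

    def login(self, email, password):
        resp = self._request("POST", "/auth/login",
                             {"email": email, "password": password}, auth=False)
        self.token = resp["access_token"]
        return self.token

    def list_repos(self):
        return self._request("GET", "/repos")

    def trigger_dependency_scan(self, repo_id, branch="main"):
        return self._request("POST", "/scans/dependency",
                             {"repo_id": repo_id, "branch": branch})


FAKE_TOKEN = "constructed-token"
FAKE_REPO_ID = "00000000-0000-4000-8000-000000000000"   # constructed UUID


def fake_send(req):
    """Constructed stand-in for the API so the flow runs offline. It enforces the
    bearer header the way the real service would; response shapes are assumed."""
    path = req.selector[len("/api/v1"):]
    body = json.loads(req.data) if req.data else None
    if path == "/auth/login" and req.get_method() == "POST":
        return {"access_token": FAKE_TOKEN}
    if req.get_header("Authorization") != f"Bearer {FAKE_TOKEN}":
        raise PermissionError("401: missing or invalid bearer token")
    if path == "/repos" and req.get_method() == "GET":
        return [{"id": FAKE_REPO_ID, "name": "demo-repo"}]
    if path == "/scans/dependency" and req.get_method() == "POST":
        return {"scan_id": "constructed-scan-id", "status": "queued",
                "repo_id": body["repo_id"], "branch": body["branch"]}
    raise ValueError(f"unexpected call: {req.get_method()} {path}")


def run_flow(send=fake_send, email="dev@example.com", password="constructed-password"):
    """Log in, pick the first repo, and queue a dependency scan on its main branch."""
    client = CodeFenceClient(send=send)
    client.login(email, password)
    repo_id = client.list_repos()[0]["id"]
    return client.trigger_dependency_scan(repo_id)


def unauthenticated_call_is_rejected(send=fake_send) -> bool:
    """The client refuses to send an authenticated request without a token."""
    try:
        CodeFenceClient(send=send).list_repos()
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    # Against the real service, credentials come from the environment, never from code.
    if os.environ.get("CODEFENCE_EMAIL") and os.environ.get("CODEFENCE_PASSWORD"):
        print(run_flow(send=None, email=os.environ["CODEFENCE_EMAIL"],
                       password=os.environ["CODEFENCE_PASSWORD"]))
    else:
        print(json.dumps(run_flow(), indent=2))
```

Run as-is it exercises the stub; with `CODEFENCE_EMAIL` and `CODEFENCE_PASSWORD` set it talks to the live API. Keeping the transport injectable is what makes the token handling testable without a network, and keeping credentials out of the source is what keeps this script from becoming one of the secrets scanner's own findings.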

💰 Pricing

CodeFence is priced per developer per month — not per repo, not per finding.

Free: $0, forever
  • 3 repos
  • Secrets scanning
  • Dependency scanning
  • Community support

Team: $25/dev/month
  • Everything in Pro
  • Multi-user org
  • SSO / RBAC
  • Audit logs
  • Org reporting

Enterprise: custom pricing, contact us
  • Everything in Team
  • Self-hosted option
  • SLA
  • Dedicated support

📊 Plan Comparison

Feature      | Free | Pro       | Team
-------------|------|-----------|----------
Repositories | 3    | Unlimited | Unlimited
Secrets scanning
Dependency scanning
Code (SAST)
IaC scanning
Container scanning
Supply chain
Honeytokens
Auto-remediation PRs
PR risk scores
Compliance mapping
SBOM export
Slack alerts
Custom rules
Multi-user org
SSO / RBAC
Audit logs
AI fix suggestions
EPSS scores

Questions? Email [email protected] or start free today.