Read a finding, fix it, ship.
The marketing page /security covers what the gate does. This page is the practical one — what to do when a deploy comes back FAILED with a security block.
The eight checks
All eight run in parallel before the build starts. The first six are always blocking; CVE is conditional; RLS is informational.
| Tool | Category | Severity | Gate | Note |
|---|---|---|---|---|
| gitleaks | SECRETS | CRITICAL | BLOCK | AWS/GitHub/Stripe keys, private keys, OAuth secrets accidentally committed. |
| semgrep · coday-injection-* | INJECTION | CRITICAL | BLOCK | Raw SQL with req.* interpolation, $queryRawUnsafe with concat, exec/spawn with request input. |
| semgrep · coday-ssrf-* | SSRF | HIGH | BLOCK | fetch/axios URL coming from req.body/query/params/headers. |
| semgrep · coday-react-* / dom-* / eval-* | XSS | HIGH | BLOCK | dangerouslySetInnerHTML, innerHTML writes, eval, new Function. |
| semgrep · coday-auth-* | AUTH | CRITICAL | BLOCK | Exported Next.js API route handler with no recognized auth/session call. |
| semgrep · coday-env-* | ENV | CRITICAL | BLOCK | process.env values written to console, returned in API response, or thrown in Error. |
| pnpm/npm audit | CVE | CRITICAL (blocking case) | CRITICAL + published fix → BLOCK; others → WARN | Critical advisories with a published patched version block; everything else surfaces as a warning. |
| coday-rls | RLS | LOW | WARN | Heuristic FK / multi-tenant column scan in prisma/schema.prisma. Warn-only. |
When a deploy is blocked
1. The deploy row on Project → Deployments shows FAILED with an error of the form SECURITY_SCAN_BLOCK[scanId]: N blocking finding(s). An N blocking button appears on the row.
2. Click it (or open Project → Security directly). The scan is selected automatically. Blocking findings appear at the top; informational and already-acknowledged findings below.
3. Each finding has the file path + line, the matched rule, a one-line message, and a remediation suggestion. Fix it in your repo and push — the next deploy re-scans.
4. If the finding is a false positive (or intentionally accepted), click Acknowledge. Coday requires a short reason (saved to the audit log). The next scan keeps the same finding visible but downgrades it from BLOCK to WARN, and the deploy proceeds.
Repo-side opt-out (.codayignore)
For patterns you know should never trip a rule, commit a .codayignore file at your repo root. Each line follows the format tool/rule-id: path-glob # optional reason — matched findings are auto-acknowledged with ackedBy = __codayignore__ for the audit trail.
```
# Placeholder secrets in fixtures
gitleaks/generic-api-key: tests/fixtures/**
# Sanitized HTML in our blog renderer
semgrep-xss/coday-react-dangerously-set-innerhtml: app/blog/[slug]/page.tsx
```
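The two behaviours described above, the per-check gate decision (BLOCK / WARN, acknowledged findings downgraded to WARN, CVE blocking only when CRITICAL with a published fix, RLS warn-only) and the .codayignore auto-acknowledgement with ackedBy = __codayignore__, modelled in TypeScript as an added example. This is not Coday's own code. The rule ids and the ignore file content are taken from this page; the Finding/Ack/IgnoreRule types, the glob semantics (`**` spans directories, `*` and `?` stay within one path segment, and `[`/`]` are literal so a Next.js `[slug]` directory matches), the PASSED status label, the `pnpm-audit` tool id and the sample findings are assumptions made for the example.

```typescript
// Added example, not Coday's own code. Types, glob semantics, the PASSED label,
// the pnpm-audit tool id and the sample findings below are assumptions.

type Category = "SECRETS" | "INJECTION" | "SSRF" | "XSS" | "AUTH" | "ENV" | "CVE" | "RLS";
type Gate = "BLOCK" | "WARN";

interface Finding {
  tool: string;      // prefix used in .codayignore, e.g. "gitleaks", "semgrep-xss"
  ruleId: string;    // e.g. "generic-api-key"
  category: Category;
  severity: "CRITICAL" | "HIGH" | "LOW";
  path: string;
  line: number;
  hasFix?: boolean;  // CVE only: a patched version is published
}

interface Ack { tool: string; ruleId: string; path: string; ackedBy: string; reason: string }
interface IgnoreRule { tool: string; ruleId: string; glob: string; reason: string }
interface GateResult { status: "PASSED" | "FAILED"; blocking: number; warnings: number; error?: string }

// Path glob -> RegExp. Assumption: `**` spans directories, `*`/`?` stay inside one
// segment, and brackets are literal (Next.js dynamic routes like [slug]), not classes.
function globToRegExp(glob: string): RegExp {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; } // "**/" = zero or more segments
      else { re += ".*"; i += 1; }                          // trailing "**" = anything
    } else if (c === "*") {
      re += "[^/]*";
    } else if (c === "?") {
      re += "[^/]";
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");          // escape regex metacharacters
    }
  }
  return new RegExp(`^${re}$`);
}

// Parse .codayignore: `tool/rule-id: path-glob # optional reason` per line.
// Blank and comment-only lines are skipped; malformed lines are reported, not ignored.
// Assumption: `#` never appears inside a path glob.
function parseCodayIgnore(text: string): { rules: IgnoreRule[]; errors: string[] } {
  const rules: IgnoreRule[] = [];
  const errors: string[] = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const hash = raw.indexOf("#");
    const body = (hash >= 0 ? raw.slice(0, hash) : raw).trim();
    const reason = hash >= 0 ? raw.slice(hash + 1).trim() : "";
    if (body === "") return;
    const m = /^([^/\s]+)\/([^:\s]+)\s*:\s*(\S+)$/.exec(body);
    if (!m) { errors.push(`line ${idx + 1}: cannot parse "${raw}"`); return; }
    rules.push({ tool: m[1], ruleId: m[2], glob: m[3], reason });
  });
  return { rules, errors };
}

// Findings matched by an ignore rule are auto-acknowledged for the audit trail.
function autoAcknowledge(findings: Finding[], rules: IgnoreRule[]): Ack[] {
  const acks: Ack[] = [];
  for (const f of findings) {
    const rule = rules.find(r => r.tool === f.tool && r.ruleId === f.ruleId && globToRegExp(r.glob).test(f.path));
    if (rule) acks.push({ tool: f.tool, ruleId: f.ruleId, path: f.path, ackedBy: "__codayignore__", reason: rule.reason || "(no reason given)" });
  }
  return acks;
}

// Effective gate for one finding, following the table on this page.
function effectiveGate(f: Finding, acks: Ack[]): Gate {
  if (acks.some(a => a.tool === f.tool && a.ruleId === f.ruleId && a.path === f.path)) return "WARN"; // stays visible, no longer blocks
  switch (f.category) {
    case "RLS": return "WARN";
    case "CVE": return f.severity === "CRITICAL" && f.hasFix === true ? "BLOCK" : "WARN";
    default: return "BLOCK"; // SECRETS, INJECTION, SSRF, XSS, AUTH, ENV
  }
}

function evaluateGate(scanId: string, findings: Finding[], acks: Ack[]): GateResult {
  let blocking = 0, warnings = 0;
  for (const f of findings) { if (effectiveGate(f, acks) === "BLOCK") blocking++; else warnings++; }
  if (blocking === 0) return { status: "PASSED", blocking, warnings };
  return { status: "FAILED", blocking, warnings, error: `SECURITY_SCAN_BLOCK[${scanId}]: ${blocking} blocking finding(s)` };
}

// Constructed sample: the ignore file from this page plus four made-up findings.
const SAMPLE_IGNORE = `# Placeholder secrets in fixtures
gitleaks/generic-api-key: tests/fixtures/**
# Sanitized HTML in our blog renderer
semgrep-xss/coday-react-dangerously-set-innerhtml: app/blog/[slug]/page.tsx
`;

const SAMPLE_FINDINGS: Finding[] = [
  { tool: "gitleaks", ruleId: "generic-api-key", category: "SECRETS", severity: "CRITICAL", path: "tests/fixtures/aws.json", line: 3 },      // ignored: fixture
  { tool: "semgrep-xss", ruleId: "coday-react-dangerously-set-innerhtml", category: "XSS", severity: "HIGH", path: "app/blog/[slug]/page.tsx", line: 41 }, // ignored
  { tool: "gitleaks", ruleId: "generic-api-key", category: "SECRETS", severity: "CRITICAL", path: "src/config.ts", line: 12 },              // outside fixtures: blocks
  { tool: "pnpm-audit", ruleId: "ADVISORY-PLACEHOLDER", category: "CVE", severity: "CRITICAL", hasFix: false, path: "pnpm-lock.yaml", line: 1 }, // no fix yet: WARN
];

function runSample(): GateResult {
  const { rules } = parseCodayIgnore(SAMPLE_IGNORE);
  return evaluateGate("scan-0001", SAMPLE_FINDINGS, autoAcknowledge(SAMPLE_FINDINGS, rules));
}

console.log(runSample()); // FAILED, 1 blocking, 3 warnings
```

The only finding that still blocks is the generic-api-key hit outside tests/fixtures/**, which is the point of scoping ignore rules to a path glob rather than a whole rule id. The CVE without a published fix and both ignored findings remain visible as warnings.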
What the gate does not do
Coday's gate is static — it reads source, lockfile, and prisma schema. It does not run your tests, exercise endpoints at runtime, or reason about business-logic authorization (whether a given user should access a given record). Those still belong in your test suite and review process.
Read /security for the marketing overview and the honest OWASP coverage matrix.