SAST (under Code Security) secures your codebase before it ships. Connect a Git provider and Osto runs static analysis, software composition analysis (dependency scanning), and secret detection across your repositories — all in one place.
Path: Code Security → SAST
(Screenshot: SAST onboarding page titled "Secure your codebase before it ships", with a Connect a provider button and a three-step how-it-works guide.)

How it works

Getting started takes three steps:
| Step | What happens |
| --- | --- |
| 1. Connect a provider | Link GitHub, GitLab, or Bitbucket so Osto can reach your repositories securely. |
| 2. Sync repositories | Osto pulls your repository list and branches so you can choose what to scan. |
| 3. Run scans | Kick off static analysis, dependency, and secret checks from the Repositories or Scans tabs. |

Connect a provider

Click Connect a provider to open the connection dialog, then choose your Git host:

GitHub

Connect with a GitHub App or a personal access token.

GitLab

Connect gitlab.com or a self-hosted instance via OAuth or a token.

Bitbucket

Connect with OAuth or an app password.
(Screenshot: Connect provider dialog showing GitHub, GitLab, and Bitbucket as Git host options.)

Choose how to connect

After picking a host, choose a connection method:
(Screenshot: Connection method step offering Sign in with the provider or Personal Access Token.)
  • Sign in with the provider — opens a secure browser window to authorize Osto. Recommended for most teams; there’s no token to copy.
  • Personal Access Token — paste a token or app password. Useful for automation, air-gapped environments, or restricted organizations. You’ll give the connection a name and paste the token, then select Add connection.
Connecting GitLab adds one extra choice: gitlab.com (cloud) or a self-hosted GitLab instance (your own CE/EE URL). Self-hosted instances connect with a personal access token.

After connecting

Once a provider is linked, SAST opens up into five tabs across the top of the page, and a top-right Report button is available throughout. Until a provider is connected, SAST shows the onboarding screen above.

Integrations

Your home base once connected. The top cards summarize your Connections, Repositories, Findings, and Scans, followed by a severity breakdown of all findings (Critical / High / Medium / Low) and how many are fixable.
(Screenshot: SAST Integrations tab with Connections, Repositories, Findings, and Scans counts, a findings severity breakdown, and a connected GitHub provider.)
Below that, the Connections list shows each linked provider with its status, repository count, and last sync time. Use Sync to refresh a single connection (or Sync All) and Test to verify the connection still works.

Repositories

Every repository Osto can see, with at-a-glance counts: total repositories, how many are inaccessible, the percentage scanned, how many auto-scan on push, how many have critical findings, and how many are clean. A Top Languages panel and a Most Vulnerable panel (ranked by Osto Risk Score) sit above the table.
(Screenshot: SAST Repositories tab showing coverage cards, top languages, most vulnerable repo, and a repository table.)
Each row lists the repository (with an Auto-scan on push indicator when enabled), provider, branches, languages, and size. Use the per-row Scan button to run a scan on demand, or View details to drill in.

Scans

A record of every scan run. The summary cards cover total scans, scans in the last 7 days, anything running or queued, your success rate, average duration, and any runs with errors. The Scan Runs table lists each run with its repository, status, progress, total findings, and critical count.
(Screenshot: SAST Scans tab showing total scans, success rate, average duration, and a Scan Runs table.)

Issues

The heart of SAST — every finding across your code. Summary cards show the Total, Critical, High, KEV (known-exploited), Fixable, and Open counts, alongside Top Rules (most-triggered rules) and Top Files (the hottest spots in your code).
(Screenshot: SAST Issues tab with finding counts, top rules, top files, and a findings table.)
The findings table can be grouped (flat list, or by file, component, severity, type, or rule) and exported. Each finding shows its repository, risk score, severity, type (VULN for a vulnerable dependency, SECRET for an exposed credential, or SAST for a code-analysis issue), status, and the rule and message. Select View details on any finding to open the Finding Detail panel:
(Screenshot: Finding Detail panel showing Osto Risk Score breakdown, CVE description, affected file and component, fix version, CWE, and triage controls.)
It explains the Osto Risk Score — how CVSS severity, exploit likelihood, and known-exploited (KEV) status combine — describes the finding (with its CVE where relevant), and pinpoints the affected file, component, recommended fix version, and CWE. From the Triage section you can mark a finding as triaged to mute it (and its matches across branches and repos) when it’s a false positive, accepted risk, or a test-only path.

Reports

Export your current results on demand. The Download now section offers two exports:
| Export | What you get |
| --- | --- |
| Executive report | An org-wide HTML overview — severity distribution, top vulnerable repos, and recent scans. |
| Findings CSV | The full findings list as a compliance-friendly CSV (up to 10,000 rows). |
(Screenshot: SAST Reports tab with Download now exports (Executive report, Findings CSV) and a Schedules section.)
Downloading a report under Download now exports the current state — it doesn’t trigger a new scan.
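The Findings CSV is the raw material behind the Issues tab. The script below, an added example that is not Osto's own code, rebuilds that tab's summary cards (Total, Critical, High, KEV, Fixable, Open), Top Rules, and the group-by views from an export, so a team can re-derive the same numbers offline or diff two exports. The column names, rule names, and CVE IDs in the embedded sample are constructed assumptions; read them from the header of a real export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of a Findings CSV export. Column names and
# all values (including the placeholder CVE IDs) are assumptions for this example.
SAMPLE_CSV = """repository,risk_score,severity,type,status,rule,file,component,kev,fixable
api,9.1,Critical,VULN,Open,CVE-0000-0001,pom.xml,example-lib,true,true
api,6.5,High,SAST,Open,sql-injection,src/db.py,,false,false
web,8.2,High,SECRET,Open,cloud-access-key,config/settings.py,,false,true
web,6.5,High,SAST,Triaged,sql-injection,src/api.py,,false,false
web,3.1,Low,VULN,Open,CVE-0000-0002,package.json,other-lib,false,true
"""

def parse_findings(text):
    """Parse CSV text into a list of dicts, converting the boolean and numeric columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["kev"] = r["kev"].strip().lower() == "true"
        r["fixable"] = r["fixable"].strip().lower() == "true"
        r["risk_score"] = float(r["risk_score"])
    return rows

def summary_cards(findings):
    """Recompute the Issues tab cards: Total, Critical, High, KEV, Fixable, Open."""
    return {
        "total": len(findings),
        "critical": sum(f["severity"] == "Critical" for f in findings),
        "high": sum(f["severity"] == "High" for f in findings),
        "kev": sum(f["kev"] for f in findings),
        "fixable": sum(f["fixable"] for f in findings),
        "open": sum(f["status"] == "Open" for f in findings),
    }

def top(findings, key, n=3):
    """Most-triggered values of one column (Top Rules / Top Files) as (value, count) pairs."""
    return Counter(f[key] for f in findings if f[key]).most_common(n)

def group_by(findings, key):
    """Group findings like the table does (by file, component, severity, type, or rule)."""
    groups = defaultdict(list)
    for f in findings:
        groups[f[key] or "(none)"].append(f)  # SAST/SECRET rows have no component
    return dict(groups)

if __name__ == "__main__":
    findings = parse_findings(SAMPLE_CSV)
    print(summary_cards(findings))
    print("Top rules:", top(findings, "rule"))
    print({k: len(v) for k, v in group_by(findings, "type").items()})
```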

Schedules

Below the on-demand exports, the Schedules area lets you automate recurring scans and have a fresh report emailed to your team when each run completes. With no schedules set up it shows “No schedules yet.” Click New schedule to open the schedule builder.
(Screenshot: New schedule dialog with Name, Frequency, Scope, Email a fresh report toggle, Recipients, Format, and content options.)
The dialog has these options:
| Field | Options / notes |
| --- | --- |
| Name (required) | A label for the schedule (e.g. “Weekly Security Review”). |
| Frequency | Daily (02:00 IST), Weekly (Mon 02:00 IST), or Monthly (1st, 02:00 IST). |
| Scope | All repositories (everything across all connected providers), a single connection, or multiple repositories. |
| Email a fresh report | A toggle (on by default). When enabled, each completed run emails a freshly built report to the recipients below. |
| Recipients (required when emailing) | Add one or more recipients — press Enter, comma, or space to add each. |
| Format | HTML, PDF, or CSV. |
| Report contents | Choose what the email includes: Executive summary PDF, Per-scan detail, and/or Findings CSV. |
Fill in the fields and select Create schedule. Each run then scans the chosen scope on the set cadence and — if email is enabled — delivers the report automatically.