Security · SAST

DevSecOps without pipelines.

Pre-deploy SAST, severity-based policy gating, multi-CI. Flip a toggle on a project - before every release the scanner runs over the code, findings appear in the same deploy tab, and policy decides whether it can ship.

zero-config GitLab · Azure · GitHub policy gating audit

SAST in classic DevOps is separate overhead: set up a CI template, write a config per language, agree on a severity policy, wire reports into the pipeline and not forget gating. Often there's no time - so the check is either a checkbox or never runs.

In Opsy, security checks are built into deploy. No separate pipelines or YAML configs.

Zero-config

Opsy picks the scanner by project type.

It detects the language from repository contents and selects relevant scanners. No setup - enable pre-deploy checks and the project picks up the configuration.

Java (Maven / Gradle)Semgrep + SpotBugs
PythonSemgrep + Bandit
GoSemgrep + gosec
Node / JS / TSSemgrep + njsscan
Any languageTrivy fs + npm/pip/go audit
Customplugin selection via UI / API

Want more precision - turn off auto-select and pick a specific set of plugins. The architecture is pluggable: each scanner is a separate module, and new ones are added without touching core.

Multi-CI

SAST in GitLab, Azure DevOps and GitHub - without extra licenses.

In the classic setup, security features are tied to the provider (GitLab Ultimate, GitHub Advanced Security). Opsy gives one UX over all three: the same SAST stage is injected into the pipeline, and artifacts are collected and parsed into a common findings format.

GitLab CI

SAST stage injection

A stage in .gitlab-ci.yml, reading artifacts from the job.

Azure DevOps

Step in Azure Pipelines

Reading build artifacts via REST API.

GitHub Actions

Workflow job with SAST

Artifacts pulled via GitHub API + ZIP.

Policy gating

Severity blocks the deploy to Kubernetes.

An org-level severity matrix (part of Policy & governance): critical blocks, high warns, the rest is shown. The decision is visible right in the deploy UI.

Critical
Block
High
Warn
Medium
Info
Low
Info
Info
Info

Example of what an engineer sees on deploy:

Audit

All SAST-run history is tied to the deploy.

Every scanner run is stored at the org level: who initiated the deploy (via RBAC), which commit, which findings, whether there was a gating decision and who approved it. For incident review and compliance: «show who shipped to prod with open criticals and when».

Security at the entrance, not after an incident.

We'll deploy into a test environment and go through your security checklist.