
Source Code Integrations

Updated over 3 weeks ago

Ghost’s Source Code Integrations enable deep application and API security insights by connecting directly to your source code repositories. These integrations power advanced static analysis and business logic vulnerability detection—without compromising the privacy or integrity of your code.


Overview

Ghost connects to your source code management (SCM) systems to unlock Contextual Application Security Testing (CAST) and AI-driven SAST Triage. These capabilities give you full-spectrum visibility into your applications, exposing hidden API risks, validating static findings with AI, and accelerating secure development.

Source code is handled securely in ephemeral infrastructure, never stored at rest, and never used to train AI models.


Key Capabilities

Contextual Application Security Testing (CAST)

CAST is Ghost’s next-generation security engine that augments static analysis with runtime context and intelligent correlation. It surfaces critical vulnerabilities, especially business logic flaws that traditional tools miss.

With source code connected, Ghost can:

  1. Discover APIs Automatically
    Parses codebases to construct API specifications, no OpenAPI spec required.

  2. Detect Business Logic Vulnerabilities
    Ghost identifies complex security issues such as:

    • Authorization bypass

    • Broken Object-Level Authorization (BOLA)

    • Insecure direct object references (IDOR)

    • Race conditions

    • Role confusion or privilege escalation

  3. Correlate to Runtime
    Determines if a vulnerability matters based on:

    • Deployment location (e.g. staging vs production)

    • Data sensitivity (e.g. PCI, PHI, PII)

    • Exposure (e.g. internet-facing vs internal-only)

  4. Map Code to Live APIs
    Associates source code with observed API usage, giving teams traceability from runtime to repo.

  5. Expose Unauthenticated & Unprotected APIs
    Ghost has identified numerous authentication and authorization flaws in customer environments—issues that had gone undetected by traditional tools.
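
The following is an added illustration of the first two capabilities above (building an API inventory from code and flagging a Broken Object-Level Authorization pattern). It is example code written for this page, not Ghost's engine or any customer code: the sample application source, the route-decorator parsing and the authorization-marker heuristic (the names in AUTHZ_MARKERS) are all constructed for the example, and a real analysis would be far more thorough than matching names in a handler body.

```python
import ast
import re

# Constructed sample application source (not real customer code). It contains a
# handler that loads an invoice by id without checking ownership (a BOLA/IDOR
# pattern), a handler that performs the check, and an endpoint with no object id.
SAMPLE_SOURCE = '''
@app.route("/invoices/<int:invoice_id>", methods=["GET"])
def get_invoice(invoice_id):
    invoice = db.query(Invoice).get(invoice_id)
    return jsonify(invoice.to_dict())

@app.route("/invoices/<int:invoice_id>", methods=["DELETE"])
def delete_invoice(invoice_id):
    invoice = db.query(Invoice).get(invoice_id)
    if invoice.owner_id != current_user.id:
        abort(403)
    db.delete(invoice)
    return "", 204

@app.route("/health")
def health():
    return "ok"
'''

# Names whose presence in a handler body we treat as evidence of an authorization
# check. This is a heuristic chosen for the example, not a complete model.
AUTHZ_MARKERS = {"current_user", "authorize", "require_owner", "check_permission"}


def _route_decorator(dec):
    """Return (path, methods) if the decorator is an `x.route(...)` call, else None."""
    if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
            and dec.func.attr == "route" and dec.args
            and isinstance(dec.args[0], ast.Constant)):
        return None
    methods = ["GET"]  # Flask's default when `methods` is omitted
    for kw in dec.keywords:
        if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
            methods = [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
    return dec.args[0].value, methods


def extract_endpoints(source):
    """Build an API inventory from route decorators found in `source`."""
    endpoints = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for dec in node.decorator_list:
            route = _route_decorator(dec)
            if route is None:
                continue
            path, methods = route
            # every bare name referenced anywhere in the handler (body and decorators)
            names = {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}
            endpoints.append({
                "path": path,
                "methods": methods,
                "handler": node.name,
                # a path parameter ending in "id" means the handler addresses an object
                "takes_object_id": bool(re.search(r"<(?:\w+:)?\w*id>", path)),
                "has_authz_check": bool(names & AUTHZ_MARKERS),
            })
    return endpoints


def to_openapi_paths(endpoints):
    """Render the inventory as an OpenAPI-style `paths` object (no spec file needed)."""
    paths = {}
    for ep in endpoints:
        oas_path = re.sub(r"<(?:\w+:)?(\w+)>", r"{\1}", ep["path"])
        for method in ep["methods"]:
            paths.setdefault(oas_path, {})[method.lower()] = {"operationId": ep["handler"]}
    return paths


def find_bola_candidates(endpoints):
    """Handlers that dereference an object id with no authorization marker in the body."""
    return [ep for ep in endpoints if ep["takes_object_id"] and not ep["has_authz_check"]]


if __name__ == "__main__":
    eps = extract_endpoints(SAMPLE_SOURCE)
    print(to_openapi_paths(eps))
    for ep in find_bola_candidates(eps):
        print(f"BOLA candidate: {' '.join(ep['methods'])} {ep['path']} -> {ep['handler']}()")
```

Run as a script, it prints the derived paths object and reports get_invoice as the only candidate: delete_invoice compares the invoice's owner to the caller before acting, while get_invoice returns whatever id the caller supplies.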

SAST Triage with AI

Ghost reduces alert fatigue by ingesting and validating static analysis findings from your existing tools.

How it works:

  • Ingest from Third-Party SAST Tools
    Supports popular tools like Semgrep and others via flexible integrations.

  • Validate Findings Using AI Agents
    Ghost determines exploitability of each issue—no more manual sorting of thousands of “maybe”s.

  • Generate Risk Reports
    Each validated vulnerability includes a clear explanation and recommended fix.

  • Highlight Actionable Issues Only
    Flag “Active Vulnerabilities” for exploitable flaws and “Not Exploitable Risks” for findings of lesser importance.
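
The example below is added for this page to show the deterministic half of the workflow just described together with the "Correlate to Runtime" capability from the CAST section: it ingests Semgrep-style JSON findings, joins each one to where that file is actually deployed, and ranks the result so that validation effort goes to the findings that matter. It is not Ghost's triage logic and does not perform the AI exploitability verdict; the Semgrep output, the rule ids, the runtime-context map, the weights and the labels are all constructed for the example.

```python
import json

# Constructed Semgrep-style JSON output (rule ids and paths are invented for this
# example). Semgrep's `--json` output carries a top-level "results" list whose
# entries have "check_id", "path", "start"/"end" positions and an "extra" object
# with "severity" and "message".
SEMGREP_OUTPUT = json.loads('''
{
  "version": "1.0.0",
  "errors": [],
  "results": [
    {"check_id": "example.python.sqli-tainted-query",
     "path": "services/billing/app.py",
     "start": {"line": 42, "col": 5}, "end": {"line": 42, "col": 60},
     "extra": {"severity": "ERROR", "message": "Tainted input reaches a SQL query"}},
    {"check_id": "example.python.subprocess-shell-true",
     "path": "tools/devscripts/build.py",
     "start": {"line": 10, "col": 1}, "end": {"line": 10, "col": 40},
     "extra": {"severity": "WARNING", "message": "subprocess call with shell=True"}},
    {"check_id": "example.python.missing-authz-check",
     "path": "internal/admin/api.py",
     "start": {"line": 77, "col": 9}, "end": {"line": 77, "col": 30},
     "extra": {"severity": "ERROR", "message": "Object loaded by id without an ownership check"}},
    {"check_id": "example.python.weak-hash-md5",
     "path": "lib/legacy/crypto.py",
     "start": {"line": 3, "col": 1}, "end": {"line": 3, "col": 20},
     "extra": {"severity": "INFO", "message": "MD5 used for hashing"}}
  ]
}
''')

# Constructed runtime context keyed by source file: where the code is deployed,
# whether it is reachable from the internet, and what data classes it handles.
# In a real pipeline this comes from deployment and traffic inventory.
RUNTIME_CONTEXT = {
    "services/billing/app.py": {"environment": "production", "exposure": "internet-facing", "data": ["PCI"]},
    "tools/devscripts/build.py": {"environment": "none", "exposure": "not-deployed", "data": []},
    "internal/admin/api.py": {"environment": "staging", "exposure": "internal-only", "data": ["PII"]},
}

# Weights are illustrative; tune them to your own risk model.
SEVERITY_WEIGHT = {"ERROR": 3, "WARNING": 2, "INFO": 1}
ENV_WEIGHT = {"production": 3, "staging": 2, "none": 0}
EXPOSURE_WEIGHT = {"internet-facing": 3, "internal-only": 1, "not-deployed": 0}
DATA_WEIGHT = {"PCI": 3, "PHI": 3, "PII": 2}


def context_score(ctx):
    """Impact multiplier from runtime facts; 0 means the code is not running anywhere."""
    data = max((DATA_WEIGHT.get(d, 1) for d in ctx.get("data", [])), default=0)
    return ENV_WEIGHT.get(ctx.get("environment"), 0) + EXPOSURE_WEIGHT.get(ctx.get("exposure"), 0) + data


def triage(semgrep_output, runtime_context):
    """Join static findings with runtime context and rank them for validation."""
    rows = []
    for r in semgrep_output["results"]:
        severity_name = r["extra"].get("severity", "INFO")
        severity = SEVERITY_WEIGHT.get(severity_name, 1)
        ctx = runtime_context.get(r["path"])
        if ctx is None:
            # Unknown deployment: keep it visible but do not assume impact either way.
            label, score = "Unmapped (needs runtime context)", severity
        elif ctx.get("exposure") == "not-deployed":
            # Nothing runs this code, so there is no runtime path to exploit it.
            label, score = "Not Exploitable Risk (code not deployed)", 0
        else:
            label, score = "Candidate Active Vulnerability (validate)", severity * context_score(ctx)
        rows.append({
            "check_id": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "severity": severity_name,
            "label": label,
            "score": score,
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(SEMGREP_OUTPUT, RUNTIME_CONTEXT):
        print(f"{row['score']:>3}  {row['label']:<42} {row['path']}:{row['line']}  {row['check_id']}")
```

With the sample data the internet-facing PCI service ranks first (score 27), the staging admin API second (15), the unmapped legacy file stays visible at the bottom of the review queue, and the build script that is never deployed is labelled as not exploitable without anyone reading it.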


Security Architecture

We built Ghost with security as a first principle—your code remains private, and access is strictly controlled.

Ephemeral Code Scanning

  • No Persistent Storage: Source code is never stored at rest. It is cloned temporarily into secure, short-lived containers.

  • Isolation by Design: Scanning tasks run in per-tenant GCP environments with least-privilege permissions.

  • Secure Cleanup: After scans complete, all containers and local data are destroyed.

Secret & Credential Management

  • Stored in Google Cloud Secret Manager: API tokens are encrypted with AES-256 and restricted to specific scanning services.

  • Minimal Access Scope: Ghost requests read-only access to selected repositories—nothing more.

  • Audit Logging: All secret access and scan executions are logged for full traceability.

Responsible AI Use

  • No Data Used for Model Training: Ghost does not use your code or metadata to train AI models.

  • Scoped Context Only: AI only analyzes minimal code segments relevant to the vulnerability being assessed.


How It Works


Integration Setup

GitHub Integration

  1. Install the Ghost GitHub App
    From the Settings > Source Code page, click Add source code connection and follow the link in the Ghost UI to install the App into your GitHub org.

  2. Authenticate & Sync

    OAuth securely connects your org to Ghost. Repositories are synced automatically.

  3. Scan & Analyze

    Ghost performs analysis in an ephemeral environment. Only findings are retained.

GitLab Integration

  1. Create a Read-Only Group Access Token (GAT)
    Scoped to a selected set of projects.

  2. Create a GitLab Connection in Ghost
    From the Settings > Source Code page, click Add source code connection, select GitLab, and enter your GAT.

  3. Authenticate & Sync

    Ghost securely connects to your GitLab org. Repositories are synced automatically.

  4. Scan & Analyze

    Ghost performs analysis in an ephemeral environment. Only findings are retained.
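
Before entering a Group Access Token in step 2 it is worth confirming that the token really is read-only and will not expire mid-rollout. The following pre-flight check is an added example for this page, not part of Ghost or of GitLab's tooling. The sample token description is constructed; it is shaped like the response of GitLab's token self-lookup endpoint (GET /api/v4/personal_access_tokens/self), and the assumption that this endpoint also answers for a Group Access Token is the example's, not the page's. The set of scopes accepted as read-only and the Reporter access-level threshold are choices made for the example.

```python
import datetime
import json
import os
import urllib.request

# Scopes that only read; anything outside this set means the token can write.
READ_ONLY_SCOPES = {"read_api", "read_repository", "read_registry"}

# Constructed response in the shape GitLab returns for its token self-lookup
# endpoint. That the endpoint answers for group access tokens is an assumption.
SAMPLE_TOKEN_INFO = json.loads('''
{"id": 4242, "name": "ghost-source-scan", "revoked": false, "active": true,
 "scopes": ["read_api", "read_repository"], "access_level": 20,
 "created_at": "2025-01-10T09:00:00.000Z", "expires_at": "2025-07-09"}
''')


def check_read_only_token(info, today=None):
    """Return (ok, problems) for a token description before it is handed to a scanner.

    `today` may be a date, an ISO date string, or None for the current date."""
    if today is None:
        today = datetime.date.today()
    elif isinstance(today, str):
        today = datetime.date.fromisoformat(today)
    problems = []
    scopes = set(info.get("scopes", []))
    if not scopes:
        problems.append("token has no scopes")
    extra = scopes - READ_ONLY_SCOPES
    if extra:
        problems.append("write-capable scopes present: " + ", ".join(sorted(extra)))
    if "read_repository" not in scopes:
        problems.append("read_repository scope missing; source cannot be cloned")
    if info.get("revoked") or not info.get("active", True):
        problems.append("token is revoked or inactive")
    expires = info.get("expires_at")
    if not expires:
        problems.append("token has no expiry date")
    elif datetime.date.fromisoformat(expires[:10]) <= today:
        problems.append(f"token expired on {expires}")
    # Reporter (20) is the lowest role that can pull private project code;
    # anything above it grants more than a read-only scan needs.
    if info.get("access_level", 0) > 20:
        problems.append(f"access_level {info['access_level']} is above Reporter (20)")
    return (not problems), problems


def fetch_token_info(base_url, token):
    """Look the token up on a live GitLab instance (network; not used by the offline check)."""
    req = urllib.request.Request(f"{base_url}/api/v4/personal_access_tokens/self",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # With GITLAB_TOKEN set the live token is checked; otherwise the constructed sample is used.
    token = os.environ.get("GITLAB_TOKEN")
    base_url = os.environ.get("GITLAB_URL", "https://gitlab.com")
    info = fetch_token_info(base_url, token) if token else SAMPLE_TOKEN_INFO
    ok, problems = check_read_only_token(info)
    print("OK: token is read-only and usable" if ok else "\n".join("FAIL: " + p for p in problems))
```

A token that carries `api` or `write_repository`, has no expiry, or was created with a Maintainer role fails the check with a specific reason for each problem, so the fix can be made before the token ever leaves your hands.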


Benefits to Security & Engineering Teams

  • Security Teams: Identify real risks, validate third-party findings, and uncover hidden API flaws.

  • Developers: Get clear, actionable guidance with minimal friction. No login required—Ghost fits your flow.

  • AppSec Leaders: Demonstrate control over code-to-runtime posture with less manual effort.


Supported Platforms

  Platform        Status
  GitHub          Supported
  GitLab          Supported
  BitBucket       Planned
  Azure DevOps    Planned


Getting Started

  1. Log in to the Ghost Platform.

  2. Navigate to Settings > Source Code Connections > Add source code connection.

  3. Select your SCM.

  4. Follow the setup instructions to connect your source code.


Want to See It in Action?

Schedule a demo to see how Ghost’s Source Code Integrations deliver clarity, precision, and peace of mind for your AppSec workflows.
