Today, we are excited to announce the availability of Code Risk Analyzer in IBM Cloud Continuous Delivery.

Reducing the risk of incorporating vulnerabilities into your code is critical to successful development. As open source, containers, and cloud native technologies are becoming increasingly common and important, shifting monitoring and testing to earlier in the development lifecycle — “shift-left” — can save time, money, and resources that are better spent innovating and delivering new applications to your customers. 

Today, IBM is excited to announce Code Risk Analyzer, a new feature of IBM Cloud Continuous Delivery. Developed in conjunction with IBM Research projects and customer feedback, Code Risk Analyzer enables developers like you to quickly assess and remediate security and legal risks that they are potentially introducing into your source code and provides feedback directly in your Git artifacts (for example, pull/merge requests). Code Risk Analyzer is provided as a set of Tekton tasks, which can be easily incorporated into your delivery pipelines.

Watch Code Risk Analyzer in action

Key Code Risk Analyzer capabilities

Code Risk Analyzer provides the following capabilities by scanning your Git-based source repositories (IBM Cloud Continuous Delivery Git Repos and Issue Tracking or GitHub) for know vulnerabilities. Capabilities include the following:

Vulnerability scans

Code Risk Analyzer allows you to discover vulnerabilities in your application (Python, Node.js, Java) and OS stack (base image) based on rich threat intelligence from Snyk and Clair, and provides fix recommendations. 

  • We have partnered with Snyk to integrate their comprehensive security coverage to help you automatically find, prioritize, and fix vulnerabilities in open source dependencies and containers early in your workflow. The Snyk Intel Vulnerability database is continuously curated by an experienced Snyk Security Research Team to enable teams to be optimally efficient at containing open source security issues, while maintaining your focus on development.  
  • Clair is an open source project for the static analysis of vulnerabilities in application containers. Because it scans images using static analysis, it can analyze images without a need to run their container.

Deployment analysis

Code Risk Analyzer can discover misconfigurations in your Kubernetes deployment files based on industry standards and community best practices. 


Code Risk Analyzer generates a Bill-of-Materials (BoM) accounting for all the dependencies and their sources for your application. In addition, the BoM-Diff capability allows you to compare differences in any dependency with respect to base branches in source code.

Get started today

Code Risk Analyzer is included as part of IBM Cloud Continuous Delivery and works with IBM Cloud Continuous Delivery Git Repos and Issue Tracking, GitHub, and GitHub Enterprise repositories. Code Risk Analyzer uses Tekton pipelines to run its scans through new toolchain templates and Tekton task definitions. Initially, Code Risk Analyzer is available in the Dallas (US-South) region only.

More resources

  • Read the IBM Research blog on Code Risk Analyzer.
  • For more information on Code Risk Analyzer, see the documentation
  • If you have any questions, get help directly from the IBM Cloud development teams by joining us on Slack.


More from Announcements

IBM TechXchange underscores the importance of AI skilling and partner innovation

3 min read - Generative AI and large language models are poised to impact how we all access and use information. But as organizations race to adopt these new technologies for business, it requires a global ecosystem of partners with industry expertise to identify the right enterprise use-cases for AI and the technical skills to implement the technology. During TechXchange, IBM's premier technical learning event in Las Vegas last week, IBM Partner Plus members including our Strategic Partners, resellers, software vendors, distributors and service…

Introducing Inspiring Voices, a podcast exploring the impactful journeys of great leaders

< 1 min read - Learning about other people's careers, life challenges, and successes is a true source of inspiration that can impact our own ambitions as well as life and business choices in great ways. Brought to you by the Executive Search and Integration team at IBM, the Inspiring Voices podcast will showcase great leaders, taking you inside their personal stories about life, career choices and how to make an impact. In this first episode, host David Jones, Executive Search Lead at IBM, brings…

IBM watsonx Assistant and NICE CXone combine capabilities for a new chapter in CCaaS

5 min read - In an age of instant everything, ensuring a positive customer experience has become a top priority for enterprises. When one third of customers (32%) say they will walk away from a brand they love after just one bad experience (source: PWC), organizations are now applying massive investments to this experience, particularly with their live agents and contact centers.  For many enterprises, that investment includes modernizing their call centers by moving to cloud-based Contact Center as a Service (CCaaS) platforms. CCaaS solutions…

See what’s new in SingleStoreDB with IBM 8.0

3 min read - Despite decades of progress in database systems, builders have compromised on at least one of the following: speed, reliability, or ease. They have two options: one, they could get a document database that is fast and easy, but can’t be relied on for mission-critical transactional applications. Or two, they could rely on a cloud data warehouse that is easy to set up, but only allows lagging analytics. Even then, each solution lacks something, forcing builders to deploy other databases for…