Find Source Code Vulnerabilities with Code Risk Analyzer


Today, we are excited to announce the availability of Code Risk Analyzer in IBM Cloud Continuous Delivery.

Reducing the risk of incorporating vulnerabilities into your code is critical to successful development. As open source, containers, and cloud native technologies are becoming increasingly common and important, shifting monitoring and testing to earlier in the development lifecycle — "shift-left" — can save time, money, and resources that are better spent innovating and delivering new applications to your customers. 

Today, IBM is excited to announce Code Risk Analyzer, a new feature of IBM Cloud Continuous Delivery. Developed in conjunction with IBM Research projects and customer feedback, Code Risk Analyzer enables developers like you to quickly assess and remediate security and legal risks that you are potentially introducing into your source code, and it provides feedback directly in your Git artifacts (for example, pull/merge requests). Code Risk Analyzer is provided as a set of Tekton tasks, which can be easily incorporated into your delivery pipelines.


Key Code Risk Analyzer capabilities

Code Risk Analyzer scans your Git-based source repositories (IBM Cloud Continuous Delivery Git Repos and Issue Tracking or GitHub) for known vulnerabilities. Capabilities include the following:

Vulnerability scans

Code Risk Analyzer allows you to discover vulnerabilities in your application (Python, Node.js, Java) and OS stack (base image) based on rich threat intelligence from Snyk and Clair, and provides fix recommendations. 

  • We have partnered with Snyk to integrate their comprehensive security coverage to help you automatically find, prioritize, and fix vulnerabilities in open source dependencies and containers early in your workflow. The Snyk Intel Vulnerability database is continuously curated by an experienced Snyk Security Research Team to enable teams to be optimally efficient at containing open source security issues, while maintaining your focus on development.  
  • Clair is an open source project for the static analysis of vulnerabilities in application containers. Because it scans images using static analysis, it can analyze images without a need to run their container.

Deployment analysis

Code Risk Analyzer can discover misconfigurations in your Kubernetes deployment files based on industry standards and community best practices. 


Bill-of-Materials

Code Risk Analyzer generates a Bill-of-Materials (BoM) accounting for all the dependencies and their sources for your application. In addition, the BoM-Diff capability allows you to compare differences in any dependency with respect to base branches in source code.

Get started today

Code Risk Analyzer is included as part of IBM Cloud Continuous Delivery and works with IBM Cloud Continuous Delivery Git Repos and Issue Tracking, GitHub, and GitHub Enterprise repositories. Code Risk Analyzer uses Tekton pipelines to run its scans through new toolchain templates and Tekton task definitions. Initially, Code Risk Analyzer is available in the Dallas (US-South) region only.

More resources

  • Read the IBM Research blog on Code Risk Analyzer.
  • For more information on Code Risk Analyzer, see the documentation.
  • If you have any questions, get help directly from the IBM Cloud development teams by joining us on Slack.
