Secure Coder

Edit online

Secure Coder helps development and security teams identify, assess, and remediate security vulnerabilities throughout the software development lifecycle. Secure Coder integrates with IBM Concert to provide vulnerability scanning, exposure visibility, remediation recommendations, and guided remediation workflows across development and delivery environments.

How Secure Coder works

Secure Coder supports vulnerability management throughout the software delivery lifecycle:
  1. Identify vulnerabilities by scanning source code, dependencies, repositories, and Kubernetes manifests.
  2. Review scan findings, security exposures, and remediation recommendations in the IDE or IBM Concert.
  3. Remediate vulnerabilities by applying recommended fixes, upgrading vulnerable dependencies, or using AI-assisted remediation recommendations where available.
  4. Validate remediations by rerunning scans and reviewing updated results.
  5. Track remediation activities and vulnerability status in IBM Concert.

Secure Coder experiences

Secure Coder provides two complementary experiences:

Concert Secure Coder (IDE extension)

An IDE-based experience for Visual Studio Code and IBM Bob that enables developers to:
  • Scan files and repositories for security vulnerabilities.
  • Detect exposed secrets.
  • Identify Kubernetes manifest configuration issues.
  • Analyze open source dependencies.
  • Apply AI-assisted remediation recommendations where available.
  • View security exposures that are synchronized from IBM Concert.

IBM Concert Secure Coder in the browser

A browser-based experience within IBM Concert that enables users to:
  • Review remediation actions that are generated from vulnerability findings.
  • Review package dependency vulnerabilities and their impact.
  • Evaluate remediation plans and guided remediations.
  • Upgrade vulnerable dependencies.
  • Review and validate remediation results.
  • Generate pull requests and track remediation progress.

The IDE extension and browser experience can be used together to provide a consistent remediation workflow across development and delivery stages. Developers can identify and remediate issues during code development, while teams can review and address package dependency vulnerabilities that are discovered later through CI/CD pipelines, software composition analysis (SCA), and other security scanning processes.