
Administration Guide

Integration and feature matrix

This topic provides an overview of the integration options available for FortiCNAPP Code Security and the features supported by each integration type and Git provider.

Integration types

Code Security offers two primary integration approaches:

Integration type | Description | Best for
SCM application integration | Install the Code Security app directly into your GitHub, GitLab, or Bitbucket organization. Provides automatic scanning on Git events with full SDLC integration. | Teams wanting turnkey setup with automatic PR scanning and minimal configuration
CI/CD pipeline integration | Run Code Security scanning tools within your existing CI/CD pipelines using binary tools or CLI. | Teams with existing pipeline infrastructure or requiring custom workflow control

SCM application integration

The SCM application integration installs directly into your source control management platform, providing seamless security scanning without modifying your CI/CD pipelines.

The following table lists supported Git providers:

Provider (SCM application) | Cloud | Self-hosted
GitHub | Supported | Not available
GitLab | Supported | Not available
Bitbucket | Supported | Not available
Azure DevOps | Not available | Not available

The following table lists features supported by Git provider:

Feature | GitHub | GitLab | Bitbucket
Scanning capabilities
Infrastructure-as-Code (IaC) | Supported | Supported | Supported
Software Composition Analysis (SCA) | Supported | Supported | Supported
Static Application Security Testing (SAST) | Supported | Supported | Supported
Secrets detection | Supported | Supported | Supported
License compliance | Supported | Supported | Supported
PR/MR integration
PR status checks | Supported | Supported | Supported
PR comments with findings | Supported | Supported | Supported
Block PR on violations | Supported | Supported | Supported
Scan triggers
Onboarding scan | Supported | Supported | Supported
PR/MR created | Supported | Supported | Supported
Commits to PR branch | Supported | Supported | Supported
PR merged (rescan default branch) | Supported | Supported | Supported
New repository added | Supported | Supported | Supported
Weekly scheduled scan | Supported | Supported | Supported
Ad hoc scan from console | Supported | Supported | Supported
Configuration
UI-based settings | Supported | Supported | Supported
codesec.yaml file support | Supported | Supported | Supported
Repository-level settings | Supported | Supported | Supported
Codespace-level settings | Supported | Supported | Supported

CI/CD pipeline integration

CI/CD integration allows you to run Code Security scanning tools directly within your existing pipeline infrastructure using binary tools.

The following table lists features supported by the CI/CD pipeline:

Feature | GitHub Actions | GitLab CI/CD | Azure DevOps | Bitbucket Pipelines
Scanning capabilities
Infrastructure-as-Code (IaC) | Supported | Supported | Supported | Supported
Software Composition Analysis (SCA) | Supported | Supported | Supported | Supported
Static Application Security Testing (SAST) | Supported | Supported | Supported | Supported
Secrets detection | Supported | Supported | Supported | Supported
License compliance | Supported | Supported | Supported | Supported
Pipeline integration
Exit code on violations (IaC) | Supported | Supported | Supported | Supported
Exit code on violations (SCA) | Not yet supported | Not yet supported | Not yet supported | Not yet supported
SARIF output for IaC | Not yet supported | Not yet supported | Not yet supported | Not yet supported
SARIF output for SCA | Supported | Supported | Supported | Supported
JSON output | Supported | Supported | Supported | Supported
PR commenting*
IaC findings as PR comments | Supported | Supported | Supported | Supported
SCA findings as PR comments | Supported | Supported | Supported | Supported

*PR commenting capability for CI/CD pipeline integrations is available for GitHub, GitLab, Bitbucket, and Azure DevOps. This allows IaC and SCA binary tool results to be posted directly to pull requests.

IaC-only integration

The following table lists the features supported by CI/CD integration providers that support Infrastructure-as-Code (IaC) scanning only:

Feature | Jenkins | Atlantis
Scanning capabilities
Infrastructure-as-Code (IaC) | Supported | Supported
Pipeline integration
Exit code on violations (IaC) | Supported | Supported
JSON output | Supported | Supported

Choosing an integration approach

The following table compares SCM applications against CI/CD pipeline:

Consideration | SCM application | CI/CD pipeline
Setup complexity | Low (install application, select repositories) | Medium (configure pipeline jobs)
Maintenance | Automatic updates | Automatic if using FortiCNAPP images
Scan triggers | Automatic on Git events | Triggered by pipeline execution
PR commenting | Built-in | Not yet supported
Custom workflow control | Limited | Full control
Self-hosted runners | Not required | Can use self-hosted runners
Network requirements | Outbound to Fortinet | Outbound to Fortinet
Results location | FortiCNAPP console | FortiCNAPP console and pipeline logs
Data residency | Code is scanned in a FortiCNAPP data center; the process is clone, scan, and delete | Code is scanned where the pipeline runs, in the cloud or on-premises

As shown in the table, the choice between an SCM application integration and a CI/CD pipeline integration depends on multiple factors:

  • Use an SCM application integration when:

    • You want automatic scanning with minimal configuration.

    • PR commenting and status checks are important to your workflow.

    • You prefer centralized management through the FortiCNAPP console.

    • Your repositories are in GitHub SaaS, GitLab SaaS, or Bitbucket Cloud.

  • Use a CI/CD pipeline integration when:

    • You need fine-grained control over when and how scans run.

    • You have existing pipeline infrastructure you want to leverage.

    • You're using GitLab Self-Managed, Azure DevOps, Jenkins, or other CI/CD platforms not supported by an SCM application.

    • You want to integrate scanning into custom workflow stages.

    • You need to scan in air-gapped or restricted network environments.

  • Use both integrations together when:

    • You want automatic PR scanning (SCM application) plus additional scanning stages in your pipeline.

    • Different teams have different requirements.

    • You're migrating between approaches.

IDE integration

In addition to SCM and CI/CD integrations, Code Security offers IDE extensions for shift-left security:

IDE SCA SAST IaC Secrets
VS Code

Cursor

Windsurf

Not yet supported Not yet supported Not yet supported Not yet supported
IntelliJ IDEA Not yet supported Not yet supported Not yet supported Not yet supported
PyCharm Not yet supported Not yet supported Not yet supported Not yet supported
GoLand Not yet supported Not yet supported Not yet supported Not yet supported
RubyMine Not yet supported Not yet supported Not yet supported Not yet supported

For more information, see IDE extensions.
