SecureObs Documentation

SecureObs is a private-beta security findings platform for small engineering teams. It runs open-source scanners in your CI pipeline, deduplicates noisy results, gives findings a persistent dashboard, and can fail builds when blocking issues are present.

Private beta

SecureObs is not enterprise-ready, not externally audited, and not certified for SOC 2, ISO 27001, HIPAA, FedRAMP, or similar frameworks. These docs are intentionally direct about what is built today and what is still limited.

  • Start scanning

    Add SecureObs to GitHub Actions or Azure DevOps in under 10 minutes.

    → Getting started

  • Understand the scanner image

    Learn how secureobs/scanner runs Semgrep, Gitleaks, Trivy, Bandit, ESLint security, OSV-Scanner, and Checkov.

    → Scanner image

  • Use build gates

    Fail a pipeline only when findings match your project's blocking policy.

    → Build gate

  • Review infrastructure risk

    Use the Terraform infrastructure graph to connect IaC findings to topology.

    → Infrastructure graph

What SecureObs Does

SecureObs gives security scanner results a stable place to live:

  • runs scanners from a versioned Docker image in your own CI environment;
  • fetches scanner enablement from the SecureObs API at runtime;
  • ingests findings into a tenant-scoped dashboard;
  • deduplicates repeated and overlapping findings;
  • supports suppressions with audit history;
  • exposes SARIF export for compatible downstream tools;
  • evaluates build gates per pipeline run.

How It Fits

```mermaid
flowchart LR
  Repo["Repository"] --> CI["CI pipeline"]
  CI --> Scanner["secureobs/scanner"]
  Scanner --> Api["SecureObs API"]
  Api --> Store[("Tenant data")]
  Api --> Dashboard["Dashboard"]
  Scanner --> Gate["Build gate result"]
```

Terraform analysis follows the same boundary: analysis runs in your CI runner or in a short-lived managed runner, sanitizes the data locally, and uploads only the allowlisted topology and findings.

Common Paths