Use code detection

Step 1: Create a detection strategy

1. Log on to the Codeup homepage. In the left-side navigation pane, choose .

2. Configure the detection strategy.

   The platform provides several built-in strategies. You can also copy an existing strategy or create a new one that meets your needs.

   1. Built-in strategy

      You can copy a built-in strategy or create your own strategy as needed.

      In the list on the left, select a built-in strategy (for example, Python recommended detection strategy). You can click Copy/edit strategy in the upper-right corner to copy and customize the strategy, or click the Copy strategy button to quickly copy it. You can also click Add rule to add a new rule package to the strategy.

   2. Copy a strategy

      Select a recommended detection strategy to copy. In the Add detection strategy dialog box that appears, select Copy an existing strategy, enter a Strategy name and Strategy description, select the target strategy from the Select strategy drop-down list, and click OK.

   3. Create a new detection strategy. In the Add detection strategy dialog box, select Create a new strategy, enter a Strategy name and Strategy description. In the Add rule package area, select a language (for example, TypeScript, Node.js, Python, Go, C/C++, or Lua). Then, click Add rule package to select the required rule packages from the list for the corresponding language, and click OK.

   4. Compile configuration

      Note

      To avoid repeatedly entering compilation parameters, we recommend setting the Default compile configuration in the strategy.

      If you do not configure a compilation command, the detection task fails due to missing compilation parameters.

      In the detection rule list, rule packages that require compilation, such as Java security detection, have their compilation requirements specified in the description. Configure the compilation settings as prompted by the detection rule. Click Default compile configuration. In the dialog box that appears, select a Compilation environment (for example, JDK 1.8, OpenJDK 11, JDK 17, or JDK 21), and click OK to save.

Step 2: Adjust the strategy content

After you select a detection strategy, you can adjust its rules and configuration as needed.

1. Adjust the detection rule content.

   For each rule, you can edit its severity level. Some rules also allow you to customize detection parameters, such as using regular expressions to limit the detection scope. You can also disable unsuitable rules or re-enable them.

   Warning

   Disabling a rule has the following effects:

   • Issues found by the rule are automatically closed after the next detection run.

   • When you run the current detection strategy, the rule is not executed.

   For example, click a rule to open the edit dialog box. You can then adjust the level in the Severity level drop-down list (critical, warning, or suggestion), or configure custom regular expression parameters in the rule details.

2. Associate the detection strategy with a detection task. On the detection strategy details page, go to the Associated code tab. If no detection task is associated, click the Create detection task button to associate one.

   Create a new detection task. In the Create detection task dialog box that appears, select a Code source type (for example, Codeup), select a code repository and detection strategy, select a Trigger method (for example, on commit or on merge request), and click Create and execute.

3. All changes to the detection strategy are recorded in the strategy's change history.

4. Adjust the detection strategy settings.

   On the Settings page of the plan, you can change the plan name, enter a description, configure the file whitelist for detection, and click Save.

   Files in whitelisted paths are automatically skipped during detection.

   Important

   Before deleting a strategy, ensure that it is not associated with any detection task. If it is, you must first disassociate it from the detection tasks to avoid affecting running tasks.

Step 3: Associate a strategy with a code repository

After you associate a strategy with a code repository, it becomes a runnable detection task. You can create a maximum of one detection task per code repository. This task can be run multiple times on different branches.

1. Go to and click Create detection task. On the Detection tasks page, you can view the run status and detection statistics of existing tasks.

2. Select an appropriate detection task configuration. In the Detection strategy drop-down list, you can select a built-in strategy (such as Java recommended detection strategy or Python recommended detection strategy) or a custom strategy.

3. In addition to manual triggers, you can set up automatic triggers for a detection task, including commit triggers and merge request triggers. If you select a commit trigger, you must specify the branches to monitor, and regular expressions are supported. If you select a merge request trigger, any merge request in the repository triggers a scan of the code changes between the source branch and the destination branch.

   Note

   • For detection packages that require compilation at runtime, you must set compilation parameters. If a default compilation configuration has been set in the detection strategy, the configuration is automatically inherited and populated on the detection task creation page. You can also modify the compilation configuration for the detection task. These modifications affect only the current detection task and do not alter the detection strategy.

   • After you select the "I have read and agree to the code detection service agreement" checkbox, you can immediately create the task and run a code scan on the default branch.

   • You can also run scans on specific branches later using automatic or manual triggers.

Step 4: View detection results

• View results in the detection task.

  Go to the detection task, select Overview, and view the results of the most recent successful full detection and the list of issues for the current branch.

  • The Overview tab contains:

    • Detection result: The pass/fail status, along with the corresponding number of issues and the quality gate threshold.

    • Issue overview: The number of unresolved and resolved issues.

    • Issue severity distribution: The distribution of critical, warning, and suggestion issues.

    • Issue type distribution: The distribution of security and coding standard issues.

    • Distribution by contributor: The number of issues of various types introduced by different users.

    • Rules with the most critical issues: A ranking of rules that triggered the most critical issues.

    • Issue trend: The trend of outstanding issues for each severity level.

  • Issue list

    The issue list is sorted by severity level and resolution status. Click an issue row to view its details. You can ignore an issue to prevent it from being reported again in that branch.

  • Run history

    The code detection service runs on the Flow pipeline. If a detection run fails, you can click View run log on the page to go to Flow and view the error log to troubleshoot the issue.

    If the latest detection run failed, the detection task details page retains the results of the last successful run and displays an alert with the failure time. You can go to the execution log to investigate and resolve the issue.

• View detection results in code repository commits and merge requests.

  • Commit detection results

    In the commit and branch views, if a specific commit has code detection results, you can quickly view them on a card in the list. Click the card to view the issue details.

  • Merge request detection results

    If a merge request trigger is selected, you can see the results of the automated scan in the merge request list and in the merge conditions section of the merge details.

    After the run is complete, click View Details to see the detected issues in the file changes view of the current merge request. Click an issue to go directly to the corresponding line of code.

FAQ