AI-powered code security

Find risky code before it ships.

ZelCode gives security and engineering teams one focused place to scan repositories, detect secrets, analyze dependencies, generate SBOMs, enforce CI/CD gates, and fix vulnerabilities with AINA Intelligence.

SAST: Source-code findings
SCA: Dependency risk
SBOM: Release evidence
AINA: Guided remediation
Zelfire Suite

Where ZelCode sits in the Zelfire product family.

ZelCode is the secure code and DevSecOps product inside the broader Zelfire cybersecurity suite, alongside testing, cloud, posture, access, XDR, SOAR, and zero-trust products.

Suite Core Zelfire

Unified cybersecurity products for testing, protection, detection, response, posture, access, cloud, and secure software delivery.

ZelTester
ZelWall
ZelCloud
ZelAccess
ZelScan
ZelRank
ZelDrift
ZelXDR
ZelSOAR
ZelPosture
ZelMap
ZelZero-Trust
ZelExploits
ZelKill
ZelCode
ZelCode anchors the secure software delivery layer: SAST, secrets, dependencies, SBOM, IaC, containers, APIs, AI application security, CI/CD gates, remediation, and evidence.
DevSecOps

Build, scan, fix, gate, prove.

DevSecOps embeds security into every stage of software delivery: planning, coding, pull requests, builds, CI/CD pipelines, releases, monitoring, evidence, and continuous improvement.

Traditional security often happens too late, after code is merged or production systems are exposed. DevSecOps changes that model by making security continuous, automated, measurable, and developer-friendly.

ZelCode makes DevSecOps operational inside the Zelfire Suite. It scans code, secrets, dependencies, SBOMs, infrastructure, containers, APIs, AI applications, pull requests, and pipelines, then uses AINA Intelligence to explain risk and guide remediation.

  • Is this code secure before merge?
  • Are there secrets in the repository?
  • Are dependencies vulnerable?
  • Will this release pass security gates?
  • Are APIs properly authenticated?
  • Do we have audit-ready evidence?
Shift Left: Move security earlier into design, coding, commits, pull requests, builds, SBOM generation, IaC checks, container scanning, API review, and AI security checks.
CI/CD Security: Scan every pull request, protected branch, build, artifact, and release candidate while generating SARIF, SBOMs, reports, logs, and release evidence.
Security Gates: Block or warn on new critical findings, active secrets, reachable KEV vulnerabilities, public infrastructure exposure, risky APIs, and high-risk AI features.
AINA Intelligence: Explain vulnerabilities, generate secure fixes, suggest tests, prioritize findings, recommend policies, summarize scans, and create executive-ready reports.
Plan
Design
Code
Commit
Pull Request
Build
Test
Scan
Gate
Release
Monitor
Improve
Earlier vulnerability detection
Fewer secrets in code
Stronger CI/CD gates
Proof-ready compliance evidence
Platform

Security coverage without the sprawl.

ZelCode organizes code security around the work engineers already do: commit, review, build, release, and prove.

01

SAST and dataflow

Trace vulnerabilities from input to sink with exact files, lines, exploit context, CWE, OWASP, and ASVS mapping.

02

Secret detection

Find credentials in source, ZIP uploads, repositories, and history, then produce rotation and incident evidence.

03

Dependencies and SBOM

Rank package risk by severity, reachability, exploitability, license, and upgrade path, with CycloneDX and SPDX exports.

04

Cloud, IaC, and containers

Review Terraform, Kubernetes, Dockerfiles, images, identities, exposed services, and hardening gaps before release.

05

API and AI app security

Assess OpenAPI, GraphQL, auth controls, BOLA/IDOR exposure, prompt injection, RAG leakage, and agent tool risk.

06

AINA remediation

Generate explanations, safer code, tests, review notes, executive summaries, and remediation plans in one workflow.

ZelCode Capabilities

A complete catalog of platform capabilities across SAST, DevSecOps, supply chain, AI security, CI/CD gates, compliance, evidence, reporting, and operations.

  1. Source Code Vulnerability Scanning: Scans application source code for insecure patterns, risky functions, vulnerable logic, and exploitable weaknesses.
  2. SAST - Static Application Security Testing: Finds vulnerabilities without running the application, including injection flaws, insecure coding patterns, unsafe deserialization, weak cryptography, and missing authorization.
  3. ZIP File Upload Scanning: Allows users to upload a zipped source-code directory and scan it securely.
  4. Repository Scanning: Connects to repositories and scans source code from GitHub, GitLab, Bitbucket, Azure DevOps, and other code platforms.
  5. Pull Request Security Review: Scans pull requests before merge and identifies new vulnerabilities introduced by code changes.
  6. Interactive Code Review Report: Shows files on the left, source code in the center, and findings with fix guidance on the right.
  7. Click-to-Code Vulnerability Navigation: Clicking a finding jumps directly to the vulnerable code line or range.
  8. File-Level Risk View: Shows which files contain vulnerabilities, how many findings exist per file, and the highest severity per file.
  9. Line-Level Evidence: Displays exact vulnerable lines, matched patterns, evidence snippets, and source-code context.
  10. Source-to-Sink Dataflow: Shows how untrusted input flows through the application into dangerous sinks.
  11. CWE Mapping: Maps findings to Common Weakness Enumeration identifiers.
  12. OWASP Top 10 Mapping: Maps web application findings to OWASP Top 10 categories.
  13. OWASP API Top 10 Mapping: Maps API security findings to OWASP API Top 10 risks.
  14. OWASP LLM Top 10 Mapping: Maps AI and LLM application findings to OWASP LLM security categories.
  15. OWASP ASVS Mapping: Maps application security findings to ASVS-style controls.
  16. AINA Vulnerability Explanation: Uses AINA Intelligence to explain what the vulnerability is, why it matters, and how it can affect the application.
  17. AINA Fix Guidance: Generates clear remediation steps and secure coding recommendations.
  18. AINA Secure Code Suggestions: Suggests safer replacement code for vulnerable snippets.
  19. AINA Fix Studio: Provides a remediation workspace with original code, fixed code, explanation, tests, confidence, and risk reduction.
  20. AI-Generated Tests: Generates suggested unit tests, regression tests, and security tests for remediated vulnerabilities.
  21. Fix PR Workflow: Supports workflows for creating or simulating fix pull requests based on AINA recommendations.
  22. Secret Scanning: Detects API keys, tokens, private keys, passwords, cloud credentials, webhook secrets, and other sensitive values.
  23. Git History Secret Detection: Can identify secrets that were committed in the past, even if removed from the latest version.
  24. Secret Rotation Tracking: Tracks whether exposed secrets have been rotated, revoked, or accepted as risk.
  25. Secret Incident Evidence: Generates evidence and incident records for exposed secrets.
  26. Dependency Security Scanning: Finds vulnerable open-source packages and risky third-party dependencies.
  27. Transitive Dependency Analysis: Identifies vulnerabilities inherited through indirect dependencies.
  28. Reachable Vulnerability Analysis: Prioritizes vulnerabilities that are actually reachable from application code.
  29. CVE Intelligence: Tracks CVEs affecting dependencies, containers, packages, and components.
  30. CVSS Prioritization: Ranks vulnerabilities by CVSS severity score.
  31. EPSS Prioritization: Uses exploit probability scoring to prioritize vulnerabilities more intelligently.
  32. KEV Prioritization: Highlights known exploited vulnerabilities that require urgent attention.
  33. Dependency Upgrade Guidance: Recommends safe fixed versions and upgrade paths.
  34. License Risk Analysis: Identifies risky, unknown, copyleft, or compliance-sensitive licenses.
  35. SBOM Generation: Generates Software Bill of Materials for applications, releases, repositories, and scans.
  36. CycloneDX Export: Exports SBOM data in CycloneDX format.
  37. SPDX Export: Exports SBOM data in SPDX format.
  38. SBOM Component Inventory: Tracks packages, versions, suppliers, licenses, hashes, and provenance.
  39. SBOM Vulnerability Mapping: Links SBOM components to known vulnerabilities and dependency risks.
  40. SBOM Diffing: Compares two SBOM versions to show added, removed, changed, fixed, and newly vulnerable components.
  41. Supply Chain Risk Analysis: Analyzes package health, provenance, supplier, license, vulnerability, and component integrity.
  42. Infrastructure-as-Code Scanning: Scans Terraform, OpenTofu, Kubernetes YAML, Helm, CloudFormation, IAM policies, Docker Compose, and CI/CD configuration files.
  43. Terraform Security Analysis: Detects public exposure, weak IAM, missing encryption, unsafe ingress, and risky cloud resources.
  44. Kubernetes Security Analysis: Detects privileged containers, hostPath volumes, root users, missing resource limits, missing network policies, and weak RBAC.
  45. Dockerfile Security Analysis: Detects unsafe base images, root users, secrets in environment variables, curl-pipe-to-shell patterns, and missing health checks.
  46. CI/CD Configuration Security: Scans GitHub Actions, GitLab CI, Azure Pipelines, Jenkinsfiles, Bitbucket Pipelines, and other workflow files.
  47. Cloud Exposure Detection: Identifies public buckets, open security groups, public services, and exposed cloud resources.
  48. IAM Risk Detection: Finds wildcard permissions, overly permissive policies, risky trust relationships, and privilege escalation risks.
  49. Container Image Security: Scans container images for CVEs, risky packages, secrets, root users, privileged configurations, and hardening gaps.
  50. Base Image Risk Analysis: Identifies outdated, vulnerable, unpinned, or risky base images.
  51. Container Layer Analysis: Shows which layer introduced packages, vulnerabilities, or secrets.
  52. Runtime Hardening Review: Checks runtime security settings such as privileged mode, root filesystem, capabilities, seccomp, AppArmor, host networking, and resource limits.
  53. Container SBOM Integration: Links container packages to SBOM components and vulnerability records.
  54. Image Signature and Provenance Tracking: Tracks whether container images are signed, verified, and provenance-supported.
  55. API Security Scanning: Analyzes REST APIs, OpenAPI specs, GraphQL schemas, endpoints, authentication, authorization, data exposure, and abuse controls.
  56. OpenAPI Import: Imports OpenAPI or Swagger files and creates endpoint inventories.
  57. GraphQL Schema Analysis: Reviews GraphQL schemas, resolvers, introspection risk, sensitive fields, and authorization gaps.
  58. Endpoint Inventory: Tracks API method, path, service, auth status, risk, findings, sensitive fields, and scan status.
  59. BOLA and IDOR Detection: Finds broken object-level authorization risks in APIs.
  60. Broken Function-Level Authorization Detection: Finds admin or privileged endpoints with weak or missing authorization.
  61. Mass Assignment Detection: Finds risky fields such as role, permissions, isAdmin, ownerId, and accountStatus.
  62. Sensitive Data Exposure Detection: Finds APIs returning PII, tokens, passwords, payment data, internal notes, or sensitive business data.
  63. JWT Security Review: Detects weak token validation, unsafe JWT handling, and missing token controls.
  64. Rate Limit Gap Detection: Finds endpoints missing rate limiting or abuse protection.
  65. Webhook Security Review: Checks webhook endpoints for missing signature validation and SSRF-style callback risks.
  66. AI Application Security: Analyzes LLM-powered applications, chatbots, agents, RAG systems, AI tools, prompt templates, and model providers.
  67. Prompt Injection Detection: Finds prompts, templates, and workflows vulnerable to malicious instruction override.
  68. System Prompt Exposure Detection: Identifies system prompts stored in exposed files or returned to users.
  69. Insecure Output Handling Detection: Finds unsafe uses of LLM output, including output passed to HTML, SQL, shell, APIs, or authorization decisions.
  70. RAG Leakage Analysis: Reviews RAG sources for tenant isolation, PII exposure, secrets exposure, weak access controls, and unsafe retrieval.
  71. AI Tool Permission Review: Identifies AI agents with excessive tool permissions, write access, database access, code execution, email sending, or deployment authority.
  72. Human Approval Gate Review: Detects high-impact AI actions that lack required human approval.
  73. AI Guardrail Coverage: Tracks input filtering, output validation, PII redaction, RAG filtering, tool approval, rate limiting, and audit logging.
  74. AI Red-Team Simulation: Supports safe simulation of AI security tests such as prompt injection, unsafe output, and data leakage scenarios.
  75. CI/CD Pipeline Security: Monitors pipeline runs, security scans, gate decisions, artifacts, branches, and release readiness.
  76. Security Gate Enforcement: Blocks or warns on risky merges, builds, deployments, or releases based on defined security policies.
  77. Branch-Specific Gate Rules: Applies different gate policies to main, develop, release, feature, and production branches.
  78. Release Readiness Review: Checks whether a release is safe based on findings, secrets, SBOM, gates, evidence, dependencies, containers, APIs, and AI risks.
  79. Pipeline Artifact Tracking: Tracks SARIF, JSON, CSV, SBOM, HTML, PDF-style reports, logs, and evidence packs.
  80. Pull Request Diff Review: Shows changed files, code diffs, inline findings, new risk, fixed risk, and AINA fix suggestions.
  81. New Versus Existing Finding Tracking: Distinguishes newly introduced findings from existing baseline issues.
  82. PR Merge Readiness: Shows whether a pull request is ready, blocked, pending review, missing evidence, or failing gates.
  83. Reviewer Assignment: Assigns security reviewers, developers, or owners to risky pull requests.
  84. AINA PR Fix Suggestions: Generates patch-style recommendations and fix summaries for pull request findings.
  85. Security Policies: Defines organization-wide policies for vulnerabilities, secrets, dependencies, infrastructure, containers, APIs, AI, CI/CD, evidence, and compliance.
  86. Policy-as-Code: Supports reusable security policies, rule conditions, enforcement modes, scopes, evidence requirements, and exceptions.
  87. Policy Simulator: Allows teams to test what a policy would block, warn, or allow before enforcing it.
  88. Exception Workflow: Supports risk acceptance, exception approval, business justification, expiration, and compensating controls.
  89. SLA Management: Tracks remediation SLAs for critical, high, medium, low, and informational findings.
  90. Security Rules Management: Manages built-in and custom detection rules for SAST, secrets, IaC, containers, APIs, AI, dependencies, and compliance.
  91. Rule Packs: Supports rule packs for OWASP, CWE, AI Security, Kubernetes, Terraform, PHP, Python, JavaScript, API Security, Containers, and more.
  92. Custom Rule Builder: Allows teams to create custom SAST, secret, IaC, API, AI, Dockerfile, YAML, or pattern-based rules.
  93. Rule Testing Sandbox: Lets users test custom rules against sample code without executing the code.
  94. False Positive Tuning: Tracks noisy rules, false-positive rates, suppressions, and precision improvements.
  95. Findings Management: Centralizes all findings with severity, status, owner, project, repository, SLA, CWE, OWASP, evidence, and fix guidance.
  96. Attack Path Visualization: Shows how data, access, configuration, or attacker flow reaches a vulnerable sink or high-risk asset.
  97. Risk Scoring: Calculates risk using severity, exploitability, reachability, exposure, business criticality, evidence, and remediation status.
  98. ZelScore: Provides a unified score for project, repository, release, or organization security posture.
  99. Dashboard Analytics: Shows charts, graphs, severity breakdowns, trends, heatmaps, remediation velocity, gate performance, and compliance readiness.
  100. Project Security Dashboard: Shows project-specific risks, scans, findings, dependencies, secrets, policies, reports, evidence, and activity.
  101. Repository Security Dashboard: Shows repository risk, branch risk, scan coverage, findings, secrets, dependency health, and provider status.
  102. Scan Orchestration: Runs and tracks scans across repositories, ZIP uploads, pull requests, branches, artifacts, containers, APIs, and AI features.
  103. New Scan Wizard: Guides users through target selection, source upload, scan module selection, policies, gates, and launch.
  104. Scan Logs: Displays scan execution logs, module status, artifacts, and timeline events.
  105. Scan Result Exports: Exports scan data as CSV, JSON, SARIF, HTML, and other supported report formats.
  106. Evidence Vault: Stores and links scan evidence, PR evidence, gate decisions, reports, SBOMs, policy evaluations, remediation notes, and compliance artifacts.
  107. Evidence Mapping: Maps evidence to controls, frameworks, policies, findings, reports, projects, scans, and releases.
  108. Compliance Mapping: Maps findings, reports, policies, evidence, and controls to security and compliance frameworks.
  109. RCF (Rocheston Cybersecurity Framework) Support: Supports RCF controls, domains, evidence, gaps, reports, maturity scoring, and AINA guidance.
  110. OWASP Top 10 Support: Maps application security risks to OWASP Top 10 categories.
  111. OWASP API Top 10 Support: Maps API risks to OWASP API Top 10 categories.
  112. OWASP LLM Top 10 Support: Maps AI and LLM application risks to OWASP LLM Top 10 categories.
  113. NIST SSDF Support: Maps secure software development activities to NIST SSDF-style evidence.
  114. SOC 2 Support: Supports secure development, change management, evidence, and audit readiness workflows.
  115. ISO 27001 Support: Supports security controls, risk management, evidence, and governance mapping.
  116. PCI DSS Support: Supports payment-related secure development, vulnerability, dependency, evidence, and release controls.
  117. HIPAA Support: Supports health-data-related application security, evidence, and compliance workflows.
  118. GDPR Support: Supports personal-data exposure review, evidence, privacy-related findings, and data protection controls.
  119. SLSA Support: Supports supply-chain provenance, build integrity, artifact tracking, SBOM, and release evidence.
  120. CIS Benchmark Support: Supports infrastructure, container, Kubernetes, and configuration hardening evidence.
  121. RCF Evidence Pack Generation: Generates proof-ready evidence packs for Rocheston Cybersecurity Framework controls.
  122. Compliance Gap Analysis: Identifies failed controls, missing evidence, expired evidence, unmapped controls, and open remediation actions.
  123. Audit Readiness Dashboard: Shows whether controls, evidence, reports, and approvals are ready for audit review.
  124. Executive Risk Reports: Generates leadership-ready reports with risk posture, trends, top projects, ZelScore, gates, and recommendations.
  125. Developer Remediation Reports: Generates developer-focused reports with vulnerable files, line numbers, CWE, OWASP, evidence, and fix guidance.
  126. Compliance Reports: Generates framework-specific reports for controls, evidence, gaps, remediation, and audit readiness.
  127. Customer Security Reports: Generates customer-safe security summaries for trust reviews.
  128. Release Readiness Reports: Generates go/no-go release reports based on scans, gates, findings, evidence, and AINA recommendations.
  129. Secret Exposure Reports: Generates reports for exposed credentials, impact, rotation status, and evidence.
  130. Dependency Risk Reports: Generates SCA reports with CVEs, CVSS, EPSS, KEV, reachability, license, and upgrade guidance.
  131. Infrastructure Security Reports: Generates IaC and cloud misconfiguration reports.
  132. Container Security Reports: Generates image CVE, hardening, SBOM, and runtime security reports.
  133. API Security Reports: Generates endpoint, OWASP API Top 10, auth coverage, and sensitive data exposure reports.
  134. AI Security Reports: Generates OWASP LLM Top 10, prompt, RAG, tool, guardrail, and model-risk reports.
  135. SARIF Export: Exports findings in SARIF-style format for code scanning workflows.
  136. CSV Export: Exports tables and report data in CSV format.
  137. JSON Export: Exports structured scan, finding, report, SBOM, and evidence data.
  138. Printable HTML Reports: Generates polished printable reports that can be saved as PDFs.
  139. Integration Management: Connects to code repositories, CI/CD platforms, ticketing systems, cloud providers, identity providers, notification channels, SIEM/SOC platforms, AI providers, and evidence systems.
  140. GitHub Integration: Supports repository, pull request, workflow, issue, and security workflow integration.
  141. GitLab Integration: Supports repository, merge request, CI/CD, and issue workflow integration.
  142. Bitbucket Integration: Supports source control and pull request workflows.
  143. Azure DevOps Integration: Supports repositories, pipelines, and work items.
  144. Jenkins Integration: Supports CI/CD pipeline status, artifacts, and gate workflows.
  145. Jira Integration: Supports ticket creation, remediation tracking, and finding-to-ticket mapping.
  146. Slack and Teams Notifications: Sends alerts for critical findings, secrets, blocked pipelines, overdue SLAs, reports, and evidence actions.
  147. SIEM/SOC Integration: Supports sending events, findings, gate failures, and audit activity to SIEM or SOC platforms.
  148. Identity Integration: Supports SSO, role mapping, SAML, SCIM, and identity provider integration concepts.
  149. AI Provider Integration: Supports AINA and OpenAI-compatible AI provider settings for generated explanations, fixes, reports, and queries.
  150. Activity Log: Tracks user actions, scans, findings, policy changes, reports, evidence uploads, gate decisions, and integration events.
  151. Notification Drawer: Shows alerts, activity, tasks, overdue items, critical findings, failed gates, AINA recommendations, and integration warnings.
  152. Global Search: Searches projects, repositories, scans, findings, reports, settings, policies, controls, evidence, integrations, and tools.
  153. Multi-Tenant Data Isolation: Ensures users only see data belonging to their tenant unless they have authorized global access.
  154. Role-Based Access Control: Supports roles such as Super Admin, Tenant Admin, Security Lead, Developer, Auditor, and Viewer.
  155. Two-Factor Authentication Support: Supports 2FA settings and account security workflows.
  156. User Profiles: Supports user profile management, notification preferences, avatars, and account settings.
  157. DevSecOps Process Guide: Provides an interactive DevSecOps page with infinity loop, shift-left guidance, CI/CD security blueprint, gates, evidence flow, AINA remediation loop, maturity model, playbooks, and checklist.
  158. DevSecOps Maturity Scoring: Measures maturity across code security, CI/CD gates, evidence automation, compliance mapping, AINA remediation, and developer adoption.
  159. DevSecOps Playbooks: Includes playbooks for secure pull request review, release readiness, secret response, dependency response, IaC exposure, container hardening, API authorization, AI security, RCF evidence, and incident readiness.
  160. ZelC Terminal: Provides a defensive query and automation console where users can run simulated DevSecOps workflows and generate queries with AINA.
  161. ZelC Query Templates: Includes templates for SAST, secrets, dependencies, SBOM, IaC, containers, APIs, AI, pipelines, PRs, gates, policies, rules, compliance, RCF, evidence, reports, and ransomware prevention readiness.
  162. Defensive Ransomware Prevention Readiness: Supports simulation-only checks for backups, immutable recovery evidence, privileged access, exposed services, reachable KEV vulnerabilities, logging evidence, segmentation risk, incident ownership, and recovery readiness.
  163. Safe Simulation Mode: Allows users to simulate queries, policies, scans, and workflows without executing dangerous commands or destructive actions.
  164. AINA Executive Summaries: Generates leadership-friendly summaries of risk, remediation, release readiness, and compliance posture.
  165. AINA Developer Summaries: Generates developer-focused explanations, fixes, test ideas, and remediation steps.
  166. AINA Compliance Guidance: Explains control gaps, missing evidence, recommended reports, and framework-specific remediation steps.
  167. AINA Policy Recommendations: Suggests policies, gate rules, enforcement modes, exceptions, and evidence requirements.
  168. AINA Rule Recommendations: Suggests custom rules, false-positive tuning, detection improvements, and secure examples.
  169. AINA Report Generation: Creates executive, developer, customer, release, compliance, and audit-style summaries.
  170. AINA DevSecOps Plan: Generates a 30/60/90-day secure CI/CD improvement plan.
  171. Beautiful Dashboards: Uses cards, charts, graphs, diagrams, progress rings, heatmaps, timelines, tables, and animated UI elements.
  172. Gruvbox Dark Interface: Uses a polished dark theme with earthy high-contrast colors and Fira Sans typography.
  173. Secure File Storage: Stores uploaded files, generated reports, and sensitive artifacts outside the public web directory.
  174. Authenticated Downloads: Serves reports, evidence, artifacts, and exports only through authenticated routes.
  175. Audit Trail: Tracks who did what, when, why, and against which project, finding, report, policy, or evidence item.
  176. Proof-Ready Security Operations: Turns scans, fixes, policies, gates, reports, and evidence into a defensible security record.
  177. Secure Software Delivery Support: Helps teams build, scan, fix, gate, release, monitor, and prove secure software.
  178. Developer-Friendly Remediation: Explains issues clearly, avoids vague scanner output, and gives practical fix guidance.
  179. Security-Team Command Center: Gives AppSec and DevSecOps teams centralized control over code risk, security gates, policies, findings, and evidence.
  180. Executive Visibility: Shows risk trends, security posture, ZelScore, compliance readiness, release readiness, and remediation progress.
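The SBOM Diffing capability above (item 40) compares two SBOM versions for added, removed, changed, fixed, and newly vulnerable components. The script below is an added example of that comparison over two constructed CycloneDX documents; it is not ZelCode's code, and it assumes the standard CycloneDX JSON layout (components with name, version and bom-ref; vulnerabilities whose "affects" entries reference a bom-ref) and that each package name appears only once per SBOM.

```python
"""Diff two CycloneDX SBOM documents (added example, not ZelCode's code).

Assumptions: CycloneDX JSON with "components" (name, version, bom-ref) and
"vulnerabilities" whose "affects" entries reference component bom-refs.
Components are keyed by name, so one version per package per SBOM.
"""
import json


def _components(bom: dict) -> dict:
    """Map component name -> component entry."""
    return {c["name"]: c for c in bom.get("components", [])}


def _vulnerable_pairs(bom: dict) -> set:
    """Set of (vulnerability id, component name) pairs recorded in the SBOM."""
    ref_to_name = {c.get("bom-ref"): c["name"] for c in bom.get("components", [])}
    pairs = set()
    for vuln in bom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            name = ref_to_name.get(affected.get("ref"))
            if name:  # ignore refs that point at nothing in this SBOM
                pairs.add((vuln["id"], name))
    return pairs


def diff_sboms(old_json: str, new_json: str) -> dict:
    """Added, removed, changed, fixed and newly vulnerable components."""
    old, new = json.loads(old_json), json.loads(new_json)
    old_c, new_c = _components(old), _components(new)
    common = set(old_c) & set(new_c)
    old_v, new_v = _vulnerable_pairs(old), _vulnerable_pairs(new)
    return {
        "added": sorted(set(new_c) - set(old_c)),
        "removed": sorted(set(old_c) - set(new_c)),
        # (name, old version, new version) for packages whose version moved
        "changed": sorted((n, old_c[n]["version"], new_c[n]["version"])
                          for n in common if old_c[n]["version"] != new_c[n]["version"]),
        # vulnerability/component pairs that disappeared between releases
        "fixed": sorted(old_v - new_v),
        # vulnerability/component pairs that appeared in the new release
        "newly_vulnerable": sorted(new_v - old_v),
    }


def _bom(components, vulns) -> str:
    """Build a minimal CycloneDX 1.5 document from constructed sample data."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": [{"type": "library", "name": n, "version": v,
                        "bom-ref": f"pkg:npm/{n}@{v}", "purl": f"pkg:npm/{n}@{v}"}
                       for n, v in components],
        "vulnerabilities": [{"id": vid, "affects": [{"ref": ref}]} for vid, ref in vulns],
    })


# Constructed sample SBOMs with placeholder package names and vulnerability
# ids. Release 1 -> release 2: example-core upgraded (its vuln fixed),
# example-legacy dropped, example-cache added with a new vuln, and
# example-http unchanged and still vulnerable (neither fixed nor new).
OLD_SBOM = _bom(
    [("example-core", "1.0.0"), ("example-http", "2.3.1"), ("example-legacy", "0.9.0")],
    [("VULN-PLACEHOLDER-1", "pkg:npm/example-core@1.0.0"),
     ("VULN-PLACEHOLDER-3", "pkg:npm/example-http@2.3.1")],
)
NEW_SBOM = _bom(
    [("example-core", "1.0.2"), ("example-http", "2.3.1"), ("example-cache", "4.0.0")],
    [("VULN-PLACEHOLDER-3", "pkg:npm/example-http@2.3.1"),
     ("VULN-PLACEHOLDER-7", "pkg:npm/example-cache@4.0.0")],
)

if __name__ == "__main__":
    for key, value in diff_sboms(OLD_SBOM, NEW_SBOM).items():
        print(f"{key}: {value}")
```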
Workflow

From finding to fix to gate.

ZelCode is designed for repeatable DevSecOps operation, not one-off reports. Every issue can move through triage, remediation, validation, release gating, and audit evidence.

Connect code: Upload a ZIP, connect repositories, or scan pull requests and pipeline artifacts.
Prioritize what matters: Use severity, exploitability, reachability, secrets, compliance, and business context.
Fix with AINA: Review generated guidance, patch examples, tests, and secure coding notes.
Enforce release gates: Block critical findings, active secrets, missing SBOMs, and unresolved policy violations.
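The gate step above blocks on new critical findings, active secrets, and missing SBOMs, and the DevSecOps section adds reachable KEV vulnerabilities and branch-specific rules. The script below is an added example of such a gate decision over constructed scan results; it is not ZelCode's code or policy format. It assumes findings can be fingerprinted (file, rule and normalised code) so new findings are separated from the baseline, that secrets carry a rotation status, and that dependency vulnerabilities carry KEV and reachability flags.

```python
"""Release-gate evaluation over constructed scan results (added example,
not ZelCode's API). Assumed data model: fingerprinted findings, secrets
with a rotation status, dependency vulns with KEV/reachability flags."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str  # critical / high / medium / low
    file: str
    snippet: str   # the vulnerable line, used for the fingerprint

    def fingerprint(self) -> str:
        # File, rule and whitespace-normalised code, but not the line number,
        # so an edit that only shifts lines does not make a baseline finding "new".
        raw = f"{self.file}|{self.rule_id}|{' '.join(self.snippet.split())}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Secret:
    kind: str
    file: str
    status: str  # active / rotated / accepted


@dataclass(frozen=True)
class DependencyVuln:
    package: str
    vuln_id: str
    kev: bool        # listed as a known exploited vulnerability
    reachable: bool  # reachable from application code


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)
    secrets: list = field(default_factory=list)
    dependency_vulns: list = field(default_factory=list)
    sbom_present: bool = True


# Assumed branch-specific policy: protected branches block on every condition;
# feature branches block only on an active secret and warn on the rest.
STRICT = {"new_critical", "active_secret", "reachable_kev", "missing_sbom"}
POLICY = {
    "main": {"block": STRICT, "warn": set()},
    "release": {"block": STRICT, "warn": set()},
    "feature": {"block": {"active_secret"}, "warn": STRICT - {"active_secret"}},
}


def new_findings(baseline: ScanResult, current: ScanResult) -> list:
    """Current findings whose fingerprint is absent from the baseline scan."""
    known = {f.fingerprint() for f in baseline.findings}
    return [f for f in current.findings if f.fingerprint() not in known]


def evaluate_gate(branch: str, baseline: ScanResult, current: ScanResult) -> dict:
    """Return {'decision': 'block'|'warn'|'pass', 'reasons': [...]} for the branch."""
    rules = POLICY.get(branch.split("/")[0], POLICY["feature"])
    triggered = []
    if any(f.severity == "critical" for f in new_findings(baseline, current)):
        triggered.append("new_critical")
    if any(s.status == "active" for s in current.secrets):
        triggered.append("active_secret")
    if any(v.kev and v.reachable for v in current.dependency_vulns):
        triggered.append("reachable_kev")
    if not current.sbom_present:
        triggered.append("missing_sbom")
    blocking = [t for t in triggered if t in rules["block"]]
    warning = [t for t in triggered if t in rules["warn"]]
    decision = "block" if blocking else ("warn" if warning else "pass")
    return {"decision": decision, "reasons": blocking + warning}


# Constructed sample scans: the baseline SQL injection is still present (same
# fingerprint despite extra spaces); a new command injection and an unrotated
# cloud key appear; the KEV-listed package is present but not reachable.
BASELINE = ScanResult(
    findings=[Finding("sql-injection", "critical", "app/db.py",
                      'cur.execute("SELECT * FROM users WHERE id=" + uid)')],
)
CURRENT = ScanResult(
    findings=[
        Finding("sql-injection", "critical", "app/db.py",
                'cur.execute("SELECT * FROM users WHERE id="  +  uid)'),
        Finding("command-injection", "critical", "app/export.py",
                'os.system("tar czf " + filename)'),
    ],
    secrets=[Secret("cloud-access-key", "config/settings.py", "active"),
             Secret("webhook-secret", "config/hooks.py", "rotated")],
    dependency_vulns=[DependencyVuln("example-lib", "VULN-PLACEHOLDER-1",
                                     kev=True, reachable=False)],
)

if __name__ == "__main__":
    for branch in ("main", "feature/export"):
        print(branch, evaluate_gate(branch, BASELINE, CURRENT))
```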
Evidence

Built for teams that need proof.

Export the artifacts developers, security leaders, auditors, and customers expect after a secure release process.

SARIF: Code scanning interoperability
PDF: Executive and audit reports
JSON: Automation-friendly findings
SBOM: CycloneDX and SPDX exports

FAQ

ZelCode FAQ.

Detailed answers for SAST, DevSecOps, AINA Intelligence, repository scanning, CI/CD gates, reports, evidence, compliance, and secure software delivery.

1. What is ZelCode?

ZelCode is Rocheston's SAST and DevSecOps Code Security Platform. It scans source code, repositories, uploaded ZIP files, dependencies, secrets, infrastructure-as-code, containers, APIs, AI applications, and CI/CD workflows for vulnerabilities and insecure patterns. ZelCode is part of the Zelfire Suite and is powered by AINA Intelligence.

2. What does ZelCode do?

ZelCode helps engineering and security teams find, understand, prioritize, fix, verify, and prove code security issues. It detects vulnerabilities, secret leaks, risky dependencies, SBOM gaps, infrastructure misconfigurations, container risks, API weaknesses, AI application security issues, and CI/CD gate failures.

3. Where can I launch ZelCode?

ZelCode can be launched at https://zelcode.rocheston.com.

4. Is ZelCode part of the Zelfire Suite?

Yes. ZelCode is part of the Zelfire Suite. It acts as the secure code, SAST, DevSecOps, remediation, CI/CD gate, and proof-ready reporting platform inside the Zelfire cybersecurity ecosystem.

5. What is AINA Intelligence in ZelCode?

AINA Intelligence is the AI layer inside ZelCode. It explains vulnerabilities, summarizes scans, generates fix guidance, suggests secure code, creates remediation plans, drafts reports, recommends policies, and helps developers and security teams understand risk faster.

6. What is SAST in ZelCode?

SAST stands for Static Application Security Testing. In ZelCode, SAST means scanning source code without running the application to detect insecure patterns, vulnerable code, hardcoded secrets, unsafe functions, missing authorization, weak cryptography, injection flaws, and other software security issues.

7. What kinds of vulnerabilities can ZelCode detect?

ZelCode can detect SQL injection, command injection, cross-site scripting, insecure deserialization, path traversal, SSRF, insecure file uploads, missing authorization, weak authentication, insecure CORS, hardcoded secrets, exposed API keys, private keys, weak hashing, unsafe eval usage, insecure JWT handling, dependency vulnerabilities, IaC misconfigurations, container risks, API weaknesses, and AI security issues.

8. Can users upload a ZIP file for scanning?

Yes. ZelCode supports ZIP upload scanning. Users can upload a zipped source-code directory, and ZelCode can scan the files for vulnerabilities, insecure patterns, hardcoded secrets, risky configuration, and other security issues. Uploaded code should be scanned safely and should not be executed.

9. Can ZelCode scan a full project directory?

Yes. ZelCode is designed to scan uploaded source directories, ZIP files, and connected repositories. It can analyze project structure, source files, dependencies, configuration files, Dockerfiles, infrastructure files, API specs, and CI/CD workflows.

10. Can ZelCode connect to GitHub repositories?

Yes. ZelCode can connect to GitHub repositories to scan branches, commits, pull requests, and full repositories. It can show repository risk, open findings, secret status, dependency health, scan history, and CI/CD integration status.

11. Does ZelCode support GitLab, Bitbucket, and Azure DevOps?

Yes. ZelCode is designed to support GitLab, Bitbucket, Azure DevOps, and other source control providers. These integrations help teams scan repositories, review pull requests, enforce security gates, and generate reports from connected development workflows.

12. Does ZelCode show the exact vulnerable code?

Yes. ZelCode can show the vulnerable file, line number, code snippet, matched pattern, evidence, source-to-sink flow, and remediation guidance. In the interactive SAST Code Review Report, users can click a finding and jump directly to the affected code line.

13. What is the SAST Code Review Report?

The SAST Code Review Report is ZelCode's interactive source-level vulnerability report. It includes a file explorer, syntax-highlighted code viewer, line numbers, highlighted vulnerable lines, gutter markers, findings panel, evidence, CWE mapping, OWASP mapping, AINA explanation, and secure fix guidance.

14. Can ZelCode explain how to fix a vulnerability?

Yes. ZelCode uses AINA Intelligence to explain what is wrong, why it is dangerous, how it could be exploited, what business impact it may create, and how to fix it securely. AINA can provide safe code examples, remediation steps, and suggested tests.

15. Can AINA generate secure code fixes?

Yes. AINA can generate secure fix suggestions, safer replacement code, patch-style recommendations, test ideas, pull request descriptions, and developer-friendly remediation guidance.

16. What is AINA Fix Studio?

AINA Fix Studio is ZelCode's AI-powered remediation workspace. It shows vulnerable code, AINA's suggested fix, explanation, generated tests, confidence score, estimated risk reduction, reviewer notes, and actions such as copying a fix, creating a ticket, or preparing a fix pull request.

17. Does ZelCode scan for secrets?

Yes. ZelCode includes secret scanning for API keys, cloud credentials, database passwords, private keys, OAuth tokens, GitHub tokens, JWT secrets, webhook secrets, environment files, and other sensitive values.

18. Can ZelCode scan Git history for secrets?

Yes. ZelCode is designed to support secret discovery in current files, branches, pull requests, and Git history. This helps identify credentials that may have been committed in the past even if they were later removed.
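The mechanism behind history scanning, as an added example (not ZelCode's own scanner): detection rules are applied to every version of every file in a commit history rather than only to the working tree, so a credential that was committed and later removed is still reported, and each finding records whether the matched line is still present at HEAD. The two rules, the entropy threshold and the sample history are constructed for this illustration.

```python
"""Secret discovery across current files and commit history (added example).

Applies detection rules to every file version in a constructed commit
history, reports each secret once at its first sighting, and flags whether
the same line still exists at HEAD. Rules and sample data are constructed.
"""
import math
import re
from collections import Counter
from typing import Dict, Iterator, List, NamedTuple, Tuple

# Constructed detection rules. Real scanners ship hundreds of provider-specific
# patterns; two generic shapes are enough to show the mechanism.
PATTERNS = {
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
MIN_ENTROPY = 3.5  # bits per character; placeholders such as "xxxxxxxx" fall far below


class Commit(NamedTuple):
    sha: str
    files: Dict[str, str]  # path -> full content at this commit (deleted files are absent)


class Finding(NamedTuple):
    rule: str
    sha: str             # first commit in which the line was seen
    path: str
    line: int
    still_present: bool  # True if the same line exists at HEAD


def shannon_entropy(s: str) -> float:
    """Bits per character; used to skip low-entropy placeholder values."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def scan_content(text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (rule, line_no, line) for every matching line of one file version."""
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "generic_api_key" and shannon_entropy(m.group(2)) < MIN_ENTROPY:
                continue  # low-entropy value: a placeholder, not a credential
            yield rule, line_no, line


def scan_history(history: List[Commit]) -> List[Finding]:
    """Walk commits oldest to newest; a secret is reported once, at its first sighting."""
    head = history[-1].files
    findings, seen = [], set()
    for commit in history:
        for path, content in commit.files.items():
            for rule, line_no, line in scan_content(content):
                key = (rule, path, line.strip())
                if key in seen:
                    continue
                seen.add(key)
                still = path in head and line.strip() in (
                    l.strip() for l in head[path].splitlines())
                findings.append(Finding(rule, commit.sha, path, line_no, still))
    return findings


# Constructed history: c1 commits an API key and a private key, c2 removes both
# (the key file is deleted, the config reads from the environment), c3 adds a
# webhook secret that is still present at HEAD. Values are made up.
SAMPLE_HISTORY = [
    Commit("c1", {
        "app/config.py": 'API_KEY = "Zq8vR2mN4tK7wX1pL9yB3hD6"\nTOKEN = "xxxxxxxxxxxxxxxxxxxxxxxx"\n',
        "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIconstructedNotARealKey\n-----END RSA PRIVATE KEY-----\n",
    }),
    Commit("c2", {
        "app/config.py": 'import os\nAPI_KEY = os.environ["API_KEY"]\nTOKEN = "xxxxxxxxxxxxxxxxxxxxxxxx"\n',
        "README.md": "# constructed project\n",
    }),
    Commit("c3", {
        "app/config.py": 'import os\nAPI_KEY = os.environ["API_KEY"]\nTOKEN = "xxxxxxxxxxxxxxxxxxxxxxxx"\n',
        "README.md": "# constructed project\n",
        "app/webhook.py": 'WEBHOOK_SECRET = "Hm4Tq7Lw2Zb9Xc5Vr1Np8Kd3"\n',
    }),
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        state = "still at HEAD" if f.still_present else "removed from HEAD, rotate anyway"
        print(f"{f.rule:18} {f.sha} {f.path}:{f.line}  {state}")
```

A working-tree-only scan of this history would report just the webhook secret; the history walk also surfaces the two credentials from `c1`, which is why removal from the current files is not a substitute for rotation.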

19. Does ZelCode help with secret rotation?

Yes. ZelCode can help teams detect exposed secrets, mark them as rotated, generate incident evidence, create tickets, and document remediation activity.

20. Does ZelCode support dependency scanning?

Yes. ZelCode includes dependency and software composition analysis. It can identify vulnerable packages, transitive dependency risks, outdated packages, reachable vulnerabilities, KEV-listed vulnerabilities, license risks, upgrade paths, and AINA-generated remediation guidance.

21. What is SBOM support in ZelCode?

ZelCode supports Software Bill of Materials workflows. It can generate and manage SBOM inventories, component metadata, package versions, supplier details, licenses, vulnerabilities, provenance, dependency relationships, and exports such as CycloneDX, SPDX, CSV, JSON, and printable reports.

22. Does ZelCode scan infrastructure-as-code?

Yes. ZelCode can scan Terraform, OpenTofu, Kubernetes YAML, Helm charts, Dockerfiles, Docker Compose, CloudFormation, GitHub Actions, GitLab CI, Azure Pipelines, Jenkinsfiles, IAM policies, and cloud policy files.

23. What infrastructure risks can ZelCode detect?

ZelCode can detect public cloud exposure, unrestricted security groups, public S3-style bucket risks, wildcard IAM policies, unencrypted databases, missing logging, privileged Kubernetes containers, hostPath mounts, missing resource limits, insecure CI/CD configuration, and secrets in infrastructure files.
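What such checks look like in practice, as an added example that is not ZelCode's own rule set: a small checker for two of the risk classes listed above, wildcard IAM policies and unsafe Kubernetes pod settings (privileged containers, root users, hostPath mounts, missing resource limits). Inputs are JSON so the block needs only the standard library; the policy document and pod manifest are constructed, as are the rule identifiers.

```python
"""Infrastructure-as-code misconfiguration checks (added example).

Two checkers over constructed inputs: an IAM policy document and a
Kubernetes Pod manifest. Rule names are made up for this illustration.
"""
import json
from typing import Any, Dict, List, NamedTuple


class Finding(NamedTuple):
    rule: str
    location: str
    detail: str


def _as_list(v):
    # IAM allows "Action": "s3:*" and "Action": ["s3:*"] interchangeably
    return v if isinstance(v, list) else [v]


def check_iam_policy(doc: Dict[str, Any]) -> List[Finding]:
    """Flag Allow statements with wildcard actions and/or wildcard resources."""
    out: List[Finding] = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        loc = f"Statement[{i}]"
        if "*" in actions and "*" in resources:
            out.append(Finding("iam-wildcard-admin", loc,
                               "Allow Action:* on Resource:* grants full account access"))
            continue
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            out.append(Finding("iam-wildcard-action", loc, f"wildcard actions {wild}"))
        if "*" in resources:
            out.append(Finding("iam-wildcard-resource", loc,
                               f"actions {actions} allowed on every resource"))
    return out


def check_pod(manifest: Dict[str, Any]) -> List[Finding]:
    """Flag privileged/root containers, missing limits, and hostPath volumes."""
    out: List[Finding] = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        # pod-level runAsUser/runAsNonRoot apply unless the container overrides them
        sc = {**pod_sc, **c.get("securityContext", {})}
        name = f"container/{c.get('name', '?')}"
        if sc.get("privileged") is True:
            out.append(Finding("k8s-privileged", name,
                               "privileged: true removes container isolation from the host"))
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            out.append(Finding("k8s-runs-as-root", name, "container runs as UID 0"))
        if not c.get("resources", {}).get("limits"):
            out.append(Finding("k8s-missing-limits", name, "no CPU/memory limits set"))
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            out.append(Finding("k8s-hostpath", f"volume/{v.get('name', '?')}",
                               f"mounts host path {v['hostPath'].get('path')}"))
    return out


# Constructed inputs: one scoped statement (fine), one service-wide wildcard,
# one full-admin wildcard, and a Deny that must be ignored.
IAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::constructed-bucket/*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::constructed-bucket/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}
""")

# Constructed manifest: a hardened app container beside a debug sidecar that
# is privileged, runs as root, has no limits, and a hostPath volume.
POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "constructed-app"},
  "spec": {
    "securityContext": {"runAsNonRoot": true},
    "containers": [
      {"name": "app", "image": "constructed/app:1.0",
       "securityContext": {"runAsNonRoot": true},
       "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
      {"name": "debug-sidecar", "image": "constructed/debug:latest",
       "securityContext": {"privileged": true, "runAsUser": 0}}
    ],
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]
  }
}
""")

if __name__ == "__main__":
    for f in check_iam_policy(IAM_POLICY) + check_pod(POD):
        print(f"{f.rule:22} {f.location:24} {f.detail}")
```

The same shape (parse the file, walk its structure, emit rule/location/detail findings) generalises to Terraform plans, CloudFormation templates and CI workflow files; what changes is the parser and the rule table, not the reporting model.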

24. Does ZelCode scan containers?

Yes. ZelCode includes container security analysis for image CVEs, base image risk, OS packages, application packages, root containers, privileged containers, exposed secrets, missing SBOMs, unsigned images, missing provenance, Dockerfile risks, runtime hardening issues, and Kubernetes security context problems.

25. Does ZelCode support API security?

Yes. ZelCode supports API security analysis for REST APIs, OpenAPI specifications, GraphQL schemas, endpoint inventory, authentication coverage, BOLA and IDOR risks, broken function-level authorization, mass assignment, sensitive data exposure, insecure JWT usage, missing rate limits, webhook signature issues, and OWASP API Top 10 mapping.

26. Can ZelCode import OpenAPI files?

Yes. ZelCode can import OpenAPI or Swagger files to discover endpoints, review authentication requirements, identify sensitive fields, detect missing security schemes, analyze schema risks, and map findings to API security controls.

27. Can ZelCode analyze GraphQL APIs?

Yes. ZelCode can analyze GraphQL schemas, operations, resolvers, introspection exposure, sensitive fields, resolver authorization gaps, excessive query risks, and GraphQL-related API security issues.

28. Does ZelCode support AI and LLM application security?

Yes. ZelCode includes AI security analysis for LLM-powered applications, chatbots, agents, RAG systems, AI tools, prompt templates, model providers, guardrails, prompt injection risk, insecure output handling, system prompt exposure, sensitive data leakage, excessive tool permissions, missing human approval, and RAG tenant leakage.

29. Can ZelCode scan chatbots and AI assistants?

Yes. ZelCode can assess chatbot and AI assistant security by reviewing prompt templates, system prompts, tool permissions, RAG data sources, sensitive data exposure, unsafe output handling, missing guardrails, model/provider settings, and approval controls for high-impact agent actions.

30. What chatbot risks can ZelCode detect?

ZelCode can help identify prompt injection, system prompt leakage, sensitive data disclosure, unsafe rendering of model output, excessive tool access, RAG data leakage, weak tenant isolation, missing output validation, overreliance on AI decisions, insecure plugin design, missing human approval, and weak audit logging.

31. Does ZelCode help secure RAG applications?

Yes. ZelCode can evaluate retrieval-augmented generation systems for tenant isolation, access control, PII exposure, secrets exposure, retrieval filtering, unsafe document instructions, untrusted retrieved content, shared vector store risks, and evidence of guardrail coverage.

32. What is ZelC Terminal?

ZelC Terminal is ZelCode's defensive DevSecOps query and automation console. Users can write ZelC queries, select templates, ask AINA to generate queries, run simulations, view results, export outputs, generate evidence, and automate security workflows across ZelCode modules.

33. Can AINA generate ZelC queries?

Yes. AINA can generate ZelC queries from natural-language instructions. For example, users can ask AINA to create a query for release readiness, RCF evidence gaps, critical findings, active secrets, AI tool risks, ransomware prevention readiness, or compliance reporting.

34. What does ransomware containment mean in ZelCode?

In ZelCode, ransomware containment means defensive ransomware prevention, hardening, detection readiness, backup validation, least-privilege review, segmentation review, incident ownership, evidence collection, recovery readiness, and simulation-only response planning. It does not mean generating ransomware, malware, destructive code, encryption payloads, evasion logic, credential theft, or offensive tooling.

35. Does ZelCode execute dangerous commands?

No. ZelCode is designed for defensive code security and DevSecOps workflows. Uploaded code is scanned, not executed. ZelC Terminal executions are simulated or safely mapped to existing ZelCode data. ZelCode should not run destructive actions, execute malware, run arbitrary OS shell commands, or perform offensive activity.

36. How does ZelCode work with CI/CD pipelines?

ZelCode integrates with CI/CD workflows to scan code during pull requests, builds, deployments, and release checks. It can enforce security gates, generate SARIF, create SBOMs, produce reports, block risky releases, track artifacts, and store gate decisions as evidence.

37. What are Security Gates in ZelCode?

Security Gates are policy-driven checks that determine whether a pull request, pipeline, or release should pass, warn, fail, or be blocked. Gates can block new critical findings, active secrets, reachable KEV vulnerabilities, public IaC exposure, critical container CVEs, unauthenticated admin APIs, and high-risk AI security issues.

38. Does ZelCode support pull request security review?

Yes. ZelCode supports secure pull request review with changed-file scanning, new-versus-existing finding tracking, inline vulnerability annotations, reviewer assignment, gate decisions, AINA fix suggestions, merge readiness checks, and PR security evidence.

39. Can ZelCode show new versus existing findings in a pull request?

Yes. ZelCode can distinguish new findings introduced by a pull request from existing baseline findings, fixed findings, reopened findings, false positives, and accepted risks. This helps teams focus gates on new risk instead of blocking every old issue.
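The two mechanisms described in the gate and pull-request answers above, as an added example that is not ZelCode's own implementation: a content fingerprint (rule, file, whitespace-normalised snippet, deliberately without the line number) separates findings a pull request introduces from the existing baseline, and a policy table judges only the new bucket so the gate blocks new risk without failing on old debt. Rule ids, file paths, findings and the policy are constructed.

```python
"""Pull-request triage and security-gate evaluation (added example).

Baseline-versus-HEAD bucketing keyed on a stable fingerprint, followed by a
pass / warn / block decision over the NEW bucket only. All data is constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


def fingerprint(rule_id: str, path: str, snippet: str) -> str:
    """Stable identity for a finding. Line numbers are excluded on purpose so
    unrelated edits above the finding do not make it look new."""
    norm = re.sub(r"\s+", " ", snippet).strip()
    return hashlib.sha256(f"{rule_id}|{path}|{norm}".encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str
    severity: str              # "critical" | "high" | "medium" | "low"
    active_secret: bool = False
    reachable_kev: bool = False

    @property
    def fp(self) -> str:
        return fingerprint(self.rule_id, self.path, self.snippet)


def triage_pr(baseline: List[Finding], head: List[Finding],
              accepted_risk: Set[str], false_positives: Set[str]) -> Dict[str, List[Finding]]:
    """Bucket HEAD findings relative to the baseline-branch scan."""
    base = {f.fp: f for f in baseline}
    cur = {f.fp: f for f in head}
    buckets: Dict[str, List[Finding]] = {"new": [], "existing": [], "fixed": [], "suppressed": []}
    for fp, f in cur.items():
        if fp in accepted_risk or fp in false_positives:
            buckets["suppressed"].append(f)   # triaged earlier; never gates
        elif fp in base:
            buckets["existing"].append(f)     # baseline debt, tracked but not blocking
        else:
            buckets["new"].append(f)          # introduced by this PR
    buckets["fixed"] = [f for fp, f in base.items() if fp not in cur]
    return buckets


# Constructed gate policy: (rule name, action, predicate over a NEW finding).
GATE_POLICY: List[Tuple[str, str, Callable[[Finding], bool]]] = [
    ("no-new-critical", "block", lambda f: f.severity == "critical"),
    ("no-active-secrets", "block", lambda f: f.active_secret),
    ("no-reachable-kev", "block", lambda f: f.reachable_kev),
    ("review-new-high", "warn", lambda f: f.severity == "high"),
]
RANK = {"pass": 0, "warn": 1, "block": 2}


def evaluate_gate(buckets: Dict[str, List[Finding]], policy=GATE_POLICY) -> Tuple[str, List[str]]:
    """Return (decision, reasons); the strictest triggered action wins."""
    decision, reasons = "pass", []
    for f in buckets["new"]:
        for name, action, pred in policy:
            if pred(f):
                reasons.append(f"{name}: {f.rule_id} at {f.path}:{f.line}")
                if RANK[action] > RANK[decision]:
                    decision = action
    return decision, reasons


# Constructed scans. The SQL-injection finding moved from line 10 to 14 in the
# PR (code was added above it) and its spacing changed, but it is the same code.
BASELINE = [
    Finding("py/sql-injection", "app/db.py", 10,
            'cur.execute("SELECT * FROM users WHERE id=" + uid)', "high"),
    Finding("secrets/hardcoded", "app/settings.py", 3,
            'API_KEY = "constructed-placeholder"', "critical", active_secret=True),
    Finding("py/weak-hash", "app/auth.py", 22, "hashlib.md5(pw.encode())", "medium"),
]
HEAD = [
    Finding("py/sql-injection", "app/db.py", 14,
            'cur.execute("SELECT * FROM users WHERE id="  +  uid)', "high"),
    Finding("py/weak-hash", "app/auth.py", 22, "hashlib.md5(pw.encode())", "medium"),
    Finding("py/command-injection", "app/tasks.py", 40, "subprocess.run(cmd, shell=True)", "critical"),
    Finding("py/xss", "app/views.py", 8, "return Markup(user_input)", "high"),
]
ACCEPTED_RISK = {fingerprint("py/weak-hash", "app/auth.py", "hashlib.md5(pw.encode())")}
FALSE_POSITIVES: Set[str] = set()

if __name__ == "__main__":
    t = triage_pr(BASELINE, HEAD, ACCEPTED_RISK, FALSE_POSITIVES)
    for bucket, items in t.items():
        print(bucket, [f"{f.rule_id}@{f.path}:{f.line}" for f in items])
    print(evaluate_gate(t))
```

With this data the hardcoded secret shows as fixed, the moved SQL-injection finding stays in the existing bucket, the accepted weak-hash finding is suppressed, and only the two findings the PR introduced reach the gate, which blocks on the new critical.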

40. Can ZelCode generate proof-ready reports?

Yes. ZelCode can generate proof-ready reports for executives, developers, auditors, customers, compliance teams, release readiness, SBOM review, secret exposure, dependency risk, infrastructure security, container security, API security, AI security, CI/CD gates, pull requests, and evidence packs.

41. What export formats does ZelCode support?

ZelCode supports export formats such as printable HTML, CSV, JSON, SARIF, CycloneDX, SPDX, and PDF-style reports. These exports support developer remediation, code scanning integrations, SBOM review, compliance evidence, audit readiness, and customer security reviews.

42. Does ZelCode support compliance mapping?

Yes. ZelCode maps findings, policies, evidence, reports, and controls to security and compliance frameworks such as RCF (Rocheston Cybersecurity Framework), OWASP Top 10, OWASP API Top 10, OWASP ASVS, OWASP LLM Top 10, CWE Top 25, NIST SSDF, SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, SLSA, CIS Benchmarks, and NIST CSF.

43. What is RCF in ZelCode?

RCF stands for Rocheston Cybersecurity Framework. In ZelCode, RCF can be used as a first-class framework for secure software development, code security, secret protection, dependency and supply-chain security, cloud and container security, API and AI security, CI/CD governance, evidence readiness, remediation, and audit preparation.

44. Does ZelCode have an Evidence Vault?

Yes. ZelCode includes Evidence Vault capabilities for storing and linking proof such as scan results, PR reviews, gate decisions, SBOMs, reports, remediation notes, policy evaluations, risk acceptances, AINA recommendations, and compliance artifacts.

45. What is the DevSecOps page in ZelCode?

The DevSecOps page is an interactive process guide that teaches users how to follow secure CI/CD practices. It explains the DevSecOps infinity loop, shift-left security, CI/CD security blueprint, security gates, evidence automation, AINA remediation, maturity model, playbooks, checklists, KPIs, and release readiness process.

46. Is ZelCode multi-tenant?

Yes. ZelCode is designed as a multi-tenant SaaS-style application. Tenant data such as users, projects, repositories, scans, findings, reports, settings, activity logs, evidence, and integrations should be isolated so standard users only see data for their own tenant.

47. What user roles does ZelCode support?

ZelCode can support roles such as Super Admin, Tenant Admin, Security Lead, Developer, Auditor, and Viewer. Role-based access controls help determine who can create scans, manage policies, approve exceptions, view reports, upload evidence, configure integrations, and administer users.

48. Who uses ZelCode?

ZelCode is designed for developers, AppSec teams, DevSecOps engineers, security leads, platform engineers, compliance teams, auditors, CISOs, and engineering leaders who need to build, scan, fix, gate, release, and prove secure software.

49. How does ZelCode help developers?

ZelCode helps developers by showing exact vulnerable code locations, explaining issues clearly, generating secure fixes, suggesting tests, annotating pull requests, reducing false positives, prioritizing real risk, and helping teams fix vulnerabilities before they reach production.

50. How does ZelCode help security teams?

ZelCode helps security teams centralize code risk, prioritize vulnerabilities, enforce policies, track remediation, review evidence, map controls, monitor DevSecOps coverage, manage security gates, and generate proof-ready reports for leadership and auditors.

51. How does ZelCode help compliance teams?

ZelCode helps compliance teams by linking security controls to evidence such as scans, reports, pull request reviews, security gate decisions, SBOMs, policy evaluations, remediation records, and AINA summaries. This supports audit readiness and proof-based security governance.

52. Does ZelCode replace developer tools?

No. ZelCode does not need to replace developer tools. It connects to repositories, CI/CD systems, reports, and security workflows to add code security, AI remediation, policy enforcement, evidence, and compliance visibility across the secure software delivery lifecycle.

53. What makes ZelCode different from a basic code scanner?

ZelCode goes beyond basic scanning by combining SAST, secret scanning, dependencies, SBOM, IaC, containers, APIs, AI security, CI/CD gates, pull request review, AINA fix guidance, ZelC Terminal, policy-as-code, evidence, reports, RCF mapping, and DevSecOps process guidance in one platform.

54. Why should organizations use ZelCode?

Organizations should use ZelCode to reduce software security risk, catch vulnerabilities earlier, prevent secrets from reaching production, prioritize exploitable risks, secure CI/CD pipelines, generate SBOMs, support compliance, improve developer remediation, and produce proof-ready reports for leadership, auditors, and customers.

55. What is the main goal of ZelCode?

The main goal of ZelCode is to help teams build secure software continuously. It enables teams to scan code, detect risks, fix vulnerabilities, enforce DevSecOps gates, collect evidence, map compliance, and prove that software security controls are working.

Open the security cockpit.

Launch ZelCode to scan code, fix high-risk findings, and generate proof-ready DevSecOps evidence.
