Security tooling and processes

This page contains information on tools and processes we run within the Security team.

If you want to document sensitive information, you can either:


Terraform Cloud

We use Terraform Cloud to manage the deployment of cloud infrastructure across Sourcegraph. You can find more information on using the platform here.

Notifications for changes to Terraform in folders of interest to the Security team go to #security-terraform. The configuration of notification settings can be found in infrastructure/terraform-cloud.

SAST scanning

We use a combination of tools within the team to cover a number of different types of vulnerability.

  • We use Checkov to scan our Terraform infrastructure.
  • We use Trivy to scan containers for issues with dependencies.
  • We use SonarCloud to scan our code in sourcegraph/sourcegraph for vulnerabilities


We use Entitle as our permission management system.