Integrate CredScan with Vulnetix. CredScan is available via the Microsoft Security DevOps (MSDO) GitHub Action, which produces SARIF output for upload to Vulnetix.
Run CredScan in CI
Scan on every push and upload the results to Vulnetix:
- uses: actions/checkout@v4
- name: Run MSDO (includes CredScan)
uses: microsoft/security-devops-action@v1
id: msdo
with:
categories: 'code,secrets'
- name: Upload to Vulnetix
run: vulnetix upload --file ${{ steps.msdo.outputs.sarifFile }}
How Vulnetix compares — better together
Vulnetix does not replace CredScan. Keep running it. Vulnetix sits on top of CredScan — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
CredScan is strongest at its core category and also carries features in SAST, IaC & Cloud Configuration, Container & Image Scanning, SCA, Cloud Security & CSPM — just like Vulnetix spans categories.
| Capability | Vulnetix | CredScan |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ~ MSDO bundles Bandit, ESLint, BinSkim static analyzers |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ~ Trivy + open-source dependency vulnerability findings surfaced in Defender for Cloud |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ~ MSDO bundles Trivy for container image scanning |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ~ MSDO bundles Checkov, Terrascan, Template Analyzer for IaC misconfig |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✓ CredScan core; deprecated in the Azure DevOps MSDO extension (Sep 2023, now emits a warning) in favour of GitHub Advanced Security secret scanning |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ~ Defender for Cloud provides CSPM/posture and code-to-cloud correlation surrounding MSDO |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ~ SARIF normalized for reporting; Defender correlates code findings with cloud context for prioritisation |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What CredScan does well
- CredScan is Microsoft's mature, internally-hardened credential scanner detecting hardcoded passwords, API keys, connection strings and certificates across source and config
- Ships inside Microsoft Security DevOps (MSDO), which bundles and auto-updates a suite of OSS scanners: Bandit/ESLint/BinSkim (code), Checkov/Terrascan/Template Analyzer (IaC), and Trivy (container + dependency)
- Normalises all tool output to SARIF for unified reporting and CI build-break gating across secrets, code, IaC and containers
- Defender for Cloud DevOps security correlates code findings with cloud posture (code-to-cloud), adds PR annotations and severity grouping across Azure DevOps, GitHub and GitLab
Where Vulnetix adds to it: Both aggregate multiple scanners, but Vulnetix is scanner- and cloud-agnostic (25+ registries, 40+ SCA ecosystems, any CI) rather than Azure/Defender-centric. On top of the merged queue Vulnetix layers exploit-intel scoring (EPSS, CISA KEV, Coalition ESS, CWSS, LEV), reachability, immutable versioned VEX + audit, SSVC and Safe Harbour autofix PRs — going beyond MSDO's SARIF reporting and PR annotations.
No migration, no rip-and-replace. CredScan keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise CredScan results in Vulnetix
Upload CredScan SARIF, JSON output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.