Integrations Overview & Coverage Matrix
Pixee integrations fall into two categories. Scanning Tools are the SAST, SCA, IAST, and aggregation platforms that produce findings — Pixee triages each finding and generates fixes. Source Control platforms are where Pixee delivers those fixes as pull requests or merge requests. Pixee does not replace your scanners or your SCM; it sits downstream of detection and inside your existing review workflow.
One triage-and-remediation pipeline spans every scanner in your stack, regardless of vendor. Pixee adds the resolution layer; the rest of your stack stays as it is.
Source Control Coverage
Pixee delivers remediation as pull requests (or merge requests) on the four major development platforms. All four support cloud and self-hosted/on-premises deployments via Pixee Enterprise Server.
| Platform | PR/MR Delivery | Authentication | Setup Guide |
|---|---|---|---|
| GitHub | Native pull requests | GitHub App | Get started |
| GitLab | Native merge requests | Personal access token | Get started |
| Azure DevOps | Native pull requests | PAT + webhooks | Get started |
| Bitbucket | Native pull requests | API token | Get started |
Scanner Coverage Matrix
Pixee provides a growing list of named scanner integrations plus universal SARIF support for any other tool. Every scanner's findings flow through the same triage and remediation pipeline; the only difference is the depth of metadata extraction.
| Scanner | Integration Tier | Finding Types | Triage | Remediation | Input Method |
|---|---|---|---|---|---|
| CodeQL | Deep | SAST | Yes | Yes | GHAS API / SARIF |
| Semgrep | Deep | SAST | Yes | Yes | SARIF |
| Checkmarx | Deep | SAST | Yes | Yes | SARIF |
| Veracode | Native | SAST | Yes | Yes | SARIF |
| Snyk Code | Native | SAST | Yes | Yes | SARIF |
| SonarQube / SonarCloud | Native | SAST | Yes | Yes | SARIF |
| HCL AppScan | Native | SAST | Yes | Yes | SARIF |
| Polaris / Black Duck (Coverity) | Native | SAST | Yes | Yes | SARIF |
| Fortify | Native | SAST | Yes | Yes | SARIF |
| Contrast Security | Native | IAST | Yes | Yes | SARIF |
| GitLab SAST | Native | SAST | Yes | Yes | GitLab API |
| GitLab SCA (Dependency Scanning) | Native | SCA | Yes | Yes | GitLab API |
| Trivy | Native | SAST, SCA, IaC | Yes | Yes | SARIF |
| Arnica | Native | SAST | Yes | Yes | SARIF |
| Datadog SAST | Native | SAST | Yes | Yes | SARIF |
| DefectDojo | Aggregator | Aggregated | Yes | Yes | SARIF |
| Any SARIF-producing scanner | Universal | Varies | Yes | Yes | SARIF |
Integration tiers explained:
- Deep: Dedicated handler with scanner-specific metadata extraction. Extracts dataflow paths, rule descriptions, and scanner-specific context for higher triage accuracy.
- Native: Recognized scanner with tool identification and standard SARIF processing. Findings are fully triaged and remediated through the standard pipeline.
- Aggregator: Vulnerability management platforms that consolidate findings from many scanners. Pixee adds triage and remediation on top.
- Universal SARIF: Any tool that produces SARIF output works automatically. No pre-built integration required.
All tiers feed into the same downstream triage and remediation pipeline. Deep integrations provide richer context; universal SARIF ensures no scanner is locked out.
How Scanner Integration Works
Pixee's scanner integration follows a two-tier architecture that balances depth with breadth.
Tier 1 — Native Handlers. For the most widely deployed scanners, Pixee has dedicated handlers that extract scanner-specific metadata. Each handler understands the idiosyncrasies of that tool's SARIF output — where rule descriptions live, whether dataflow traces (codeFlows) are available, and what metadata the scanner includes or omits. Better metadata extraction means higher triage accuracy.
Tier 2 — Universal SARIF. For any scanner that produces SARIF (the OASIS standard for static analysis results), Pixee's universal SARIF engine ingests findings automatically. No pre-built integration required. The system dynamically adapts its handling strategy based on whatever metadata the SARIF contains.
Both tiers feed into the same downstream pipeline:
Scanner runs > SARIF output > Pixee ingests > Triage pipeline > TP / FP / WONT_FIX > Remediation PRs
The result is one triage and remediation pipeline across every scanner in your stack, from CodeQL to an internal proprietary scanner, with every finding passing through the same workflow.
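The following Python sketch is an added illustration, not Pixee's code and not a description of how Pixee's handlers are built. It reads a constructed SARIF 2.1.0 log and shows the adaptive ingestion behaviour described above: it identifies the producing tool from `tool.driver.name`, pulls a rule description and a `security-severity` property when the run's `rules` array carries them, walks `codeFlows` into a source-to-sink trace when one is present, and falls back to message-only context otherwise. The scanner name, file paths, rule ids and the `triage_context` labels are all constructed for the example.

```python
"""SARIF 2.1.0 ingestion sketch with graceful degradation (added example)."""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed SARIF log: the first result ships rule metadata plus a dataflow
# trace, the second ships rule metadata only. Names and paths are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "ExampleScanner",
            "rules": [
                {"id": "py/sql-injection",
                 "shortDescription": {"text": "SQL query built from user input"},
                 "properties": {"security-severity": "8.8"}},
                {"id": "py/weak-hash",
                 "shortDescription": {"text": "Use of a weak hashing algorithm"}},
            ]}},
        "results": [
            {"ruleId": "py/sql-injection",
             "message": {"text": "User input flows into a SQL query."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}],
             "codeFlows": [{"threadFlows": [{"locations": [
                 {"location": {"physicalLocation": {
                     "artifactLocation": {"uri": "app/views.py"},
                     "region": {"startLine": 10}}}},
                 {"location": {"physicalLocation": {
                     "artifactLocation": {"uri": "app/db.py"},
                     "region": {"startLine": 42}}}}]}]}]},
            {"ruleId": "py/weak-hash",
             "message": {"text": "md5 used for password hashing."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 7}}}]},
        ]}]})


@dataclass
class Finding:
    tool: str
    rule_id: str
    message: str
    path: str
    line: int
    description: Optional[str] = None          # from tool.driver.rules, if shipped
    severity: Optional[float] = None           # properties.security-severity, if shipped
    trace: list = field(default_factory=list)  # (path, line) steps from codeFlows


def _loc(location: dict) -> tuple:
    """Return (uri, startLine) from a SARIF location object, tolerating missing keys."""
    phys = location.get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
    line = phys.get("region", {}).get("startLine", 0)
    return uri, line


def ingest(sarif_text: str) -> list:
    """Turn a SARIF log into Finding objects, using whatever metadata is present."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "unknown")
        # Index rule metadata once; scanners differ in whether they ship it at all.
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            rule = rules.get(rule_id, {})
            path, line = _loc((result.get("locations") or [{}])[0])
            # Flatten every threadFlow step into a single source-to-sink list.
            trace = [_loc(step.get("location", {}))
                     for flow in result.get("codeFlows", [])
                     for thread in flow.get("threadFlows", [])
                     for step in thread.get("locations", [])]
            sev = rule.get("properties", {}).get("security-severity")
            findings.append(Finding(
                tool=tool, rule_id=rule_id,
                message=result.get("message", {}).get("text", ""),
                path=path, line=line,
                description=rule.get("shortDescription", {}).get("text"),
                severity=float(sev) if sev is not None else None,
                trace=trace))
    return findings


def triage_context(f: Finding) -> str:
    """Label how much context a downstream triage step has for this finding."""
    if f.trace:
        return "dataflow"       # full source-to-sink path available
    if f.description:
        return "rule-metadata"  # rule text available, but no trace
    return "message-only"       # nothing beyond the result message


if __name__ == "__main__":
    for f in ingest(SAMPLE_SARIF):
        print(f.tool, f.rule_id, f"{f.path}:{f.line}", triage_context(f), f.trace)
```

The point of the `triage_context` labels is that one ingestion path handles every run: a log from a scanner that emits `codeFlows` yields richer context for triage, while a log that carries only `ruleId` and `message` still produces a usable finding rather than being rejected.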
Why SARIF matters. SARIF (Static Analysis Results Interchange Format) is the OASIS open standard for static analysis results. Pixee supports the current SARIF standard. Most modern SAST, SCA, and secret-scanning tools produce SARIF output natively or via converters. By standardizing on SARIF as the ingestion format, Pixee ensures that any scanner — commercial, open source, or proprietary — can feed into the triage and remediation pipeline without custom integration work.
What this means in practice:
- Internal or proprietary scanners that output SARIF work on day one
- New commercial scanners are supported immediately if they produce SARIF
- You are never locked to a specific tool list
- Adding or removing a scanner from your stack does not require any Pixee configuration changes