Prerequisites for Source Code Review

Last updated: July 10, 2026

Overview

A source code review allows Astra's security team to analyze your application's source code to identify security vulnerabilities, insecure coding practices, and potential risks that may not be detectable through dynamic testing alone.

Before the review begins, you'll need to provide Astra with access to your application's source code. There are two supported methods to do this, with directly sharing the source code being the recommended approach.

Prerequisites

Before the source code review starts, ensure that:

  • Your application's source code is complete and ready for review.

  • You choose one of the supported methods to provide Astra access to the source code.

  • Your assigned Customer Success Manager (CSM) or the Astra Security team is informed once the required access has been provided.

Option 1: Share the Source Code (Recommended)

This is the simplest, fastest, and recommended method for initiating a source code review.

Option A: Share a Password-Protected ZIP File

  1. Compress your application's source code into a ZIP archive.

  2. Protect the ZIP file with a password.

  3. Share the ZIP file with your assigned Customer Success Manager (CSM) or the Astra Security team.

  4. Share the ZIP password securely with the same point of contact through a separate communication channel.

Note: Sharing the password separately helps ensure the source code is transferred securely.

Option B: Provide Git Repository Access

Instead of sharing a ZIP file, you can provide Astra with access to your Git repository.

Supported repositories include:

  • GitHub

  • GitLab

  • Bitbucket

  • Other Git-based repositories (where applicable)

Once access is granted, Astra will securely clone or download the repository and begin the source code review.

Tip: Providing repository access makes it easier to review the latest version of your code and simplifies collaboration if updates are required during the engagement.

Option 2: Provide Access to a Machine

If you're unable to share the source code directly, you can provide Astra with access to a machine where the source code is already available.

Before Astra begins the review, ensure that:

  • The source code is present on the machine.

  • Astra has the required access to the machine.

  • Astra is permitted to install the necessary security scanning tools.

  • The machine has an active internet connection so the required tools and dependencies can be installed.

Once the environment is ready, Astra's security team will install the required tools and perform the source code review directly on the machine.

Important: Administrative permissions may be required to install the necessary security scanning tools.

What Happens Next?

After Astra receives access to your source code through either method:

  1. The security team verifies that the required access is available.

  2. The source code review begins.

  3. If any additional information or access is required during the review, the Astra team will contact you.

Best Practices

  • Use a password-protected ZIP file when sharing source code.

  • Share the ZIP password separately from the file.

  • Ensure the source code provided is the latest version intended for review.

  • If providing repository access, verify that Astra has permission to clone the repository.

  • If providing a machine, confirm that internet connectivity and installation permissions are available before the review begins to avoid delays.

FAQs

Which method is recommended?

Sharing the source code as a password-protected ZIP file or providing access to your Git repository is the recommended approach, as it allows Astra to begin the review more quickly.

Can I share a private GitHub repository?

Yes. You can provide Astra with access to a private Git repository. Astra will securely clone or download the repository for the review.

Why does Astra need to install tools on my machine?

The required security scanning tools are used to perform static code analysis and support the source code review. These tools must be installed on the machine where the source code is available.

Does the machine need internet access?

Yes. Internet access is required so Astra can install the necessary security scanning tools and any required dependencies.

What if I cannot share my source code?

If sharing the source code directly isn't possible due to internal policies, you can provide Astra with access to a machine where the source code is available, provided the required permissions and internet connectivity are in place.