
# Cross-Reference: CI/CD + Pentest

When a client has both CI/CD code review and a pentest engagement for the same repository, findings are automatically cross-referenced to provide a comprehensive security view.

## How Cross-Referencing Works

```mermaid
graph LR
    A["CI/CD Code Review<br/>(white-box)"] --> C["Cross-Reference<br/>Engine"]
    B["Pentest<br/>(black-box)"] --> C
    C --> D["Confirmed by both<br/>(high confidence)"]
    C --> E["Code review only<br/>(may be FP or not exposed)"]
    C --> F["Pentest only<br/>(logic bugs, config issues)"]

    style A fill:#7b1fa2,color:#fff
    style B fill:#0277bd,color:#fff
    style C fill:#00838f,color:#fff
    style D fill:#2e7d32,color:#fff
    style E fill:#f57f17,color:#000
    style F fill:#e65100,color:#fff
```

## Matching Algorithm

Findings are matched using three strategies:

| Match Type | Method | Confidence |
|------------|--------|------------|
| Exact | Same CWE identifier (e.g., CWE-89 = CWE-89) | 95% |
| Related | Same vulnerability group (e.g., both are "injection" type) | 70% |
| Same endpoint | Both reference the same URL path or code file | 50% |

## Vulnerability Groups

| Group | Keywords |
|-------|----------|
| injection | sqli, nosqli, cmdi, ldapi, xss, ssti, xxe |
| auth | authentication, session, jwt, oauth, saml |
| crypto | tls, ssl, encryption, hash, crypto |
| ssrf | ssrf, server-side request forgery |
| access | idor, access control, privilege, authorization |
| secrets | secret, credential, api key, password, token |
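As an added example (not bd-review's own code), the following Python applies the three matching strategies and the keyword groups above to constructed findings and buckets them into the three report categories. The `Finding` fields, the greedy one-to-one pairing and the rule that the first listed group wins a keyword tie are assumptions; note that a title such as "SQL injection" matches none of the abbreviated keywords, so without a CWE the related-group strategy would miss it.

```python
from collections import namedtuple
# Vulnerability groups and keywords, as in the table above (table order decides ties).
GROUPS = {
    "injection": ["sqli", "nosqli", "cmdi", "ldapi", "xss", "ssti", "xxe"],
    "auth": ["authentication", "session", "jwt", "oauth", "saml"],
    "crypto": ["tls", "ssl", "encryption", "hash", "crypto"],
    "ssrf": ["ssrf", "server-side request forgery"],
    "access": ["idor", "access control", "privilege", "authorization"],
    "secrets": ["secret", "credential", "api key", "password", "token"],
}
# Assumed finding shape: cwe is "" when none was assigned; location is a URL path or source file.
Finding = namedtuple("Finding", "id title cwe location")

def group_of(f):
    """First group (in table order) with a keyword in the finding title, or None."""
    return next((g for g, kws in GROUPS.items() if any(k in f.title.lower() for k in kws)), None)

def match(cr, pt):
    """Strategies in descending confidence; returns (match_type, confidence) or None."""
    if cr.cwe and cr.cwe == pt.cwe:
        return ("exact", 95)
    if group_of(cr) is not None and group_of(cr) == group_of(pt):
        return ("related", 70)
    if cr.location and cr.location == pt.location:
        return ("same-endpoint", 50)
    return None

def crossref(code_review, pentest):
    """Greedy one-to-one pairing: each code-review finding takes its best unused pentest finding."""
    confirmed, used = [], set()
    for cr in code_review:
        best = None
        for pt in pentest:
            m = match(cr, pt) if pt.id not in used else None
            if m and (best is None or m[1] > best[0][1]):
                best = (m, pt)
        if best:
            confirmed.append((cr.id, best[1].id, best[0][0], best[0][1]))
            used.add(best[1].id)
    matched_cr = {c[0] for c in confirmed}
    return {"confirmed": confirmed,
            "code_review_only": [cr.id for cr in code_review if cr.id not in matched_cr],
            "pentest_only": [pt.id for pt in pentest if pt.id not in used]}
# Constructed sample findings (not real data), chosen to reproduce the report excerpt below.
CODE_REVIEW = [Finding("CR-FINDING-001", "SQLi in search handler", "CWE-89", "src/search.py"),
               Finding("CR-FINDING-002", "Hardcoded secret in test file", "CWE-798", "tests/conf.py"),
               Finding("CR-FINDING-006", "Session not rotated on login", "CWE-384", "src/auth.py")]
PENTEST = [Finding("FINDING-001", "Business logic race condition", "", "/api/checkout"),
           Finding("FINDING-002", "JWT accepted with alg=none", "CWE-347", "/api/login"),
           Finding("FINDING-003", "SQL injection via search parameter", "CWE-89", "/search")]
```

Calling `crossref(CODE_REVIEW, PENTEST)` yields the exact and related matches, one code-review-only finding and one pentest-only finding.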

## Report Output

The cross-reference generates a markdown section included in the pentest report:

```markdown
## Code Review Coverage

- CI/CD findings: 12
- Blackbox findings: 8
- Cross-validated matches: 5
- Coverage overlap: 50.0%

### Confirmed by Both

| Code Review | Pentest | Type | Match | Confidence |
|-------------|---------|------|-------|------------|
| CR-FINDING-001 | FINDING-003 | sql-injection | exact | 95% |
| CR-FINDING-004 | FINDING-007 | xss | exact | 95% |
| CR-FINDING-006 | FINDING-002 | auth | related | 70% |

### Code Review Only (not confirmed by blackbox)

These may be false positives, or bugs not exposed at runtime:

- CR-FINDING-002 (hardcoded secret in test file)
- CR-FINDING-008 (unsafe deserialization in unused code path)

### Blackbox Only (not found by code review)

Logic bugs, configuration issues, or runtime-only vulnerabilities:

- FINDING-001 (business logic race condition)
- FINDING-005 (HTTP request smuggling)
```

## Setup

### Option 1: Automatic (via `.bedefended.yml`)

```yaml
pentest:
  engagement-ref: "acme-webapp-2026"
  auto-crossref: true
```

When `engagement-ref` matches an existing pentest engagement name, CI reviews are automatically linked.

### Option 2: CLI Command

```bash
bd-review crossref \
  --input review-results.json \
  --engagement-dir ./engagements/acme-webapp-2026/ \
  --output crossref-report.md
```

### Option 3: During Pentest

When running `/pentest https://target.com --code-review https://github.com/org/repo`, the pentest engine automatically imports CI findings from the dashboard and uses them as `code-insights.json` for Phase CR-5 correlation.

## Value for Clients

| Scenario | Client Benefit |
|----------|----------------|
| Finding in both | High confidence it's a real vulnerability. Prioritize the fix |
| Code review only | Could be dead code, an unreachable path, or a FP. Lower priority unless in a critical module |
| Pentest only | Logic bugs, config issues, infra problems. Can't be caught by static analysis |
| Neither found | Coverage gap. May need manual review or specialized testing |

## Bundle Pricing

Clients with both CI/CD and pentest for the same repo get a ~33% discount on the Professional CI tier (EUR 99 vs EUR 149/month).