Roles and Permissions
Codepure’s Role-Based Access Control (RBAC) is designed to support secure collaboration between security teams and developers. It ensures that each role has only the access necessary to perform its tasks while maintaining strong governance over security workflows.
✅ Role Summary Table
| Feature / Action | Admin | AppSec | Developer |
|---|---|---|---|
| Manage users and roles | ✅ | ❌ | ❌ |
| Configure system-wide settings | ✅ | ❌ | ❌ |
| Create and manage projects | ✅ | ✅ | ❌ |
| Import projects (GitHub, GitLab, Bitbucket, Local) | ✅ | ✅ | ❌ |
| Assign projects to developers | ✅ | ✅ | ❌ |
| Run scans (SAST, SCA, Container Security, Secret Scanning) | ✅ | ✅ | ❌ |
| View all projects | ✅ | ✅ | ❌ (only assigned projects) |
| View scan results | ✅ | ✅ | ✅ (only assigned projects) |
| Approve vulnerabilities (after dev verification) | ✅ | ✅ | ❌ |
| Mark vulnerabilities as fixed / false positive | ✅ | ✅ | ✅ (only assigned projects) |
| Assign fixes to developers | ✅ | ✅ | ❌ |
| Configure integrations | ✅ | ✅ | ❌ |
| Access detailed vulnerability reports | ✅ | ✅ | ✅ (assigned projects only) |
| Leave feedback on vulnerabilities | ✅ | ✅ | ✅ (assigned projects only) |
| Request new language support | ✅ | ❌ | ❌ |
🔑 Role Descriptions
Admin
- Has full control over Codepure.
- Can manage users, roles, integrations, and system-wide settings.
- Can create and manage all projects.
- Can run scans, approve vulnerabilities, assign fixes, and manage all permissions.
- Intended for platform owners or security leads.
AppSec (Application Security Analyst)
- Can create and import projects from integrations or local sources.
- Can run scans and see all projects in the organization.
- Reviews vulnerabilities reported by the system.
- After a developer marks a vulnerability as fixed or false positive, AppSec can approve or reject that status.
- Can assign specific projects to developers for verification and fixing vulnerabilities.
- Cannot manage users, roles, or system-wide settings (integration configuration is permitted, as shown in the summary table).
Developer
- Has access only to projects assigned to them.
- Can view vulnerabilities for assigned projects.
- Can verify vulnerabilities by marking them as:
  - ✅ Fixed (after applying a code fix), or
  - 🚫 False Positive.
- Cannot run scans, approve vulnerabilities, or access other projects.
- Intended for software engineers working on fixing security findings.
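The following is an added illustration of how the role matrix and the verification workflow above can be enforced as a default-deny authorization check. It is not Codepure's own code: the action names, the `User`/`Finding` classes and the pending-review states are assumptions made for the example. It shows the two points a practitioner most often gets wrong when implementing this kind of model: Developer permissions must be evaluated against the specific project (a missing or unassigned project is denied), and "approve" is only meaningful on a finding a developer has already marked.

```python
"""Default-deny authorization mirroring the Codepure role table.

Added example, not Codepure's code. Action names, the User/Finding classes
and the pending-review statuses are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(str, Enum):
    ADMIN = "admin"
    APPSEC = "appsec"
    DEVELOPER = "developer"


class Status(str, Enum):
    OPEN = "open"
    FIXED_PENDING = "fixed_pending_review"            # developer marked fixed
    FALSE_POSITIVE_PENDING = "fp_pending_review"      # developer marked false positive
    FIXED = "fixed"                                   # approved by AppSec/Admin
    FALSE_POSITIVE = "false_positive"                 # approved by AppSec/Admin


# One assumed action name per row of the summary table.
ALL_ACTIONS = {
    "manage_users", "configure_settings", "create_project", "import_project",
    "assign_project", "run_scan", "view_project", "view_results",
    "approve_vulnerability", "mark_vulnerability", "assign_fix",
    "configure_integration", "view_report", "leave_feedback",
    "request_language_support",
}

# Actions a role may perform on any project, with no assignment check.
UNSCOPED = {
    Role.ADMIN: set(ALL_ACTIONS),
    Role.APPSEC: ALL_ACTIONS - {"manage_users", "configure_settings",
                                "request_language_support"},
    Role.DEVELOPER: set(),
}

# Actions a Developer may perform, but only on projects assigned to them.
DEVELOPER_SCOPED = {"view_project", "view_results", "mark_vulnerability",
                    "view_report", "leave_feedback"}


@dataclass
class User:
    name: str
    role: Role
    projects: set = field(default_factory=set)  # assigned projects (Developers)


@dataclass
class Finding:
    project: str
    status: Status = Status.OPEN


def is_allowed(user: User, action: str, project: Optional[str] = None) -> bool:
    """True if `user` may perform `action`; Developers are checked per project."""
    if action not in ALL_ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if action in UNSCOPED[user.role]:
        return True
    if user.role is Role.DEVELOPER and action in DEVELOPER_SCOPED:
        # Default deny: no project given, or not assigned, is a refusal.
        return project is not None and project in user.projects
    return False


def require(user: User, action: str, project: Optional[str] = None) -> None:
    if not is_allowed(user, action, project):
        raise PermissionError(f"{user.name} ({user.role.value}) may not "
                              f"{action} on {project!r}")


def mark(user: User, finding: Finding, as_fixed: bool) -> Finding:
    """Mark an open finding fixed or false positive; it then awaits approval."""
    require(user, "mark_vulnerability", finding.project)
    if finding.status is not Status.OPEN:
        raise ValueError(f"finding is {finding.status.value}, not open")
    finding.status = (Status.FIXED_PENDING if as_fixed
                      else Status.FALSE_POSITIVE_PENDING)
    return finding


def review(user: User, finding: Finding, approve: bool) -> Finding:
    """AppSec/Admin approves or rejects a status a developer has set."""
    require(user, "approve_vulnerability", finding.project)
    if finding.status not in (Status.FIXED_PENDING, Status.FALSE_POSITIVE_PENDING):
        raise ValueError(f"nothing to review: finding is {finding.status.value}")
    if approve:
        finding.status = (Status.FIXED if finding.status is Status.FIXED_PENDING
                          else Status.FALSE_POSITIVE)
    else:
        finding.status = Status.OPEN  # rejected: back to the developer
    return finding


if __name__ == "__main__":
    dev = User("dana", Role.DEVELOPER, {"payments"})      # constructed sample users
    appsec = User("alice", Role.APPSEC)
    f = mark(dev, Finding("payments"), as_fixed=True)
    print(review(appsec, f, approve=True).status.value)   # fixed
```

The page does not say whether the person approving must differ from the person who marked the finding (an Admin or AppSec user can do both), so this example does not enforce that separation; a deployment that wants it would record the marking user on the finding and refuse self-approval in `review`.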
⚙️ How to Assign Roles and Projects
- Navigate to User Management in the Codepure dashboard.
- Assign the role (Admin, AppSec, or Developer) to a user.
- For developers, select specific projects to grant access.
- Click Save to apply changes.
🛡️ Best Practices
- Keep Admin access limited to security leads.
- Use AppSec roles for dedicated security engineers managing scans and vulnerability approvals.
- Assign Developers only the projects they work on to maintain the principle of least privilege.
- Regularly review role assignments and project access to ensure compliance and security integrity.
This RBAC model supports secure, on-premises deployments, enabling organizations to manage security workflows while keeping full control of their data and project access.

