Stage 02b · Security · 5 min
Security Scanning
Built-in security scanning — secrets, contextual analysis, CVE scan
💬 TALKING POINT · #15
  • Now that we know the app works correctly (the tests pass), we also need to know it is safe to ship. Bob embeds security scanning directly in the developer workflow: not as an afterthought at the end of a release cycle, but right here in the IDE while the code is being written.
  • The scan runs automatically, and Bob presents every security insight in the Bob Findings tab, organized by file with line-level detail and an actionable fix suggestion for each finding.
📝 PRESENTER NOTE · #18
Open the Bob Findings tab in the bottom panel (alongside Problems, Output, Terminal). You should see findings organized by file — click into any finding to see the full detail on the right side. Point out the file name, line number, and the Bob Tip description.
💬 TALKING POINT · #16
What you'll see there isn't just a list of errors — it's Bob's contextual analysis: reasoning about the code semantics, flagging anti-patterns, and suggesting concrete refactoring steps. For example, Bob flagged PaymentService.java and suggested storing only a masked card number in the Transaction entity instead of the full card number.
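To make the PaymentService.java finding concrete, here is the shape of the fix Bob describes, written as an added example for this page (it is not code from payment-app-java17 and not Bob's own output). The Transaction class, its field names, the Luhn pre-check and the masking policy (keep only the last four digits) are assumptions; the entity refuses anything that is not already masked, so a later caller cannot reintroduce the full card number by mistake.

```java
import java.util.regex.Pattern;

// Added example (assumed class and field names), not the demo app's code:
// the fix for a Transaction entity that persisted the full card number.
public final class CardMasking {

    // BEFORE (assumed shape of the flagged code): the full PAN is stored with the
    // transaction, so it ends up in the database, backups and any log line that
    // prints the entity. This is the finding Bob raises.
    static final class TransactionBefore {
        private final String cardNumber;
        TransactionBefore(String cardNumber) { this.cardNumber = cardNumber; }
        String getCardNumber() { return cardNumber; }
    }

    // AFTER: the entity can only hold a masked value. The constructor rejects a raw
    // PAN, so the invariant is enforced at the entity boundary, not by convention.
    static final class Transaction {
        // 13-19 digit PANs masked to the last four digits: 9-15 stars then 4 digits.
        private static final Pattern MASKED = Pattern.compile("^\\*{9,15}\\d{4}$");
        private final String maskedCardNumber;

        Transaction(String maskedCardNumber) {
            if (!MASKED.matcher(maskedCardNumber).matches()) {
                throw new IllegalArgumentException("Transaction only accepts a masked card number");
            }
            this.maskedCardNumber = maskedCardNumber;
        }
        String getMaskedCardNumber() { return maskedCardNumber; }
    }

    // Luhn check: rejects mistyped or fabricated numbers before anything is stored.
    static boolean luhnValid(String digits) {
        int sum = 0;
        boolean doubleIt = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    // Validates the input and keeps only the last four digits; every other digit
    // is replaced with '*'. The raw PAN never leaves this method.
    static String maskPan(String rawPan) {
        String digits = rawPan.replaceAll("[^0-9]", "");
        if (digits.length() < 13 || digits.length() > 19 || !luhnValid(digits)) {
            throw new IllegalArgumentException("not a valid card number");
        }
        return "*".repeat(digits.length() - 4) + digits.substring(digits.length() - 4);
    }

    public static void main(String[] args) {
        String pan = "4111 1111 1111 1111"; // constructed test value, not a real card
        Transaction tx = new Transaction(maskPan(pan));
        System.out.println(tx.getMaskedCardNumber());
        try {
            new Transaction(pan.replace(" ", "")); // raw PAN is rejected at the entity
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it with Java 17 (`javac CardMasking.java && java CardMasking`): the first line printed is the masked value with only the last four digits visible, the second shows the entity refusing the unmasked number. Masking to the last four digits is a deliberate choice for the example; if the application needs the issuer prefix for routing, keep the first six as well, which is still within what PCI DSS permits for a truncated PAN.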
💡 TIP · #43
From automated tests to security scanning, Bob addressed both correctness and security — areas that normally require separate tools, teams, and later checkpoints in the SDLC.

This is what shift-left looks like in practice: the issues were surfaced and resolved during development, before any code reached the CI/CD pipeline.

Keep in mind: Bob's security scanning is an extra layer, not a replacement for existing SAST, DAST, or vulnerability management tooling. Your enterprise security processes still apply — Bob catches issues earlier, before code leaves the developer's machine.
📝 PRESENTER NOTE · #19
As of the latest Bob version: Bob Findings is working and surfaces security insights automatically — you should see findings in the Bob Findings tab without needing to run any prompt.

If Bob Findings is not showing results, use the following prompt to showcase the security scan manually:
2b · Security Scan + Analysis
Scan the payment-app-java17 application for security issues in two phases:
Phase 1 — Quick scan:
- Hardcoded secrets, API keys, passwords, tokens in source and config
Phase 2 — Contextual analysis:
- Logic flaws and insecure patterns
- Missing input validation
- Anti-patterns that introduce security risk
For each issue found: show file, line number, severity, and a one-line fix recommendation.
Produce a report: SecurityScanReport.md
💬 TALKING POINT · #17
What makes this powerful isn't just that Bob found the issues: the report includes a suggested fix for every single finding. The developer doesn't have to work out how to fix it; Bob tells them exactly what to do. And if they want to go further, they can simply ask Bob to fix the issues listed in the report, right there in the IDE, with no context switching.
📝 PRESENTER NOTE · #20
Expect findings across two phases — hardcoded secrets and logic flaws — with a mix of HIGH, MEDIUM, and LOW severity. Each finding includes the exact file name and line number. Walk the audience through the severity breakdown and highlight a couple of specific findings that are most relatable to the audience.
💡 TIP · #44
The cost of this security scan is ~0.08 bobcoins.