Aspen Adapt Turn Real Code Activity into Targeted Secure Coding Training
This article explains how Aspen Adapt uses a secure API connection to scan commits, identify CWE patterns, and surface findings in the platform so admins can assign precise training based on real vulnerabilities quickly and efficiently.
Aspen Adapt
Aspen Adapt integrates directly with your Source Code Manager (SCM) to analyze live commit activity and identify potential code weaknesses mapped to the CWE (Common Weakness Enumeration). These findings appear within the Security Journey platform, providing administrators with clear insight into the secure-coding skills that need reinforcement across their teams.
Rather than relying on generic training or disruptive in-workflow prompts, admins can quickly prioritize the most common or impactful weaknesses and assign targeted Security Journey lessons that address those gaps.
Key benefits
-
Evidence-based training aligned to real vulnerabilities
-
Admin-controlled assignments—no PR comments or developer alerts
-
Faster, more relevant skill reinforcement
-
Scales across teams and repositories without added noise
Result
A continuous feedback loop between real code activity and secure-coding training—strengthening developer skills without interrupting developer workflow.
How It Works
Aspen Adapt uses your organization’s SCM to determine which training is most relevant by:
Aspen adapt links code scan results and commit metadata, to help you:
-
- Detecting potential issues aligned to CWE patterns
- Consolidating findings inside the Security Journey platform (including CWE number, username, email, repository, PR number, commit SHA, and timestamp)
- Reducing review time and training assignment duration
Important: Aspen Adapt does not access source code directly. Only scan output data from your existing tools is transmitted. This ensures both security and developer privacy.
Notes
- Aspen: Adapt does not access source code directly
- Only scan output data from your existing tools is transmitted
- This ensures both security and developer privacy
Configuration and Setup
Prerequisites
Before configuring Aspen Adapt, ensure the following requirements are met:
- You are a Security Journey Admin with permission to generate and manage API keys
- Aspen Adapt must be enabled for your tenant
- Access to your organization’s source control system (e.g., GitHub, GitLab, Bitbucket)
- A CI/CD pipeline or security scanning tool that produces CWE-mapped findings
Choose Your Integration Method
Aspen Adapt supports two methods for sending CWE findings to Security Journey. Choose the option that best fits your workflow:
Option 1: Send Findings via API
Use this method if you want to integrate Aspen Adapt directly with your existing tools or pipelines.
Overview:
- Send CWE findings to Security Journey using the Aspen Adapt API
- Works with any CI/CD system or scanning tool
- Provides maximum flexibility and customization
Steps:
- Generate an Aspen Adapt API key from the Security Journey platform
- Configure your pipeline or tooling to send findings to the API
- Ensure findings include required metadata (e.g., CWE, commit SHA, committer email)
Documentation:
Option 2: Leverage the Aspen Connector
Aspen Adapt is delivered through the Aspen Connector — a single integration that works across both GitHub Actions and GitLab CI.
Option 1: GitHub Actions
Incorporate the Aspen Connector into your GitHub Actions workflow. Ideal for teams already using GitHub Actions.
Example:
```yamljobs: aspen: steps: - uses: actions/checkout@v4 - name: Run scanner run: snyk code test --sarif > results.sarif || true - uses: SecurityJourney/aspen-connector@v1.0.0 with: api_token: $ scan_results_path: results.sarif```
Option 2: GitLab CI
Example:
```yaml
aspen:
image: node:22
rules:
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
before_script:
- git remote set-url origin "https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git"
script:
- npx @securityjourney/aspen-connector@1.0.0
variables:
ASPEN_API_TOKEN: $SECURITYJOURNEY_TOKEN
ASPEN_SCAN_RESULTS_PATH: results.sarif
ASPEN_INSTRUCTION_FILE_PATH: .gitlab/ai-instructions.md
```
For pipelines that extract CWEs from scanner output themselves:
``yaml
variables:
ASPEN_API_TOKEN: $SECURITYJOURNEY_TOKEN
ASPEN_CWES: '["CWE-89","CWE-79"]'
```
See the Aspen Connector on GitHub for full documentation and all configuration options.
Validation
After configuring either method, trigger a scan/workflow run and confirm:
- Findings are sent successfully
- Data appears in Aspen Adapt with complete metadata
- CWE number, username, email, repository, PR number, commit SHA, and timestamp are all present