Skip to content
  • There are no suggestions because the search field is empty.

Aspen Adapt Turn Real Code Activity into Targeted Secure Coding Training

This article explains how Aspen Adapt uses a secure API connection to scan commits, identify CWE patterns, and surface findings in the platform so admins can assign precise training based on real vulnerabilities quickly and efficiently.

Aspen Adapt

Aspen Adapt integrates directly with your Source Code Manager (SCM) to analyze live commit activity and identify potential code weaknesses mapped to the CWE (Common Weakness Enumeration). These findings appear within the Security Journey platform, providing administrators with clear insight into the secure-coding skills that need reinforcement across their teams.

Rather than relying on generic training or disruptive in-workflow prompts, admins can quickly prioritize the most common or impactful weaknesses and assign targeted Security Journey lessons that address those gaps.

Key benefits
  • Evidence-based training aligned to real vulnerabilities

  • Admin-controlled assignments—no PR comments or developer alerts

  • Faster, more relevant skill reinforcement

  • Scales across teams and repositories without added noise

Result

A continuous feedback loop between real code activity and secure-coding training—strengthening developer skills without interrupting developer workflow.


How It Works

Aspen Adapt uses your organization’s SCM to determine which training is most relevant by:

Aspen adapt links code scan results and commit metadata, to help you:

    1. Detecting potential issues aligned to CWE patterns
    2. Consolidating findings inside the Security Journey platform (including CWE number, username, email, repository, PR number, commit SHA, and timestamp)
    3. Reducing review time and training assignment duration

          Important: Aspen Adapt does not access source code directly. Only scan output data from your existing tools is transmitted. This ensures both security and developer privacy.

        Notes

        • Aspen: Adapt does not access source code directly
        • Only scan output data from your existing tools is transmitted
        • This ensures both security and developer privacy

        Configuration and Setup

        Prerequisites

        Before configuring Aspen Adapt, ensure the following requirements are met:

        • You are a Security Journey Admin with permission to generate and manage API keys
        • Aspen Adapt must be enabled for your tenant
        • Access to your organization’s source control system (e.g., GitHub, GitLab, Bitbucket)
        • A CI/CD pipeline or security scanning tool that produces CWE-mapped findings

        Choose Your Integration Method

        Aspen Adapt supports two methods for sending CWE findings to Security Journey. Choose the option that best fits your workflow:

        Option 1: Send Findings via API

        Use this method if you want to integrate Aspen Adapt directly with your existing tools or pipelines.

        Overview:

        • Send CWE findings to Security Journey using the Aspen Adapt API
        • Works with any CI/CD system or scanning tool
        • Provides maximum flexibility and customization

        Steps:

        1. Generate an Aspen Adapt API key from the Security Journey platform
        2. Configure your pipeline or tooling to send findings to the API
        3. Ensure findings include required metadata (e.g., CWE, commit SHA, committer email)

        Documentation:


        Option 2: Leverage the Aspen Connector

        Aspen Adapt is delivered through the Aspen Connector — a single integration that works across both GitHub Actions and GitLab CI

        Option 1: GitHub Actions 

          Incorporate the Aspen Connector into your GitHub Actions workflow. Ideal for teams already using GitHub Actions. 

          Example:

          ```yaml
          jobs:
            aspen:
              steps:
                - uses: actions/checkout@v4

                - name: Run scanner
                  run: snyk code test --sarif > results.sarif || true

                - uses: SecurityJourney/aspen-connector@v1.0.0
                  with:
                    api_token: $
                    scan_results_path: results.sarif
          ```

           

          Option 2: GitLab CI

          Example:

          ```yaml
          aspen:
            image: node:22
            rules:
              - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
            before_script:
              - git remote set-url origin "https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git"
            script:
              - npx @securityjourney/aspen-connector@1.0.0
            variables:
              ASPEN_API_TOKEN: $SECURITYJOURNEY_TOKEN
              ASPEN_SCAN_RESULTS_PATH: results.sarif
              ASPEN_INSTRUCTION_FILE_PATH: .gitlab/ai-instructions.md
          ```

          For pipelines that extract CWEs from scanner output themselves: 

          ``yaml
            variables:
              ASPEN_API_TOKEN: $SECURITYJOURNEY_TOKEN
              ASPEN_CWES: '["CWE-89","CWE-79"]'
          ```

          See the Aspen Connector on GitHub for full documentation and all configuration options. 


          Validation

          After configuring either method, trigger a scan/workflow run and confirm:

          • Findings are sent successfully
          • Data appears in Aspen Adapt with complete metadata
          • CWE number, username, email, repository, PR number, commit SHA, and timestamp are all present

          How to turn your data into a Personalized Lesson Assignments