ZeroNorth Defect Density - Measuring Your Software Quality

An Industry First

The ZeroNorth platform offers a way to measure and track the security of your software with a built-in capability to measure software Security Defect Density across any SAST or SCA scanning tool in a uniform way.

Security Defect Density

ZeroNorth’s Security Defect Density is defined as:

Number of Security Vulnerabilities / 1,000 Source Lines of Code


  • Number of Security Vulnerabilities - the count of security issues, prior to any compression / de-duplication by ZeroNorth’s Issue synthesis.
  • Source Lines of Code (“SLOC”) - Line count performed by the ZeroNorth platform, independent of the scanning tool.

The definition of “SLOC” is key because while some scanners report defect density, there is lack of consistency between scanning tools for the SLOC measurement. ZeroNorth’s unified approach brings consistent measurement across projects and across scanning tools that those projects are scanned with.

How It Works

Of the two main ingredients for ZeroNorth Security Defect Density, the Issues count (the numerator) is always available to ZeroNorth, whether the ZeroNorth scan Policy is for an orchestrated scan, for a data load, or for a manual upload. The SLOC count (the denominator), however, requires ZeroNorth’s getting access to the source files. For this reason, only orchestrated scans can benefit from this feature.

The covered use cases include:

During the scan time, as a pre-processing step of a ZeroNorth-orchestrated scan, a ZeroNorth-standard SLOC count is performed on the source files of the build artifact or the code repository. Because this SLOC count is performed outside of and without dependence on the scanner tool, the SLOC count will be consistent if you were to scan that same build artifact or repository with multiple scanning tools.

How To Enable Security Defect Density

To activate ZeroNorth Security Defect Density feature, ensure that the Scenario in use for the orchestrated scan Policy has the “Calculate Lines of Code” flag turned on:

From this point on, all ZeroNorth Policies that use the above Scenario will compute the ZeroNorth-standard SLOC count when the source file are available.

For onprem scan use cases, ensure that the ZeroNorth container image zeronorth/marmalade-runner is pulled and accessible to the Integration Container or the Integration Orchestrator. Contact for access to the ZeroNorth Docker container images.

Viewing the ZeroNorth Security Defect Density

To view the ZeroNorth Security Defect Density information:

  1. Sign in to the ZeroNorth UI .
  2. Navigate to znHUB > Target Dashboard .
  3. Select a Target that has been scanned using a Policy that uses a SLOC-activated Scenario.
  4. Click on the Defect Statistics tab:
    Within the viewer: