How ICBC Built an Enterprise‑Scale Code Scanning Center to Boost Software Security
This article describes how Industrial and Commercial Bank of China tackled rising software vulnerabilities by establishing a unified code‑scanning center, integrating static, supply‑chain, and dynamic analysis tools, standardizing rules, and delivering one‑stop services that have scanned over 3.1 billion lines of code across the bank.
Background and Challenges
In recent years, the increasing number of software vulnerabilities worldwide and frequent information‑security incidents in the financial sector have made system and application security unavoidable challenges for commercial banks.
To enhance the security of their applications and reduce risk, banks commonly adopt third‑party code‑security scanning tools to perform static analysis during development, strengthening risk control from the source.
However, as banks adopt a wider range of programming languages, the limitations of existing scanning tools become apparent:
Different tools support different languages and focus areas, requiring a combination of tools to meet development needs.
Scanning rules are scattered across tools, creating rule islands.
Varied usage methods and rule configurations increase learning costs.
Code Scanning Center Construction Approach and Practice
ICBC has long emphasized software security and, in 2022, built an enterprise‑level code scanning center, establishing a three‑in‑one management system of "Unified Capability, Unified Rules, Unified Services".
1. Building Comprehensive Security Detection Capability
The center aggregates capabilities for static application security testing (SAST), software composition analysis (SCA), and dynamic application security testing (DAST). It creates a core scanning engine driven by unified rules and modular components that can be reused, plugged in, and assembled as external services.
For example, components can be integrated into quality gates to automatically scan code at check‑in based on language and rule criteria, blocking vulnerable code from entering the repository.
2. Improving the Code Detection Rule System
Standardizing rules: define naming conventions, vulnerability types, background information, and remediation suggestions to ensure consistency and readability, consolidating previously scattered rules into a unified rule library.
Layered rule scope: establish enterprise‑level, domain‑level, and application‑level rule tiers. Enterprise‑level rules apply to all applications, domain‑level rules target specific business areas (e.g., big‑data requirements), and application‑level rules address individual application needs.
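To make the two ideas above concrete (a unified rule library with standardized fields and three rule tiers, fed into the check‑in quality gate described in section 1), here is an added Python sketch that is not ICBC's code: the rule names, fields, regex patterns and the sample check‑in are all constructed for illustration, and the regex match stands in for a real SAST engine.

```python
import os
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:  # constructed: standardized fields of the unified rule library
    name: str
    tier: str             # "enterprise", "domain" or "application"
    languages: frozenset
    pattern: str          # regex stand-in for a real SAST check
    vuln_type: str
    remediation: str
    scope: str = "*"      # domain name or application id; "*" = bank-wide

EXT_TO_LANG = {".java": "java", ".py": "python", ".js": "javascript"}

def applicable_rules(rules, language, domain, app_id):
    """Enterprise rules always apply; domain rules only to that business
    domain; application rules only to that app id. Filtered by language."""
    return [r for r in rules if language in r.languages and (
        r.tier == "enterprise"
        or (r.tier == "domain" and r.scope == domain)
        or (r.tier == "application" and r.scope == app_id))]

def quality_gate(changed_files, rules, domain, app_id):
    """Scan each checked-in file with the rules resolved for its language.
    Returns (passed, findings); any finding blocks the check-in."""
    findings = []
    for path, source in changed_files.items():
        lang = EXT_TO_LANG.get(os.path.splitext(path)[1])
        if lang is None:
            continue  # no scanning component covers this language
        for rule in applicable_rules(rules, lang, domain, app_id):
            for lineno, line in enumerate(source.splitlines(), 1):
                if re.search(rule.pattern, line):
                    findings.append((path, lineno, rule.name, rule.remediation))
    return (len(findings) == 0, findings)

# Constructed rule library, one rule per tier; patterns are deliberately simple.
RULES = [
    Rule("ENT-HARDCODED-SECRET", "enterprise", frozenset({"java", "python", "javascript"}),
         r"password\s*=\s*[\"'][^\"']+[\"']", "Hardcoded credential", "Read secrets from the vault."),
    Rule("BIGDATA-UNSAFE-EVAL", "domain", frozenset({"python"}), r"\beval\(",
         "Code injection", "Use ast.literal_eval or explicit parsing.", scope="bigdata"),
    Rule("APP42-LEGACY-MD5", "application", frozenset({"java"}), r"getInstance\(\"MD5\"\)",
         "Weak hash", "Use SHA-256 from the bank's crypto library.", scope="app-42"),
]

# Constructed check-in from hypothetical app-7 in the big-data domain (3 findings).
CHECKIN = {"etl/loader.py": "cfg = load()\nres = eval(expr)\npassword = 'hunter2'\n",
           "web/Login.java": 'String password = "hunter2";\n'}
```

Running `quality_gate(CHECKIN, RULES, domain="bigdata", app_id="app-7")` blocks the check‑in: the enterprise rule fires in both files, the big‑data domain rule fires only in the Python file, and the app‑42 rule is never resolved for app‑7.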
3. Providing One‑Stop User Services
The platform integrates project, user, configuration, report, and vulnerability management, enabling users to complete all operations through a single interface.
A "drag‑and‑drop + auto‑trigger" model simplifies usage: users place scanning components on a graphical canvas, select parameter templates, and trigger scans immediately or on schedule, reducing manual steps.
Results and Outlook
By February 2023, ICBC’s code scanning center had been deployed across the software development center, domestic and overseas branches, and subsidiaries. It covers 24 programming languages and more than 3,000 scanning rules, and has executed more than 600,000 scan tasks on over 3.1 billion lines of code, continuously improving code quality and system security.
Looking forward, ICBC plans to strengthen security orientation by leveraging big data, artificial intelligence, and natural language processing to further advance the code scanning center and support the "Digital ICBC" initiative.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.