Overview
Scans are the security analyses Cysmiq runs against your repositories. Scans start automatically when repositories are onboarded and run on push events to branches and tags.
Scan types
Cysmiq uses two main scan types:
- Full scan: Analyzes the entire repository. Runs when a repository is first onboarded or after a repository reset. Includes secrets, code vulnerabilities, and dependency analysis. Git history scanning runs as a separate scan when enabled.
- Incremental scan: Analyzes only the changes since the last scan. Runs on push events to branches and tags. Faster than a full scan because it covers only the recent changes.
What scans detect
Each scan analyzes your code for:
- Secrets: Leaked credentials, API keys, and tokens
- Code vulnerabilities: Security issues in your source code
- Dependencies: Vulnerable packages in your dependency tree
Scan triggers
| Trigger | Scan type |
|---|---|
| Repository onboarded | Full scan |
| Push to branch or tag | Incremental scan |
| Repository reset | Full scan |
Pull request decoration
When a push event is associated with a pull request, Cysmiq automatically decorates the PR with scan results. This includes check status on GitHub and commit status on GitLab.
Scan status
Common scan states include:
- Queued: Waiting to start
- In Progress: Actively scanning
- Processing: Post-scan processing
- Finalizing: Wrapping up results
- Completed: Finished successfully
- Completed with Errors: Finished with non-blocking failures
- Failed: Encountered an error
- Skipped: Not run due to conditions or limits
- Aborted: Stopped before completion
- Recovering: Retrying after failures
Related concepts
- Vulnerabilities: Findings from scans