Overview
Scans are the security analyses Cysmiq runs against your repositories. Scans start automatically when repositories are onboarded and run on push events to branches and tags. For the table view of scan runs, see Scan list view.Scan types
Cysmiq uses scan types that reflect why a scan ran and which ref it covers:- Full scan: Analyzes the entire repository. Runs when a repository is first onboarded or after a reset. Includes secrets, code vulnerabilities, and dependency analysis. Git history scanning runs as a separate scan when enabled.
- Incremental scan: Analyzes only the changes since the last scan. Faster than full scans while focusing on recent changes.
- Branch scan: Analyzes a branch ref when Cysmiq needs branch-specific results.
- Tag scan: Analyzes a tag ref when a VCS tag event triggers scanning.
What scans detect
Each scan analyzes your code for:- Secrets: Leaked credentials, API keys, and tokens
- Code vulnerabilities: Security issues in your source code
- Dependencies: Vulnerable packages in your dependency tree
Scan triggers
| Trigger | Scan type |
|---|---|
| Repository onboarded | Full scan |
| Push to branch | Incremental or branch scan |
| Push to tag | Tag scan |
| Repository reset | Full scan |
VCS status updates
When a push event is associated with a pull request, Cysmiq can publish scan status updates and pull request decoration to connected VCS providers. See VCS status updates for supported providers, settings, and inheritance behavior.Scan status
Cysmiq tracks scan lifecycle status separately from VCS or pull request result. Lifecycle status describes where the scan is in the analysis pipeline. Result describes the provider check or current pull request evaluation outcome when Cysmiq has that data. Common lifecycle states include:- Queued: Waiting to start
- In Progress: Actively scanning
- Processing: Post-scan processing
- Finalizing: Wrapping up results
- Completed: Finished successfully
- Completed with Errors: Finished with non-blocking failures
- Failed: Encountered an error
- Skipped: Not run due to conditions or limits
- Aborted: Stopped before completion
- Cancelled - No SWUs: Stopped because Shift Work Units balance was insufficient
- Recovering: Retrying after failures
Related concepts
- Scan list view: review scan runs, filters, and exports
- VCS status updates: control status checks and pull request decoration
- Vulnerabilities: findings from scans