> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Scans

> Security analyses that run on your repositories.

## Overview

Scans are the security analyses Cysmiq runs against your repositories. Scans start automatically when repositories are onboarded and run on push events to branches and tags.

For the table view of scan runs, see [Scan list view](/scanning/scan-list-view).

## Scan types

Cysmiq uses scan types that reflect why a scan ran and which ref it covers:

* **Full scan**: Analyzes the entire repository. Runs when a repository is first onboarded or after a reset. Includes secrets, code vulnerabilities, and dependency analysis. Git history scanning runs as a separate scan when enabled.

* **Incremental scan**: Analyzes only the changes since the last scan. Faster than full scans while focusing on recent changes.

* **Branch scan**: Analyzes a branch ref when Cysmiq needs branch-specific results.

* **Tag scan**: Analyzes a tag ref when a VCS tag event triggers scanning.

## What scans detect

Each scan analyzes your code for:

* **Secrets**: Leaked credentials, API keys, and tokens
* **Code vulnerabilities**: Security issues in your source code
* **Dependencies**: Vulnerable packages in your dependency tree

See [Secrets](/scanning/secrets), [Code](/scanning/code), and [Dependencies](/scanning/dependencies) for details on each category.

## Scan triggers

| Trigger              | Scan type                  |
| -------------------- | -------------------------- |
| Repository onboarded | Full scan                  |
| Push to branch       | Incremental or branch scan |
| Push to tag          | Tag scan                   |
| Repository reset     | Full scan                  |

## VCS status updates

When a push event is associated with a pull request, Cysmiq can publish scan status updates and pull request decoration to connected VCS providers. See [VCS status updates](/scanning/vcs-status-updates) for supported providers, settings, and inheritance behavior.

## Scan status

Cysmiq tracks scan lifecycle status separately from VCS or pull request result. Lifecycle status describes where the scan is in the analysis pipeline. Result describes the provider check or current pull request evaluation outcome when Cysmiq has that data.

Common lifecycle states include:

* **Queued**: Waiting to start
* **In Progress**: Actively scanning
* **Processing**: Post-scan processing
* **Finalizing**: Wrapping up results
* **Completed**: Finished successfully
* **Completed with Errors**: Finished with non-blocking failures
* **Failed**: Encountered an error
* **Skipped**: Not run due to conditions or limits
* **Aborted**: Stopped before completion
* **Cancelled - No SWUs**: Stopped because Shift Work Units balance was insufficient
* **Recovering**: Retrying after failures

Result labels can come from a pull request evaluation, a provider check, or the scan status when no PR evaluation or provider check outcome is available. Examples include **PR passed**, **PR failed**, **PR unavailable**, **PR neutral**, **PR pending**, **Check passed**, **Check failed**, **Check neutral**, **Check pending**, **Scan passed**, **Scan failed**, **Scan neutral**, and **Scan pending**.

## Related concepts

* [Scan list view](/scanning/scan-list-view): review scan runs, filters, and exports
* [VCS status updates](/scanning/vcs-status-updates): control status checks and pull request decoration
* [Vulnerabilities](/concepts/vulnerabilities): findings from scans
