Skip to main content

Overview

Cysmiq can publish scan updates back to connected version control systems. These updates help developers see scan progress and final scan results from commits and pull requests. Use VCS Status & PR Decoration settings to control these updates at the workspace, organization, or repository level.

Settings

The settings panel has two controls:
SettingWhat it controls
VCS status checksPosts scan status updates to commits and pull requests across connected VCS providers.
PR decorationAdds pull request comments or check summaries when scans finish and the scan is linked to a pull request.
Both settings are enabled by default unless your deployment or a more specific scope disables them.

Where to configure settings

Owners and users with the relevant settings permission can configure VCS status behavior in these places:
ScopeWhere
WorkspaceWorkspace settings, in VCS Status & PR Decoration.
OrganizationOrganization detail page, Settings tab.
RepositoryRepository detail page, Settings tab.
Repository settings are available when the repository is enabled. If the repository itself is disabled, Cysmiq does not keep repository data up to date and does not publish provider statuses for that repository until scanning is re-enabled.

Inheritance

VCS status settings inherit from broader scopes until you set an override.
Scope being configuredInherits from
RepositoryRepository override, then organization hierarchy, then workspace default, then global default.
OrganizationOrganization override, then parent organizations, then workspace default, then global default.
WorkspaceWorkspace default, then global default.
When a scope has its own setting, the UI shows it as an override. Use Reset overrides to return that scope to the inherited value.

Provider behavior

Cysmiq uses the supported status mechanism for each connected provider.
ProviderStatus updatesPull request decoration
GitHubCheck runs and commit statusesPull request comments or check summaries
GitHub Enterprise ServerCheck runs and commit statusesPull request comments or check summaries
GitLabCommit statusesMerge request comments
Self-managed GitLabCommit statusesMerge request comments
Bitbucket CloudCommit statusesPull request comments
Bitbucket Data CenterCommit statusesPull request comments
The exact content of provider updates can change as scan reporting evolves. Use the settings page to control whether Cysmiq publishes those updates, not to configure the content of each provider message.

VCS status checks

Cysmiq can publish separate VCS status checks so scan execution, pull request assessment, and policy enforcement are visible independently. Provider UI names vary: GitHub groups check runs and commit statuses under status checks, GitLab shows commit statuses, and Bitbucket can show commit statuses as build statuses.
VCS status checkWhat it represents
Cysmiq ScanThe security scan lifecycle and terminal scan result. It starts as queued or in progress, then reports the terminal status and result, such as completed, completed with errors, failed, skipped, aborted, cancelled, or passed when no unresolved actionable vulnerabilities remain.
Cysmiq PR AssessmentThe pull request vulnerability assessment for the current PR head. It can pass, fail, remain pending while required snapshot data is unavailable, be neutral when evaluation is not required, or be unavailable when Cysmiq cannot evaluate the current PR state.
Cysmiq PoliciesPolicy enforcement for the pull request or commit. It runs after scan completion when policies are available, fails for blocking policy violations or policy evaluation failures, and passes when there are no blocking violations. Warning-only policy violations do not block this check.
These statuses can have different outcomes on the same pull request. For example, the scan can complete while policy enforcement fails because a blocking policy violation exists. In the Cysmiq Scans view, the Result column summarizes related pull request, provider check, or scan outcomes. See Scan list view.

What disabling affects

Disabling VCS status checks stops Cysmiq from publishing new status updates for the selected scope. If Cysmiq already created a provider status for an active scan, it may still publish a final close-out update so the provider view does not remain stuck in an in-progress state. Disabling PR decoration stops Cysmiq from publishing pull request decoration for scans in the selected scope. The repository Enable setting controls whether a repository scans at all. When a repository is disabled, Cysmiq blocks scanning and provider status publishing for that repository. Existing provider checks may remain unchanged until the repository is re-enabled and scanned again. These settings do not:
  • Disable repository scanning
  • Delete existing scans, findings, or pull request comments
  • Change vulnerability status or assignment
  • Change VCS integration sync or repository access
  • Hide scan results inside Cysmiq
Use the repository Enable setting when the goal is to stop scanning a repository.