When to use a scan
Run a repository-wide scan when:
- you connect an unfamiliar repository
- a production incident suggests systemic risk
- you need to inspect dependencies, secrets, licenses, or public APIs
- a pull request finding points to a wider architectural problem
- you are preparing a remediation plan
Review categories
The hosted product may expose focused scan categories for areas such as:
- dependency and supply-chain risk
- secrets and sensitive configuration
- license compliance
- static security analysis
- API surface and runtime compatibility
- code quality and architecture
- business logic and payment flows
- frontend health and accessibility
Review scan results
Start with high-impact findings
Prioritize exploitable security issues, exposed credentials, authorization failures, and data integrity risks.
Verify the evidence
Open the affected code and confirm that the finding reflects runtime behavior and repository context.
Group related findings
Fix shared causes such as an outdated dependency, missing authorization layer, or repeated unsafe pattern.
Assign remediation work
Turn verified findings into owned work with a clear priority and acceptance criteria.
A scan finding is evidence for investigation. Confirm exploitability and business impact before treating it as a production vulnerability.
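The four triage steps above, as an added example that is not the product's own code: a small script that ranks constructed sample findings by impact class, merges those sharing a root cause into one remediation item, and keeps unverified findings as investigation tasks rather than production vulnerabilities. The finding kinds, record fields and sample values are assumptions, not the product's output format.

```python
from collections import defaultdict

# Impact ranking follows the page's guidance: exploitable security issues,
# exposed credentials, authorization failures and data-integrity risks first.
IMPACT_ORDER = {
    "exposed-credential": 0,
    "exploitable-security": 0,
    "authorization-failure": 1,
    "data-integrity": 1,
    "outdated-dependency": 2,
    "license": 3,
    "code-quality": 4,
}

# Constructed sample findings (hypothetical schema, not real scan output).
# "cause" is the shared root cause recorded while verifying the evidence;
# "verified" records whether the reviewer confirmed it in the affected code.
SAMPLE_FINDINGS = [
    {"id": "F1", "kind": "outdated-dependency", "path": "package.json",
     "cause": "lodash@4.17.15", "verified": True},
    {"id": "F2", "kind": "outdated-dependency", "path": "services/api/package.json",
     "cause": "lodash@4.17.15", "verified": True},
    {"id": "F3", "kind": "exposed-credential", "path": "config/prod.env",
     "cause": "secret-in-repo", "verified": True},
    {"id": "F4", "kind": "authorization-failure", "path": "api/orders.py",
     "cause": "missing-authz-middleware", "verified": True},
    {"id": "F5", "kind": "authorization-failure", "path": "api/refunds.py",
     "cause": "missing-authz-middleware", "verified": False},
    {"id": "F6", "kind": "code-quality", "path": "ui/app.js",
     "cause": "long-function", "verified": True},
]

def prioritize(findings):
    """Step 1: order findings by impact class, then by id for stable output."""
    return sorted(findings, key=lambda f: (IMPACT_ORDER.get(f["kind"], 99), f["id"]))

def group_by_cause(findings):
    """Step 3: merge findings that share a root cause into one group."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["kind"], f["cause"])].append(f)
    return groups

def build_work_items(findings):
    """Step 4: one owned work item per root cause, with priority and acceptance
    criteria; unverified findings are listed for verification (step 2) only."""
    items = []
    for (kind, cause), group in group_by_cause(prioritize(findings)).items():
        items.append({
            "priority": IMPACT_ORDER.get(kind, 99),
            "cause": cause,
            "fix_paths": sorted(f["path"] for f in group if f["verified"]),
            "verify_first": sorted(f["id"] for f in group if not f["verified"]),
            "acceptance": f"rescan reports no '{kind}' findings attributed to {cause}",
        })
    return sorted(items, key=lambda i: (i["priority"], i["cause"]))
```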

