
Frequently Asked Questions

General

What is CodeStax?

An AI-powered code security platform that scans repositories for vulnerabilities, insecure dependencies, exposed secrets, and infrastructure misconfigurations. Integrates with GitHub and Bitbucket for automated security on every commit and pull request.

What languages does CodeStax support?

30+ languages for SAST (Python, JavaScript, TypeScript, Java, Go, Ruby, PHP, C#, Kotlin, Swift, Rust, and more). 9 ecosystems for SCA (npm, pip, Maven, Gradle, Go, Cargo, Composer, RubyGems, NuGet). See Scanner Details for the full list.

Is my code stored on CodeStax servers?

No. Code is cloned temporarily for scanning and deleted immediately after. Only scan results (findings, scores, metadata) are retained.

Does CodeStax work with private repositories?

Yes. When you connect your GitHub or Bitbucket account, CodeStax uses your OAuth tokens to securely access private repositories.


Scanning

What’s the difference between Smart Scan and Deep Scan?

Smart Scan — Fast, runs SAST + Code Quality. Best for PRs and daily checks. Deep Scan — Thorough, adds all security engines plus AI enrichment. Best for releases and audits. See Smart vs Deep Scans.

How long does a scan take?

Smart Scan completes in minutes. Deep Scan takes longer for thorough analysis. Scans that remain in a pending or running state for an extended period are automatically marked as failed.

Can I exclude files from scanning?

Yes. Configure exclude paths for each repository in the SCA settings.


PR Reviews

How do I enable automated PR reviews?

Import a repository, enable Auto-scan on Push, and open a pull request — CodeStax reviews it automatically. See PR Reviews.

What does the risk score mean?

0–24 = Low, 25–49 = Medium, 50–74 = High, 75–100 = Critical. See PR Reviews for details.


API & CI/CD

How do I get an API key?

Go to Settings → API Keys → Generate New Key. The key is shown only once, so store it in your CI secret store or a secrets manager rather than in the repository. See API Authentication.

Can I trigger scans from CI/CD?

Yes:

curl -X POST \
  -H "X-API-Key: your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"type": "smart"}' \
  https://codestax.co/api/scans/trigger/{repo_id}

See API Endpoints for the full reference.
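A CI-side wrapper around that same call, added here as an example rather than CodeStax's own client. It uses only the endpoint shown above (POST /api/scans/trigger/{repo_id} with an X-API-Key header and a JSON body naming the scan type); the CODESTAX_API_KEY environment variable name, the BASE_URL constant, and the assumption that "smart" and "deep" are the only accepted type values are ours.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import quote

# Example added to this FAQ; not CodeStax's own client. Only the documented
# endpoint is used. Everything below marked "assumption" is not taken from the page.
BASE_URL = "https://codestax.co"
SCAN_TYPES = ("smart", "deep")  # assumption: the two scan types this FAQ describes


def build_scan_request(repo_id, api_key, scan_type="smart"):
    """Build (but do not send) the trigger request so it can be inspected or tested."""
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scan_type must be one of {SCAN_TYPES}, got {scan_type!r}")
    if not api_key:
        # Fail loudly: an empty key usually means the CI secret was not injected.
        raise ValueError("API key is empty; set CODESTAX_API_KEY in the CI secret store")
    # Percent-encode the id so an unexpected value cannot alter the path.
    url = f"{BASE_URL}/api/scans/trigger/{quote(str(repo_id), safe='')}"
    body = json.dumps({"type": scan_type}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
    )


def trigger_scan(repo_id, scan_type="smart", timeout=30):
    """Send the trigger request and return the HTTP status; raise on HTTP errors."""
    # Read the key from the environment (assumption: variable name CODESTAX_API_KEY);
    # never hard-code it in the pipeline file, since the key is shown only once.
    api_key = os.environ.get("CODESTAX_API_KEY", "")
    req = build_scan_request(repo_id, api_key, scan_type)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        # A 401/403 usually means a missing or revoked key; a 4xx can also be the
        # scan-limit condition described under Billing. Surface it so CI fails.
        raise RuntimeError(f"scan trigger failed: HTTP {exc.code}") from exc


if __name__ == "__main__":
    import sys

    repo = sys.argv[1]
    kind = sys.argv[2] if len(sys.argv) > 2 else "smart"
    status = trigger_scan(repo, kind)
    print(f"scan triggered (HTTP {status})")
    sys.exit(0 if 200 <= status < 300 else 1)
```

Run it from a pipeline step as `python trigger_scan.py <repo_id> smart` with CODESTAX_API_KEY injected as a masked secret; a non-2xx response makes the step fail rather than silently skipping the scan.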


Billing

Can I try CodeStax for free?

Yes. The Free plan includes a set number of repositories and scans plus basic SAST, with no credit card required.

What happens when I hit my scan limit?

You can't trigger new scans until the limit resets at the next billing period or you upgrade your plan. See Plans & Billing.

How does per-seat pricing work?

You pay per user. Scan limits scale with the number of seats and grow with your plan tier.


Support

How do I get help?