Frequently Asked Questions
General
What is CodeStax?
CodeStax is an AI-powered code security platform that scans your repositories for vulnerabilities, insecure dependencies, exposed secrets, and infrastructure misconfigurations. It integrates with GitHub, Bitbucket, and GitLab to provide automated security analysis on every commit and pull request.
What languages does CodeStax support?
CodeStax supports 30+ programming languages via Semgrep, including: Python, JavaScript, TypeScript, Java, Go, Ruby, PHP, C#, Kotlin, Swift, Rust, C, C++, Scala, and more.
For dependency scanning (SCA), CodeStax supports 9 package ecosystems: npm, pip, Maven, Gradle, Go, Cargo, Composer, RubyGems, and NuGet.
Is my code stored on CodeStax servers?
Code is cloned temporarily for scanning and deleted immediately after analysis. Scan results (findings, scores, metadata) are stored for your configured history period. CodeStax never stores your full source code permanently.
Does CodeStax work with private repositories?
Yes. When you connect your GitHub or Bitbucket account, CodeStax uses your OAuth tokens to securely access private repositories. Tokens are stored encrypted at rest.
Scanning
What’s the difference between Smart Scan and Deep Scan?
Smart Scan is fast (1-5 minutes) and runs SAST tools (Semgrep, Ruff, Bandit, ESLint). Best for frequent checks and PR reviews.
Deep Scan is thorough (5-20 minutes) and adds SCA, secret detection, IaC scanning, AI remediation, CVSS/EPSS scoring, and vulnerability correlation. Best for releases and audits.
Both count as 1 scan against your monthly quota.
How long does a scan take?
- Smart Scan: 1-5 minutes for most repositories
- Deep Scan: 5-20 minutes depending on repository size
Scans that exceed the configured timeout (default: 15 minutes, configurable up to 2 hours) are automatically stopped.
What happens to test files?
CodeStax automatically filters out test files, fixtures, mocks, and similar files to reduce false positives. This includes common patterns for pytest, Jest, Mocha, Storybook, Cypress, Playwright, and RSpec.
Can I exclude files or directories from scanning?
Yes. In the SCA settings for each repository, you can configure:
- Exclude paths — Specific directories to skip
- Exclude extensions — File types to ignore
Why did my scan fail?
Scans can fail for several reasons:
- Timeout — The scan exceeded the configured time limit
- Repository access — OAuth token expired or permissions revoked
- Scanner error — A scanner encountered an unexpected error
Check the scan details page for the specific error message.
PR Reviews
How do I enable automated PR reviews?
- Import a repository from GitHub or Bitbucket
- Webhooks are automatically registered when you enable Auto-scan on Push
- Open a pull request — CodeStax will automatically review it
What does the risk score mean?
| Score | Risk Level |
|---|---|
| 75-100 | Critical — do not merge without fixing |
| 50-74 | High — significant security issues |
| 25-49 | Medium — minor issues to consider |
| 0-24 | Low — clean or minimal risk |
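As an added example that is not part of the CodeStax docs or product, a POSIX shell helper a CI job could use to act on these bands and to trigger a scan through the API call shown below under "Can I trigger scans from CI/CD?". The endpoint, header and scan types come from this page; CODESTAX_API_KEY, MAX_RISK, the function names and the assumption that the finished scan's 0-100 score is passed in by the caller are mine.

```shell
#!/bin/sh
# Added example, not CodeStax's own tooling. Assumes the endpoint, header
# and scan types shown in this FAQ, that CODESTAX_API_KEY is provided as a
# CI secret, and that the finished scan's 0-100 risk score is passed in by
# the caller (how it is retrieved is not covered here).
set -eu

# Build the JSON body; only the two scan types the FAQ documents are accepted.
build_payload() {
  repo="$1"; kind="$2"
  case "$kind" in
    smart|deep) ;;
    *) echo "scan_type must be smart or deep, got: $kind" >&2; return 1 ;;
  esac
  printf '{"repository_id": "%s", "scan_type": "%s"}' "$repo" "$kind"
}

# POST the trigger request. The key is read from the environment so it never
# lands in the repository or the CI log; --fail turns an HTTP error (bad key,
# exhausted quota) into a non-zero exit the pipeline can act on.
trigger_scan() {
  payload=$(build_payload "$1" "$2") || return 1
  curl --silent --show-error --fail -X POST \
    -H "X-API-Key: ${CODESTAX_API_KEY:?set CODESTAX_API_KEY as a CI secret}" \
    -H "Content-Type: application/json" \
    -d "$payload" \
    https://codestax.co/api/scans/trigger
}

# Map a 0-100 risk score to the band in the table above.
risk_level() {
  if [ "$1" -ge 75 ]; then echo Critical
  elif [ "$1" -ge 50 ]; then echo High
  elif [ "$1" -ge 25 ]; then echo Medium
  else echo Low; fi
}

# Fail the job once the score enters the "do not merge" band (75+). Set
# MAX_RISK lower (e.g. 49) to also block High findings.
gate_on_score() {
  level=$(risk_level "$1")
  if [ "$1" -gt "${MAX_RISK:-74}" ]; then
    echo "risk score $1 ($level): blocking merge" >&2; return 1
  fi
  echo "risk score $1 ($level): merge allowed"
}
```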
API & CI/CD
How do I get an API key?
Go to Settings → API Keys and click Generate New Key. The key is shown only once — store it securely. See API Reference for usage details.
Can I trigger scans from CI/CD?
Yes. Use the API to trigger scans programmatically:
```shell
curl -X POST \
  -H "X-API-Key: your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"repository_id": "repo-id", "scan_type": "smart"}' \
  https://codestax.co/api/scans/trigger
```
Billing
Can I try CodeStax for free?
Yes. The Free plan includes 1 repository, 5 scans/month, and basic SAST scanning — no credit card required.
What happens when I hit my scan limit?
You’ll receive a notification and won’t be able to trigger new scans until:
- Your limit resets at the start of the next billing period, or
- You upgrade to a higher plan
How does per-seat pricing work?
You pay per user in your organization. For example, a Team plan with 5 users costs 5 × $25 = $125/month. Scan limits scale per seat (e.g., 150 scans/seat/month × 5 seats = 750 scans/month).
Support
How do I get help?
- Documentation — You’re reading it!
- Email — support@codestax.co
- Enterprise — Dedicated Customer Success Manager with 4-hour SLA
Where do I report bugs?
Email support@codestax.co with:
- Description of the issue
- Steps to reproduce
- Screenshots if applicable
- Your organization name