Run Your First Scan
Triggering a Scan
There are several ways to start a scan:
From the Repositories Page
- Go to Dashboard → Repositories
- Find the repository you want to scan
- Click the Scan button
- Choose your scan type:
  - Smart Scan — Fast, focused on common vulnerabilities
  - Deep Scan — Comprehensive, includes all scanners + AI enrichment
- Click Start Scan
Automatic First Scan
If you imported repositories during onboarding, CodeStax automatically triggers your first scan using the scan type you selected in the wizard.
Scan Progress
Once a scan is triggered:
- Queued — The scan is waiting for a scanner to become available
- In Progress — Scanners are actively analyzing your code
- Completed — Results are ready for review
The dashboard auto-refreshes every 5 seconds so you can see progress in real time.
Timeout: Scans that remain Queued or In Progress for more than 35 minutes are automatically marked as failed; a failed scan produces no results and has to be started again.
Understanding Scan Results
Navigate to Dashboard → Scans to see all scan results.
Scan Summary
Each completed scan shows:
- Repository name and scan type (Smart/Deep)
- Status — Clean (no issues), or the number of issues found
- Severity breakdown — Critical, High, Medium, Low
- Scan duration
Issue Details
Click on a scan to see detailed findings:
| Field | Description |
|---|---|
| Severity | Critical, High, Medium, or Low |
| Title | Brief description of the vulnerability |
| File | File path and line number where the issue was found |
| Scanner | Which scanner detected it (Semgrep, Trivy, etc.) |
| CWE | Common Weakness Enumeration reference |
| CVSS Score | Standardized severity score (0-10) |
| EPSS Score | Exploit Prediction Scoring System: the estimated probability (0-1) that the vulnerability is exploited in the wild within the next 30 days. EPSS is defined for CVEs, so it is only meaningful on findings tied to a known CVE (for example, dependency findings from Trivy) |
| Remediation | AI-generated fix suggestion with code examples |
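The fields above are what you sort and filter on when deciding what to fix first. The following is an added example of one way to do that outside the dashboard; it is not CodeStax code and does not use a CodeStax API. It deduplicates findings that several scanners reported at the same file, line and CWE (the same idea as the deduplication that Deep Scan's Vulnerability Correlation step performs, though the merge key here is an assumption) and then orders them so that a finding with a high EPSS outranks a nominally higher-severity finding that is unlikely to be exploited. The sample findings, the `example-lib`/`example-js` package names and the 0.1 EPSS cut-off are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Severity labels as they appear in the Issue Details table, ranked for sorting.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# EPSS is a probability (0.0-1.0) that a CVE is exploited in the wild within the
# next 30 days. The 0.1 cut-off is a triage assumption for this example, not a
# CodeStax setting.
EPSS_LIKELY_EXPLOITED = 0.10


@dataclass(frozen=True)
class Finding:
    severity: str
    title: str
    file: str
    line: int
    scanner: str
    cwe: str
    cvss: Optional[float]  # absent where no CVSS vector applies (e.g. a leaked secret)
    epss: Optional[float]  # only defined for findings tied to a known CVE


# Constructed sample findings in the shape of the Issue Details table. These are
# illustrative values, not output from a real scan.
SAMPLE_FINDINGS = [
    Finding("High", "SQL injection via string formatting", "app/db.py", 42, "Semgrep", "CWE-89", 8.8, None),
    Finding("High", "SQL injection via string formatting", "app/db.py", 42, "Bandit", "CWE-89", 8.8, None),
    Finding("High", "Path traversal in dependency example-lib", "requirements.txt", 12, "Trivy", "CWE-22", 7.5, 0.01),
    Finding("Medium", "Prototype pollution in dependency example-js", "package-lock.json", 310, "Trivy", "CWE-1321", 6.5, 0.93),
    Finding("Critical", "AWS access key committed to source", "app/config.py", 7, "Gitleaks", "CWE-798", None, None),
    Finding("Low", "MD5 used for password hashing", "app/utils.py", 19, "Bandit", "CWE-328", 3.7, None),
]


def deduplicate(findings):
    """Merge findings that point at the same file, line and CWE, recording every
    scanner that reported them. Insertion order is preserved."""
    merged = {}
    for f in findings:
        key = (f.file, f.line, f.cwe)
        if key in merged:
            merged[key][1].append(f.scanner)
        else:
            merged[key] = (f, [f.scanner])
    return [(f, sorted(scanners)) for f, scanners in merged.values()]


def priority_key(f):
    """Sort key; highest priority first when sorted in reverse.

    The leading flag marks Critical findings and anything whose EPSS says
    exploitation is likely, regardless of its static severity label. Within
    that bucket the order falls back to severity, then EPSS, then CVSS."""
    epss = f.epss or 0.0
    cvss = f.cvss or 0.0
    urgent = f.severity == "Critical" or epss >= EPSS_LIKELY_EXPLOITED
    return (urgent, SEVERITY_RANK.get(f.severity, 0), epss, cvss)


def triage(findings):
    """Deduplicate, then order for review. Returns (finding, scanners) pairs."""
    unique = deduplicate(findings)
    return sorted(unique, key=lambda pair: priority_key(pair[0]), reverse=True)


if __name__ == "__main__":
    for f, scanners in triage(SAMPLE_FINDINGS):
        print(f"{f.severity:<8} epss={f.epss or 0:.2f} cvss={f.cvss or 0:.1f} "
              f"{f.file}:{f.line} {f.title} [{', '.join(scanners)}]")
```

With the sample data the Medium-severity dependency finding with EPSS 0.93 is ranked directly behind the committed AWS key and ahead of both High findings, and the SQL injection reported by Semgrep and Bandit collapses into a single entry that records both scanners.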
Security Score
After your first scan, you’ll see a Security Score (0-100) on the dashboard:
- 80-100 — Excellent
- 50-79 — Good, but has areas to improve
- Below 50 — Needs attention
This score is calculated from your compliance posture across all scanned repositories.
What Gets Scanned
Smart Scan Tools
| Tool | What It Checks |
|---|---|
| Semgrep | OWASP Top 10, injection flaws, XSS, insecure crypto, auth issues |
| Ruff | Python code quality and security patterns |
| Bandit | Python-specific vulnerabilities (SQL injection, hardcoded passwords, etc.) |
| ESLint | JavaScript/TypeScript security anti-patterns |
Deep Scan (adds)
| Tool | What It Checks |
|---|---|
| Trivy | Known CVEs in npm, pip, Maven, Go, and 5 more package ecosystems |
| Gitleaks | API keys, passwords, tokens, private keys in your codebase |
| Checkov | Terraform, Kubernetes, CloudFormation, and Dockerfile misconfigurations |
| Hadolint | Dockerfile security best practices |
| AI Enrichment | LLM-powered remediation advice for every finding |
| CVSS/EPSS Scoring | Industry-standard vulnerability scoring |
| Vulnerability Correlation | Deduplication and attack chain detection |
Test File Filtering
CodeStax automatically excludes test and fixture files to reduce false positives. This includes files matching common patterns for:
- pytest, unittest, Jest, Mocha, Jasmine
- Storybook stories
- Cypress, Playwright, RSpec
- Mock and fixture directories
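Because findings in excluded files are never reported, a real credential committed to a fixture file, or a security-relevant helper that lives under a test directory, is also skipped; keep secrets out of fixtures regardless and review such files separately. To make the filtering concrete, here is an added example (not CodeStax code, and not its actual exclusion list) of a path matcher built from the conventional patterns of the frameworks named above. The pattern list and the sample paths are assumptions constructed for illustration; note that files whose names merely contain "test" (such as `contest.py` or a `latest/` directory) are deliberately kept.

```python
import re

# Conventional naming patterns for test, fixture and story files, grouped by
# framework. This list is an assumption for this example; it is not the
# product's own exclusion list. Paths are matched after normalising to "/".
EXCLUDED_PATH_PATTERNS = [
    # pytest / unittest
    r"(^|/)test_[^/]+\.py$",
    r"(^|/)[^/]+_test\.py$",
    r"(^|/)conftest\.py$",
    r"(^|/)tests?/",
    # Jest / Mocha / Jasmine
    r"(^|/)__tests__/",
    r"\.(test|spec)\.[cm]?[jt]sx?$",
    # Storybook
    r"\.stories\.[jt]sx?$",
    # Cypress / Playwright
    r"(^|/)cypress/",
    r"(^|/)e2e/",
    r"\.cy\.[jt]sx?$",
    # RSpec
    r"(^|/)spec/",
    r"_spec\.rb$",
    # Mock and fixture directories
    r"(^|/)(__mocks__|mocks?|fixtures?)/",
]

_EXCLUDE_RE = re.compile("|".join(EXCLUDED_PATH_PATTERNS))

# Constructed sample repository listing used to exercise the matcher.
SAMPLE_PATHS = [
    "app/db.py",
    "app/config.py",
    "tests/test_db.py",
    "src/auth_test.py",
    "src/components/Button.test.tsx",
    "src/components/Button.stories.tsx",
    "cypress/e2e/login.cy.js",
    "spec/models/user_spec.rb",
    "src/__mocks__/axios.js",
    "src/fixtures/users.json",
    "src/contest.py",        # contains "test" but is not a test file
    "src/testing_utils.py",  # likewise
    "latest/report.py",      # directory name contains "test"
]


def is_test_or_fixture(path):
    """True if the path matches any test, fixture, mock or story pattern.

    Anchoring every pattern to a path separator (or the start of the path)
    is what stops "contest.py" or "latest/" from being excluded by accident."""
    normalised = path.replace("\\", "/")
    return _EXCLUDE_RE.search(normalised) is not None


def filter_scan_targets(paths):
    """Return only the paths that should be handed to the scanners."""
    return [p for p in paths if not is_test_or_fixture(p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{'skip' if is_test_or_fixture(p) else 'scan'}  {p}")
```

The check runs on the path alone, so it costs nothing per file; the trade-off is that a misnamed fixture directory (say, `testdata/` instead of `fixtures/`) is still scanned, and a production module parked under `tests/` is not.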