Run Your First Scan
Triggering a Scan
There are several ways to start a scan:
From the Repositories Page
Automatic First Scan
If you imported repositories during onboarding, CodeStax automatically triggers your first scan using the scan type you selected in the wizard.
Scan Progress
Once a scan is triggered, it moves through these states:
- Queued — The scan is waiting for a scanner to become available
- In Progress — Scanners are actively analyzing your code
- Completed — Results are ready for review
The dashboard auto-refreshes every 5 seconds so you can see progress in real time.
Understanding Scan Results
Navigate to Dashboard → Scans to see all scan results.
Scan Summary
Each completed scan shows:
- Repository name and scan type (Smart/Deep)
- Status — Clean (no issues), or the number of issues found
- Severity breakdown — Critical, High, Medium, Low
- Scan duration
Issue Details
Click on a scan to see detailed findings:
| Field | Description |
|---|---|
| Severity | Critical, High, Medium, or Low |
| Title | Brief description of the vulnerability |
| File | File path and line number where the issue was found |
| Scanner | Which scanner detected it (SAST, SCA, etc.) |
| CWE | Common Weakness Enumeration reference |
| CVSS Score | Standardized severity score (0-10) rating the weakness's intrinsic characteristics, not whether anyone is attacking it |
| EPSS Score | Exploit Prediction Scoring System: estimated probability (0-1) that the vulnerability will be exploited in the wild within the next 30 days, useful for ordering fixes among findings with similar CVSS scores |
| Remediation | AI-generated fix suggestion with code examples |
Security Score
After your first scan, you’ll see a Security Score (0-100) on the dashboard:
- 80-100 — Excellent
- 50-79 — Good, but has areas to improve
- Below 50 — Needs attention
This score is calculated from your compliance posture across all scanned repositories.
What Gets Scanned
Smart Scan Tools
| Tool | What It Checks |
|---|---|
| SAST | OWASP Top 10, injection flaws, XSS, insecure crypto, auth issues |
| Code Quality | General static analysis for code-quality defects and insecure coding patterns |
Deep Scan (adds)
| Tool | What It Checks |
|---|---|
| SCA | Known CVEs in npm, pip, Maven, Go, and 5 more package ecosystems |
| Secrets | API keys, passwords, tokens, private keys in your codebase |
| IaC | Terraform, Kubernetes, CloudFormation, and Dockerfile misconfigurations |
| Container | Dockerfile security best practices |
| AI Enrichment | LLM-powered remediation advice for every finding |
| CVSS/EPSS Scoring | Industry-standard vulnerability scoring |
| Vulnerability Correlation | Deduplication of the same issue when more than one scanner reports it, so one bug is counted once |
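The Issue Details fields and the cross-scanner deduplication above are what a triage script works with. The following is an added example, not CodeStax code and not its export format: the dict layout, the correlation key (file, line, CWE), the tier thresholds and the sample findings are all constructed assumptions for illustration. It collapses duplicates, then ranks by EPSS and CVSS together, and treats a finding with no EPSS value (a hardcoded secret has no CVE to score) as unknown likelihood rather than zero.

```python
"""Triage deduplicated findings by exploit likelihood and severity.

Added example, not CodeStax code. The finding layout below mirrors the Issue
Details fields, but the dict keys, the correlation key and the tier thresholds
are assumptions chosen for illustration.
"""

# Constructed sample findings (not real scan output): one SQL injection reported
# by two scanners, one dependency CVE, and one hardcoded secret with no EPSS.
SAMPLE_FINDINGS = [
    {"severity": "High", "title": "SQL injection in user lookup",
     "file": "src/db/users.py", "line": 42, "scanner": "SAST",
     "cwe": "CWE-89", "cvss": 8.6, "epss": 0.02},
    {"severity": "High", "title": "Unsanitized string used in query",
     "file": "src/db/users.py", "line": 42, "scanner": "Code Quality",
     "cwe": "CWE-89", "cvss": 7.5, "epss": 0.02},
    {"severity": "Critical", "title": "Vulnerable dependency: prototype pollution",
     "file": "package.json", "line": 17, "scanner": "SCA",
     "cwe": "CWE-1321", "cvss": 9.8, "epss": 0.91},
    {"severity": "Medium", "title": "Hardcoded cloud access key",
     "file": "config/settings.py", "line": 9, "scanner": "Secrets",
     "cwe": "CWE-798", "cvss": 6.5, "epss": None},
]


def correlation_key(finding):
    """Same file, same line, same weakness class => same issue, whichever
    scanner reported it. (Assumed key; a real correlator may also use a CVE id.)"""
    return (finding["file"], finding["line"], finding["cwe"])


def deduplicate(findings):
    """Collapse cross-scanner duplicates, keeping the highest CVSS and
    recording every scanner that flagged the issue under 'scanners'."""
    merged = {}
    for f in findings:
        key = correlation_key(f)
        if key not in merged:
            merged[key] = dict(f, scanners=[f["scanner"]])
            continue
        kept = merged[key]
        kept["scanners"].append(f["scanner"])
        if f["cvss"] > kept["cvss"]:
            kept.update({k: f[k] for k in ("severity", "title", "cvss")})
    return list(merged.values())


def tier(finding):
    """0 = fix now ... 3 = backlog. Thresholds are assumptions: CVSS >= 7.0 is
    the usual High cut-off; EPSS >= 0.1 means a >10% chance of exploitation in
    the wild within 30 days."""
    cvss, epss = finding["cvss"], finding.get("epss")
    high_impact = cvss >= 7.0
    if epss is None:
        # No EPSS means there is no CVE behind the finding (e.g. a leaked
        # secret), not that exploitation is unlikely: never send it to backlog.
        return 1 if high_impact else 2
    likely = epss >= 0.1
    if high_impact and likely:
        return 0
    if high_impact:
        return 1
    if likely:
        return 2
    return 3


def triage(findings):
    """Deduplicate, then order by tier, then CVSS, then EPSS (most urgent first)."""
    unique = deduplicate(findings)
    return sorted(unique, key=lambda f: (tier(f), -f["cvss"], -(f.get("epss") or 0.0)))


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"T{tier(f)} CVSS {f['cvss']:<4} EPSS {f['epss']!s:<5} "
              f"{f['file']}:{f['line']} {f['title']} [{', '.join(f['scanners'])}]")
```

On the sample data the two SQL injection reports merge into one entry carrying both scanner names, the dependency CVE with EPSS 0.91 lands in tier 0, and the secret stays in tier 2 despite its Medium CVSS because its likelihood is unknown, not low.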
Test File Filtering
CodeStax automatically excludes test and fixture files to reduce false positives: files from common test frameworks, story files, end-to-end test suites, and mock/fixture directories are filtered out. Keep in mind that a real credential committed under a test or fixture directory is still a live credential; if such files hold anything other than dummy values, rotate the secret rather than relying on the filter to hide it.
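To make the filtering concrete, here is an added example of such a path filter. It is not CodeStax's rule set: the directory names and file-name patterns are common conventions assumed for illustration, the sample findings are constructed, and the `keep_scanners` argument is this example's own addition so that secrets hits in fixture files can survive the filter.

```python
"""Path filter for test, story, e2e and fixture files.

Added example, not CodeStax's rule set: the directory names and file-name
patterns are common conventions assumed here for illustration; adjust them to
your repositories.
"""
import re
from pathlib import PurePosixPath

# Directories conventionally holding tests, mocks and fixtures (assumed list).
TEST_DIRS = {
    "test", "tests", "__tests__", "spec", "e2e", "cypress",
    "fixtures", "__fixtures__", "mocks", "__mocks__", "testdata",
}

# File-name conventions (assumed): test_*.py, *_test.py, conftest.py, *_test.go,
# *.test.js / *.spec.ts / *.stories.tsx (plus .jsx/.mjs/.cjs variants), *Test(s).java
TEST_FILE_RE = re.compile(
    r"(?:^test_.*\.py$|_test\.py$|^conftest\.py$|_test\.go$"
    r"|\.(?:test|spec|stories)\.[cm]?[jt]sx?$"
    r"|Tests?\.java$)"
)


def is_test_path(path):
    """True when any parent directory is a test/fixture directory or the file
    name follows a test-file convention. Backslashes are normalised so
    Windows-style paths are handled too."""
    parts = PurePosixPath(path.replace("\\", "/")).parts
    if not parts:
        return False
    if any(part in TEST_DIRS for part in parts[:-1]):
        return True
    return TEST_FILE_RE.search(parts[-1]) is not None


def filter_findings(findings, keep_scanners=()):
    """Drop findings located in test/fixture files.

    keep_scanners is this example's own addition, not page behaviour: a
    credential in a fixture file is still a credential, so callers can exempt
    e.g. the Secrets scanner from the filter.
    """
    return [
        f for f in findings
        if f["scanner"] in keep_scanners or not is_test_path(f["file"])
    ]


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    {"scanner": "SAST", "file": "src/db/users.py", "title": "SQL injection"},
    {"scanner": "SAST", "file": "tests/test_users.py", "title": "SQL injection"},
    {"scanner": "Secrets", "file": "src/__fixtures__/aws_creds.json",
     "title": "Hardcoded access key"},
]

if __name__ == "__main__":
    for f in filter_findings(SAMPLE_FINDINGS, keep_scanners=("Secrets",)):
        print(f["scanner"], f["file"], f["title"])
```

Only directory components before the file name are matched against `TEST_DIRS`, so a source file that merely contains "test" in its name (`contest.py`) or lives under a directory like `latest/` is not excluded; the file-name regex anchors on the conventional prefixes and suffixes for the same reason.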