Smart vs Deep Scans
CodeStax offers two scan modes to balance speed and thoroughness.
Smart Scan
Best for: Frequent checks, PR reviews, daily monitoring
Smart Scan runs a focused set of SAST tools optimized for speed and low false positives.
What Runs
| Tool | Purpose | Languages |
|---|---|---|
| Semgrep | SAST with OWASP + CWE rulesets | 30+ languages |
| Ruff | Fast Python linting | Python |
| Bandit | Python security analysis | Python |
| ESLint | JS/TS security patterns | JavaScript, TypeScript |
Characteristics
- Speed: Completes in 1-5 minutes for most repositories
- Confidence: 70-80%+ accuracy on reported findings
- False Positives: Minimized through lighter rulesets, which also means fewer checks run
- Coverage: Source code only; dependencies, secrets, and infrastructure-as-code are not scanned, so a PR that adds a hardcoded credential or a vulnerable package passes a Smart Scan unflagged (Deep Scan adds those scanners)
- Cost: Counts as 1 scan against your monthly quota
Deep Scan
Best for: Release preparation, compliance audits, main branch scans
Deep Scan runs all available scanners plus AI-powered enrichment.
What Runs
Everything in Smart Scan, plus:
| Tool | Purpose |
|---|---|
| Trivy | Dependency vulnerability scanning (SCA) |
| Gitleaks | Secret and credential detection |
| Checkov | Infrastructure-as-Code scanning |
| Hadolint | Dockerfile linting (best-practice and security rules) |
| AI Enrichment | LLM-generated remediation for each finding |
| CVSS/EPSS | CVSS severity scoring plus EPSS exploit-probability scoring (EPSS applies to dependency CVEs) |
| Correlation Engine | Deduplication and attack chain detection |
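To make the last two rows concrete, here is an added illustration (not CodeStax's correlation engine, and not code from this page) of how findings from several scanners can be deduplicated and then ranked by combining CVSS severity with EPSS exploit probability. The `Finding` structure, the fingerprint rule, the priority weights and the sample findings (including the `CVE-EXAMPLE-*` identifiers) are constructed for the example; EPSS only exists for CVEs, so SAST findings get the severity-only floor.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str       # scanner rule ID or CVE identifier
    path: str
    line: int
    cwe: str = ""      # shared CWE lets different tools' rule IDs be matched
    cvss: float = 0.0  # CVSS base score 0-10: how bad exploitation would be
    epss: float = 0.0  # EPSS probability 0-1: how likely exploitation is (CVEs only)


def fingerprint(f: Finding) -> tuple:
    """Two findings are the same issue if they share a CWE (or rule) at one location."""
    return (f.cwe or f.rule_id, f.path, f.line)


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Collapse duplicates, keeping the highest scores and recording every tool that agreed."""
    merged: dict[tuple, Finding] = {}
    for f in findings:
        key = fingerprint(f)
        if key in merged:
            prev = merged[key]
            merged[key] = replace(
                prev,
                tool=prev.tool + "+" + f.tool,
                cvss=max(prev.cvss, f.cvss),
                epss=max(prev.epss, f.epss),
            )
        else:
            merged[key] = f
    return list(merged.values())


def priority(f: Finding) -> float:
    """Blend severity and likelihood (weights are an assumption for illustration).

    A CVSS 9.8 dependency with EPSS 0.004 scores ~1.0, a CVSS 7.5 dependency with
    EPSS 0.91 scores ~7.6: the one attackers actually exploit comes first.
    Findings with no EPSS (SAST) fall back to a tenth of their CVSS.
    """
    return f.cvss * (0.1 + f.epss)


def triage(findings: list[Finding]) -> list[Finding]:
    """Deduplicated findings, most urgent first."""
    return sorted(dedupe(findings), key=priority, reverse=True)


def sample_findings() -> list[Finding]:
    """Constructed sample: Semgrep and Bandit flag the same SQL string building;
    Trivy reports two dependency CVEs with very different exploit probabilities."""
    return [
        Finding("semgrep", "sqli-example-rule", "app/db.py", 17, cwe="CWE-89", cvss=8.8),
        Finding("bandit", "B608", "app/db.py", 17, cwe="CWE-89", cvss=8.8),
        Finding("trivy", "CVE-EXAMPLE-A", "requirements.txt", 3, cvss=9.8, epss=0.004),
        Finding("trivy", "CVE-EXAMPLE-B", "requirements.txt", 9, cvss=7.5, epss=0.91),
    ]


if __name__ == "__main__":
    for f in triage(sample_findings()):
        print(f"{priority(f):5.2f}  {f.tool:15} {f.rule_id:20} {f.path}:{f.line}")
```

The point of the ordering is that CVSS alone would put `CVE-EXAMPLE-A` at the top; folding in EPSS moves the dependency that is actually being exploited in the wild ahead of it, and the merged `semgrep+bandit` entry shows one SQL-injection ticket instead of two.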
Characteristics
- Speed: 5-20 minutes depending on repository size
- Confidence: 90%+ accuracy
- Coverage: Full security posture including dependencies, secrets, and infrastructure
- Cost: Counts as 1 scan against your monthly quota
Choosing the Right Scan Type
| Scenario | Recommended |
|---|---|
| Every push to a feature branch | Smart Scan |
| Pull request review | Smart Scan |
| Merge to main/production | Deep Scan |
| Weekly/monthly security audit | Deep Scan |
| Pre-release verification | Deep Scan |
| Quick check during development | Smart Scan |
Default Scan Types
Configure defaults in Settings → General → Scanning Preferences:
- Default Repository Scan Type — Used when clicking “Scan” from the repositories page
- Default PR Scan Type — Used for automated PR reviews
- Default SCA Scan Type — Standard or Enhanced (with AI Enrichment)