FAQ
How long do scans take?
Scan time depends on repository size and configuration. Large monorepos may take longer, especially on first scan.
Can we scan private repositories?
Yes. Access is controlled by your organization and tenant permissions.
Do scans modify our code?
No. Scans are read-only unless you explicitly apply a fix workflow.
How do we reduce false positives?
Apply the policy bundles and severity thresholds that your security team has approved.
Can we enforce policy in CI?
Yes. Your admin can enable policy gates to fail builds for specific severities.
How do we handle exceptions?
Use your internal risk acceptance process and document the rationale.
How does voting work?
Rule proposals are reviewed in the Policy tab. Multiple reviewers must approve before a proposal can be promoted. Promotions are staged (e.g., canary before enforce) to reduce risk.
How does this support the community?
When enabled, your feedback and proposal votes contribute to shared rule quality and safer defaults. Participation is opt-in and governed by your policy settings.