Secbez Docs

Configuration

Configure Secbez — repository scope, policy, suppressions, baselines, and notifications.

Most configuration lives on the Secbez dashboard, scoped per-repository. This page is a reference for what's configurable and where it lives.

Repository scope

Manage which repositories Secbez can see from GitHub:

  1. GitHub → Settings → Applications → Installed GitHub Apps → Secbez → Configure.
  2. Switch between All repositories and a specific selection.

Removing a repository from the selection stops new scans but does not delete existing findings.

Per-repository settings

On the dashboard, Repository → Settings exposes:

Scan behavior

  • Default branch — the reference branch for baseline diffs and full scans.
  • Additional protected branches — extra branches whose PRs should also be scanned (defaults to the default branch only).
  • Scan triggers — PR open/sync, push to protected branch, scheduled, manual.
  • Path includes / excludes — restrict the scan to specific directories or skip generated paths (e.g., dist/, vendor/, third-party SDKs).

Policy

  • Severity / confidence thresholds for warn and fail outcomes.
  • Per-rule overrides — promote or demote specific rule IDs.
  • Per-path overrides — different thresholds for production code vs. tests / scripts.
  • needs-review handling — gate, warn, or pass.

See Policy & Merge Checks for the threshold model.

Suppressions

  • Active suppressions — view and edit the server-side suppression list.
  • Inline marker enforcement — require a reason on every inline marker.

Baseline

  • Active baseline scan — the scan run that defines the current baseline.
  • Re-baseline — set the next full scan as the new baseline.

Notifications

  • Slack / Microsoft Teams / email integrations for new high-severity findings, gate failures, and scheduled scan summaries.
  • Webhooks for downstream automation.

Organization-level settings

The organization dashboard exposes:

  • Member roles (owner, admin, member, read-only).
  • API tokens for programmatic access.
  • Audit log export.

Self-hosted / Enterprise

Self-hosted deployments are configured through environment variables and a license bundle. The full configuration surface — model routing, GPU selection, graph engine sizing, queue backend, storage, license — is documented under Enterprise → Configuration.

Customer-facing dashboard settings remain the same regardless of deployment model.
