Scan Modes
Understand the difference between Secbez PR scans and full repository scans: when to use each and what to expect.
Secbez supports two scanning modes, each designed for different use cases.
PR scan (diff scan)
Triggered automatically when you open or update a pull request. Scans only the files changed in the PR.
- Speed: Fast (typically under 2 minutes)
- Scope: Changed files only
- Results: Posted as a GitHub Check Run on the PR
- Best for: Catching new vulnerabilities before they're merged
Note: PR scanning (diff mode) is currently under active development. Coverage and accuracy will continue to improve with each release.
Full repository scan
Triggered manually from the dashboard or on first connection. Scans the entire codebase.
- Speed: Slower (depends on repository size, typically 2-10 minutes)
- Scope: All supported files in the repository
- Results: Available on the Secbez dashboard
- Best for: Getting a baseline assessment, periodic audits, or scanning after configuration changes
When to use each
| Scenario | Recommended mode |
|---|---|
| Day-to-day development | PR scan (automatic) |
| First time connecting a repo | Full scan |
| After major refactoring | Full scan |
| Before a release | Full scan |
| Routine PR review | PR scan (automatic) |