Scan Modes
Full repository scan and Deep Scan — how each mode behaves and when to use it.
Secbez has two scan modes. The standard full repository scan is available on every plan; Deep Scan is an Enterprise mode that removes scan-time caps for codebases that would otherwise hit them.
Full repository scan
A full scan analyzes the entire repository through the code graph. Every supported file is parsed, every dataflow path is resolved, and every supported detection runs against the graph.
- Trigger: Manual from the dashboard, plus optional automatic triggers configured per repository.
- Scope: All supported files in the repository (subject to plan caps).
- Speed: Depends on repository size, language mix, and graph depth — typically minutes, not hours.
- Output: Findings on the dashboard, plus a GitHub Check Run when the scan was triggered against a pull request.
- Best for: Onboarding, periodic audits, after major refactors, pre-release security checks, ongoing PR review.
The first full scan establishes the baseline. Subsequent scans separate findings into "new" (introduced since baseline) and "existing" — so review stays focused on net new risk.
Deep Scan (Enterprise)
Deep Scan is a no-caps version of the full scan, reserved for Enterprise deployments. It removes the per-scan limits that protect SaaS infrastructure from runaway cost (file count, candidate count, LLM call budget, graph depth, and time budget) and lets the full pipeline run to completion no matter how large the repository.
| Aspect | SaaS full scan | Deep Scan (Enterprise) |
|---|---|---|
| File budget | Capped per plan | Unlimited |
| Candidate budget | Capped per scan | Unlimited |
| LLM call budget | Capped per scan | Configurable, including unlimited |
| Graph node ceiling | Bounded | Unlimited (subject to your hardware) |
| Time budget | Bounded for fairness | Unlimited; runs as long as it takes |
| Models | Hosted (managed) | Any — managed, BYO-key, or BYO open-source model |
| Compute | Secbez infrastructure | Your infrastructure / your GPUs |
Deep Scan is intended for repositories where SaaS caps would otherwise truncate the result, for security audits where every candidate must be evaluated, and for regulated environments where code never leaves customer infrastructure.
See Enterprise → Deep Scan for details.
Choosing a mode
| Scenario | Recommended mode |
|---|---|
| Onboarding a new repository | Full |
| Day-to-day work and PR review | Full |
| After a major refactor | Full |
| Pre-release security check | Full or Deep Scan |
| Audit of a large monorepo | Deep Scan |
| Regulated / on-prem requirement | Deep Scan |