Methodology

What codescan.dev checks

codescan.dev runs automated checks against GitHub repositories — public, or private when you sign in with GitHub — and turns the findings into a shareable security report card. The goal is to give maintainers and reviewers a quick baseline before deeper review.

Checks included

Semgrep

Risky code patterns

Static rules match code patterns that commonly lead to security bugs, such as unsafe templating, missing input validation or sanitization, and other framework-specific issues. Each match is reported against the rule that fired and the file and line where it occurred.

Gitleaks

Exposed keys

Secret detection looks for committed credentials, API keys, tokens, private keys, and related high-risk strings in the repository.

Trivy

Outdated packages

Dependency analysis matches packages detected from manifests and lockfiles against known vulnerability data and reports the affected package and version, the CVE identifier, its severity, and the fixed version when one is available.

What appears in a report

Each completed scan is summarized into a result page and a Markdown report. Fields depend on what the scanners detect and what metadata is available for the repository.

  • Letter grade and total score
  • Category summaries for risky code, exposed keys, and outdated packages
  • Scanner versions when reported by the backend
  • Finding severity, rule names, CVEs, file paths, line numbers, and fixed versions when available
  • Shareable result URL and downloadable Markdown report

How to interpret the grade

The grade is a fast summary of the number and severity of findings. It is useful for triage, but the detailed findings are the part that should drive fixes.

  • Start with critical and high-severity findings.
  • Rotate any confirmed exposed secret before treating the finding as resolved; deleting it from the working tree or rewriting history does not revoke a credential that has already been pushed.
  • Update vulnerable dependencies before lower-priority cleanup.
  • Use the grade as a quick signal, then inspect the detailed findings.
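The following is an added illustration, not codescan.dev's own code, of how findings from the three scanners can be normalized onto one severity scale, scored, ordered according to the triage rules above, and rendered into the report fields listed earlier. The severity mapping, point deductions and grade cutoffs are assumptions chosen for the example; this page does not publish codescan.dev's actual formula. The sample findings, rule names, package name and the CVE identifier are constructed placeholders.

```python
"""Normalize, score, triage and render scanner findings (illustrative)."""
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}
# Assumed point deductions per finding; not codescan.dev's published weights.
SEVERITY_WEIGHT = {"CRITICAL": 25, "HIGH": 10, "MEDIUM": 4, "LOW": 1, "INFO": 0}
# Tie-break within one severity: secrets need rotation first, then dependency
# upgrades, then code fixes (mirrors the interpretation guidance above).
CATEGORY_RANK = {"exposed_keys": 0, "outdated_packages": 1, "risky_code": 2}


def normalize_severity(scanner: str, raw: Optional[str]) -> str:
    """Map each scanner's native severity vocabulary onto one scale.

    Semgrep reports ERROR/WARNING/INFO, Trivy reports CRITICAL..LOW/UNKNOWN,
    and Gitleaks has no severity field, so a committed secret is treated as
    HIGH here (assumption)."""
    if scanner == "gitleaks":
        return "HIGH"
    if scanner == "semgrep":
        return {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}.get(
            (raw or "").upper(), "MEDIUM")
    sev = (raw or "").upper()
    return sev if sev in SEVERITY_ORDER else "MEDIUM"  # Trivy UNKNOWN -> MEDIUM


@dataclass(frozen=True)
class Finding:
    category: str               # exposed_keys | outdated_packages | risky_code
    scanner: str
    severity: str               # already normalized
    rule: str                   # rule id, or package@version for Trivy
    path: str
    line: Optional[int] = None
    cve: Optional[str] = None
    fixed_version: Optional[str] = None


def score(findings) -> int:
    """100 minus weighted deductions, floored at zero (assumed formula)."""
    return max(0, 100 - sum(SEVERITY_WEIGHT[f.severity] for f in findings))


def grade(total: int) -> str:
    """Letter grade from the numeric score (assumed cutoffs)."""
    for cutoff, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if total >= cutoff:
            return letter
    return "F"


def triage_order(findings):
    """Critical/high first, then secrets before deps before code, then by location."""
    return sorted(findings, key=lambda f: (
        SEVERITY_ORDER[f.severity], CATEGORY_RANK[f.category], f.path, f.line or 0))


def render_markdown(repo: str, findings, scanner_versions: dict) -> str:
    """Produce the Markdown report: grade, scanner versions, findings table."""
    total = score(findings)
    lines = [f"# Security report: {repo}", "",
             f"**Grade:** {grade(total)} ({total}/100)", "", "## Scanners"]
    for name, version in sorted(scanner_versions.items()):
        lines.append(f"- {name} {version}")
    lines += ["", "## Findings (triage order)", "",
              "| Severity | Category | Scanner | Rule / package | Location | CVE | Fixed in |",
              "|---|---|---|---|---|---|---|"]
    for f in triage_order(findings):
        loc = f"{f.path}:{f.line}" if f.line is not None else f.path
        lines.append(f"| {f.severity} | {f.category} | {f.scanner} | {f.rule} "
                     f"| {loc} | {f.cve or '-'} | {f.fixed_version or '-'} |")
    return "\n".join(lines) + "\n"


# Constructed sample findings shaped like each scanner's output after
# normalization. Rule ids, package, and CVE id are placeholders, not real data.
SAMPLE_FINDINGS = [
    Finding("risky_code", "semgrep", normalize_severity("semgrep", "WARNING"),
            "example.flask.render-template-string-with-user-input", "app/views.py", 44),
    Finding("outdated_packages", "trivy", normalize_severity("trivy", "CRITICAL"),
            "examplelib@1.2.0", "requirements.txt", None, "CVE-0000-00000", "1.2.1"),
    Finding("exposed_keys", "gitleaks", normalize_severity("gitleaks", None),
            "aws-access-token", "config/settings.py", 12),
    Finding("risky_code", "semgrep", normalize_severity("semgrep", "INFO"),
            "example.python.logging-of-request-body", "app/middleware.py", 9),
]

if __name__ == "__main__":
    # Real scanner versions would come from the backend; "n/a" is a placeholder.
    versions = {"semgrep": "n/a", "gitleaks": "n/a", "trivy": "n/a"}
    print(render_markdown("example-org/example-repo", SAMPLE_FINDINGS, versions))
```

The point of the normalization step is that the three tools do not share a severity vocabulary: Semgrep's ERROR/WARNING/INFO, Trivy's CRITICAL..LOW/UNKNOWN, and Gitleaks' lack of any severity field have to be mapped onto one scale before a single score or ordering makes sense. With the assumed weights, the sample set deducts 25 + 10 + 4 + 1 points, giving 60/100 and a D, with the dependency CVE first in the table and the committed secret second.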

What it does not check

Runtime testing

Scans do not start the application, crawl a deployed service, log in as users, or test live endpoints.

Architecture and business logic

Automated checks cannot fully judge authorization design, tenant isolation, payment logic, threat models, or reviewer intent.

Compliance certification

Reports are designed to support review and prioritization. They are not compliance attestations or formal security certifications.

See the output

The example report shows the score, scanner output, and Markdown format that codescan.dev produces after a completed scan.