Configuring Scans

After you've connected a repository, you configure which security bundles to enable, how often to run scans, and whether to scan all files or only changes. This guide walks through the scan configuration options in the platform.

Prerequisites

  • At least one repository connected (see Applications).
  • Starter plan or above (to run scans beyond the free tier).

Per-Repository Bundle Selection

When you connect a repository or view it in the Assets table, you can select which security bundles Plexicus runs on it. Each bundle is independent — enable only what you need.

  1. In Assets, click the row for your repository.

  2. Click Configure Tools (or the settings icon if you're on the detail view).

  3. In the modal, toggle each bundle on or off:

    • plexicus-sast — code vulnerabilities, injection flaws, unsafe patterns
    • plexicus-sca — vulnerable dependencies across all package managers
    • plexicus-secrets — hardcoded credentials, API keys, tokens
    • plexicus-container — Dockerfile and Kubernetes misconfigurations (Scale+)
    • plexicus-iac — Infrastructure-as-Code policy violations (Scale+)
    • plexicus-cicd — CI/CD pipeline misconfigurations (Scale+)
    • (Other bundles available per plan)

  4. Once you select bundles, click Save. The platform will use that configuration for future scans.

See Security Scanner Bundles for what each detects and parameter options.

Scan Scheduling

You can run scans on-demand or set a recurring schedule for automatic scans.

Setting a Scan Schedule

  1. Select one or more repositories in the Assets table.

  2. Click Configure Schedule.

  3. Choose a frequency:

    • None — scan only when you manually trigger a scan.
    • Weekly — automatic scan every Monday at 00:00 UTC.
    • Monthly — automatic scan on the 1st of each month at 00:00 UTC.

  4. Click Save. Future scans will run on that schedule.
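The two schedule options are fixed UTC slots, not intervals counted from the last scan. The following Python is an added example (not Plexicus code) that computes the next scheduled run for the Weekly (Monday 00:00 UTC) and Monthly (1st of the month, 00:00 UTC) options described above, including the case where a local-time evening is already Monday in UTC. The frequency labels and the rule that a slot falling exactly on "now" counts as already triggered are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Frequency labels for the options on this page; these strings are this
# example's own, not an identifier of the platform.
WEEKLY = "weekly"    # every Monday at 00:00 UTC
MONTHLY = "monthly"  # the 1st of each month at 00:00 UTC
NONE = "none"        # manual scans only


def next_scheduled_run(now: datetime, frequency: str) -> Optional[datetime]:
    """Return the next scheduled scan time strictly after `now`, or None for NONE.

    `now` must be timezone-aware and is converted to UTC first, because the
    schedule slots are defined in UTC. Assumption of this example: a slot that
    falls exactly on `now` counts as already triggered, so the following one
    is returned.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware (the schedule is defined in UTC)")
    now_utc = now.astimezone(timezone.utc)
    today = now_utc.replace(hour=0, minute=0, second=0, microsecond=0)

    if frequency == NONE:
        return None
    if frequency == WEEKLY:
        # weekday(): Monday == 0. Step forward to the coming Monday 00:00 UTC;
        # if that slot is not strictly in the future (today is Monday), take the next one.
        candidate = today + timedelta(days=(7 - today.weekday()) % 7)
        if candidate <= now_utc:
            candidate += timedelta(days=7)
        return candidate
    if frequency == MONTHLY:
        # The 1st of the current month at 00:00 UTC is never after `now`,
        # so the next slot is always the 1st of the following month.
        year, month = today.year, today.month
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        return today.replace(year=year, month=month, day=1)
    raise ValueError("unknown frequency: %r" % (frequency,))


def upcoming_runs(now: datetime, frequency: str, count: int) -> List[datetime]:
    """List the next `count` scheduled runs after `now` (empty list for NONE)."""
    runs: List[datetime] = []
    cursor = now
    for _ in range(count):
        nxt = next_scheduled_run(cursor, frequency)
        if nxt is None:
            break
        runs.append(nxt)
        cursor = nxt
    return runs


def next_run_iso(now_iso: str, frequency: str) -> Optional[str]:
    """Convenience wrapper taking and returning ISO-8601 strings with UTC offsets."""
    nxt = next_scheduled_run(datetime.fromisoformat(now_iso), frequency)
    return None if nxt is None else nxt.isoformat()


def upcoming_runs_iso(now_iso: str, frequency: str, count: int) -> List[str]:
    """ISO-8601 variant of upcoming_runs()."""
    return [r.isoformat() for r in upcoming_runs(datetime.fromisoformat(now_iso), frequency, count)]


if __name__ == "__main__":
    # Wednesday 2024-01-03 12:00 UTC: weekly -> Mon 2024-01-08, monthly -> 2024-02-01
    for freq in (WEEKLY, MONTHLY, NONE):
        print(freq, upcoming_runs_iso("2024-01-03T12:00:00+00:00", freq, 3))
```

Note the -05:00 case in the checks: Sunday 20:00 in that zone is already Monday 01:00 UTC, so the "coming Monday" slot has just passed and the next run is a week later. That is the kind of offset to keep in mind when a team expects a scan "every Monday morning" in local time.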

Running a Scan Now

To trigger a scan immediately (regardless of schedule):

  1. In Assets, select one or more repositories.
  2. Click Scan Now.
  3. A confirmation message appears; the scan queues immediately.

Scans run asynchronously in the background. You can close the page while scans run.

Autonomous Scanning

The Autonomous Scan toggle in Settings → Platform enables automatic re-scans when new changes are detected in your repository — for example, when a pull request is merged or new commits are pushed.

  • Enabled: Plexicus monitors your repositories and runs scans automatically when activity is detected.
  • Disabled: Scans run only on your chosen schedule or when you manually click Scan Now.

If enabled, autonomous scans respect your chosen bundles and schedule configuration per repository.

Only-Changed-Files Scanning

When this option is enabled (and when your SCM integration supports it), Plexicus scans only files that have changed since the last scan — not the entire repository.

This reduces scan time and noise from pre-existing findings.

  • Supported for: GitHub, GitLab, Gitea (via commit diff).
  • Not supported for: Cloud scans, container scans, registry scans (these are always full-scope).

To enable:

  1. Go to Settings → Platform.
  2. Toggle Only-Changed-Files on or off.

The setting applies globally to all repositories in your organization.
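To make the trade-off of changed-files-only scanning concrete, here is an added Python example (not Plexicus code; the platform's internal merge logic is not described on this page). It parses the kind of commit diff such a scan derives its scope from (`git diff --name-status` output, constructed here), applies an excluded-paths prefix list like the per-bundle parameter mentioned later, and merges an incremental result set with the previous findings. The merge policy, the finding shape, the sample paths and the rule names are all this example's own assumptions.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample of `git diff --name-status <last-scanned-commit> <head>` output.
# Paths and statuses are made up for this example.
SAMPLE_DIFF = (
    "M\tsrc/app/handlers.py\n"
    "A\tsrc/app/new_endpoint.py\n"
    "D\tsrc/legacy/old_parser.py\n"
    "R087\tsrc/util/helpers.py\tsrc/util/text_helpers.py\n"
    "C075\tconfig/base.yaml\tconfig/staging.yaml\n"
    "M\tvendor/lib/bundle.min.js\n"
)

Finding = Dict[str, str]  # minimal made-up shape: {"path": "...", "rule": "..."}


def _entries(diff_output: str) -> List[List[str]]:
    """Split name-status output into [status, path, ...] rows, skipping blank lines."""
    return [line.split("\t") for line in diff_output.splitlines() if line.strip()]


def changed_files_to_scan(diff_output: str, excluded_prefixes: Iterable[str] = ()) -> Set[str]:
    """Paths an incremental scan should analyse.

    Added (A), modified (M), type-changed (T), copied (C) files and the new side of
    renames (R) are scanned; deleted (D) files have no content to analyse. Paths
    under an excluded prefix (an 'excluded paths' style parameter) are dropped.
    """
    excluded = tuple(excluded_prefixes)
    to_scan: Set[str] = set()
    for fields in _entries(diff_output):
        if fields[0].startswith("D"):
            continue
        path = fields[-1]  # for R/C rows the last column is the destination path
        if excluded and path.startswith(excluded):  # str.startswith accepts a tuple
            continue
        to_scan.add(path)
    return to_scan


def stale_paths(diff_output: str) -> Set[str]:
    """Paths whose previous findings no longer apply: deleted files and the old side of renames."""
    return {fields[1] for fields in _entries(diff_output) if fields[0][0] in ("D", "R")}


def merge_incremental_findings(previous: Iterable[Finding], new_findings: Iterable[Finding],
                               diff_output: str, excluded_prefixes: Iterable[str] = ()) -> List[Finding]:
    """Combine a previous full result set with the output of a changed-files-only scan.

    Findings on rescanned paths are replaced by the new results, findings on stale
    paths are dropped, and findings on untouched files are carried over as they were.
    The carry-over is the caveat to remember: an unchanged file is not re-evaluated,
    so a newly enabled bundle or an updated rule only reaches it on a full scan.
    """
    rescanned = changed_files_to_scan(diff_output, excluded_prefixes)
    stale = stale_paths(diff_output)
    kept = [f for f in previous if f["path"] not in rescanned and f["path"] not in stale]
    return kept + list(new_findings)


# Constructed previous results and a constructed incremental result for the sample diff.
PREVIOUS_FINDINGS: List[Finding] = [
    {"path": "src/app/handlers.py", "rule": "sql-injection"},
    {"path": "src/legacy/old_parser.py", "rule": "unsafe-deserialization"},
    {"path": "src/util/helpers.py", "rule": "weak-hash"},
    {"path": "src/db/models.py", "rule": "hardcoded-secret"},
]
NEW_FINDINGS: List[Finding] = [
    {"path": "src/app/handlers.py", "rule": "xss"},
    {"path": "src/util/text_helpers.py", "rule": "weak-hash"},
]

if __name__ == "__main__":
    print("scan:", sorted(changed_files_to_scan(SAMPLE_DIFF, excluded_prefixes=("vendor/",))))
    print("stale:", sorted(stale_paths(SAMPLE_DIFF)))
    for f in merge_incremental_findings(PREVIOUS_FINDINGS, NEW_FINDINGS, SAMPLE_DIFF):
        print(f["path"], f["rule"])
```

In the merged output the `src/db/models.py` finding survives untouched because nothing in the diff touched that file, while the renamed helper's old finding is dropped and re-reported under its new path. When you change bundle selection or parameters and want every file evaluated under the new configuration, that is the situation the Re-Scan action in the section below is for.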

Scan States & Status

As a scan runs, it transitions through these states in the UI:

  • Pending — scan has been queued but not yet started.
  • Running — scan is actively executing; bundles are analyzing your code.
  • Completing — scan is post-processing results; findings are being enriched with AI context.
  • Completed — scan finished successfully; findings are ready in the dashboard.
  • Stuck — scan has been running longer than expected. You can click Finalize to mark it done and recalculate findings, or use Re-Scan to restart from scratch.
  • Failed — scan encountered an error. Check the logs or retry.

You can view the status of recent scans in the Assets table under the "Status" column.

Re-Scanning a Repository

To clear existing findings and run a fresh scan:

  1. In Assets, find the repository row.
  2. Click the row menu (⋯) and select Re-Scan.
  3. Confirm the action. This deletes all existing findings for that repository and starts a new scan.

Re-scanning is useful when:

  • You've updated your configuration and want fresh results.
  • A previous scan failed or got stuck.
  • You're investigating a specific change and want a clean slate.

Scan Parameters & Advanced Configuration

For fine-tuned control, each bundle exposes parameters like severity level, excluded paths, and bundle-specific options.

See Security Scanner Bundles for a reference of all available parameters and how to configure them.

See Also