GitHub App — Overview

How the CodeSentinel GitHub App protects your repository.

The CodeSentinel GitHub App installs on your GitHub organization or personal account and automatically scans every pull request before it is merged. It integrates with GitHub Checks, adds inline code review comments, and can block merges when critical vulnerabilities are detected.

How a PR scan works

  1. A pull request is opened or updated against a protected branch.
  2. GitHub sends a pull_request webhook to CodeSentinel.
  3. CodeSentinel fetches the diff (changed lines only, never full file content).
  4. The diff is scanned against the configured rule set.
  5. Results are posted as a GitHub Checks run with a pass/fail conclusion.
  6. Inline review comments are added to the affected lines in the PR.
  7. If any finding matches a mergePolicy.blockOn rule, the check run is marked failed. When that check is required by branch protection, GitHub refuses the merge until the PR is fixed.
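The flow above, steps 2 through 7, as an added worked example. This is illustrative code written for this page, not CodeSentinel's implementation: the rule set, the `PROTECTED_BRANCHES` set, the shape of `mergePolicy.blockOn` (assumed here to be a set of severities), the webhook secret and the sample PR diff are all constructed. What it shows that the list does not: the webhook must be authenticated with GitHub's `X-Hub-Signature-256` HMAC before anything else happens, only added lines are scanned, and each finding becomes a Checks annotation with a new-file line number so GitHub can place it in the diff view.

```python
import hashlib
import hmac
import json
import re

# Constructed configuration (hypothetical values; not CodeSentinel's real config schema).
WEBHOOK_SECRET = b"example-webhook-secret"          # the secret registered on the GitHub App
PROTECTED_BRANCHES = {"main", "release"}             # base branches whose PRs are scanned
MERGE_POLICY = {"blockOn": {"critical", "high"}}     # assumed shape of mergePolicy.blockOn

# Constructed rule set: (rule id, severity, regex applied to each added line).
RULES = [
    ("hardcoded-secret", "critical",
     re.compile(r"(?i)(password|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]")),
    ("shell-true", "high", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
    ("debug-print", "low", re.compile(r"^\s*print\(")),
]


def verify_signature(secret, body, signature_header):
    """GitHub signs the raw body with HMAC-SHA256 and sends 'sha256=<hex>' in X-Hub-Signature-256.
    Constant-time comparison; reject anything without the header or with the wrong prefix."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header)


def added_lines(diff_text):
    """Parse a unified diff and yield (path, new_file_line_no, text) for '+' lines only.
    Context lines advance the new-file counter, removed lines do not."""
    path, new_no = None, 0
    for line in diff_text.splitlines():
        if line.startswith(("diff --git", "index ", "--- ", "\\")):
            continue
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("@@"):
            new_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line).group(1))
        elif line.startswith("+"):
            yield path, new_no, line[1:]
            new_no += 1
        elif not line.startswith("-"):
            new_no += 1  # unchanged context line (" ..." or an empty line)


def scan_diff(diff_text):
    """Run every rule over every added line; unchanged code is never looked at (step 4)."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for rule_id, severity, pattern in RULES:
            if pattern.search(text):
                findings.append({"path": path, "line": line_no, "rule": rule_id,
                                 "severity": severity, "text": text.strip()})
    return findings


def build_check_run(head_sha, findings, block_on):
    """Build the body for POST /repos/{owner}/{repo}/check-runs (steps 5 and 7).
    Findings at a blockOn severity become 'failure' annotations and fail the run."""
    blocked = any(f["severity"] in block_on for f in findings)
    annotations = [{
        "path": f["path"], "start_line": f["line"], "end_line": f["line"],
        "annotation_level": "failure" if f["severity"] in block_on else "warning",
        "title": f["rule"], "message": f"{f['severity']}: {f['rule']} on `{f['text']}`",
    } for f in findings]
    return {
        "name": "CodeSentinel Security Scan", "head_sha": head_sha, "status": "completed",
        "conclusion": "failure" if blocked else "success",
        "output": {"title": "CodeSentinel Security Scan",
                   "summary": f"{len(findings)} finding(s); merge {'blocked' if blocked else 'allowed'}",
                   "annotations": annotations[:50]},  # Checks API: at most 50 annotations per request
    }


def handle_webhook(headers, body, diff_text):
    """Steps 2-7. Returns the check-run payload to send, or None when the delivery is rejected or ignored.
    diff_text stands in for the diff CodeSentinel would fetch from GitHub in step 3."""
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return None  # unauthenticated: otherwise anyone who knows the URL can feed us fake PRs
    if headers.get("X-GitHub-Event") != "pull_request":
        return None
    event = json.loads(body)
    if event.get("action") not in {"opened", "synchronize", "reopened"}:
        return None
    pr = event["pull_request"]
    if pr["base"]["ref"] not in PROTECTED_BRANCHES:
        return None
    return build_check_run(pr["head"]["sha"], scan_diff(diff_text), MERGE_POLICY["blockOn"])


def sign_body(secret, body):
    """What GitHub does on its side; used here only to build the constructed sample delivery."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


# Constructed sample delivery: a synchronize event on a PR into main, plus its diff.
SAMPLE_BODY = json.dumps({"action": "synchronize", "pull_request": {
    "number": 42, "base": {"ref": "main"}, "head": {"sha": "0123abcd"}}}).encode()
SAMPLE_HEADERS = {"X-GitHub-Event": "pull_request",
                  "X-Hub-Signature-256": sign_body(WEBHOOK_SECRET, SAMPLE_BODY)}
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,4 +1,6 @@
 import os
 
-DB_HOST = os.environ["DB_HOST"]
+DB_HOST = os.environ.get("DB_HOST", "localhost")
+DB_PASSWORD = "hunter2"
+print("loaded config")
 DEBUG = False
"""

if __name__ == "__main__":
    print(json.dumps(handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_DIFF), indent=2))
```

On the sample, the hard-coded password on new-file line 4 is a critical finding and fails the run; the debug print on line 5 is only a warning annotation. A delivery with a tampered body or a missing signature header is dropped before the payload is even parsed.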

What gets scanned

Only the changed lines in the diff are scanned — not the entire file. This keeps scans fast (average 2.3 s) and avoids noise from pre-existing issues in code you haven't touched.

Diff-only scanning has a tradeoff

If an existing function is insecure and your PR adds a call to it, the vulnerability may not be flagged: the new call site is scanned, but the function definition it reaches is not in the diff, so the rule never sees the insecure code. Diff-only scanning also says nothing about pre-existing issues elsewhere in the file. Use the VS Code plugin for full-file scanning during development.
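The blind spot just described, as an added example (illustrative code for this page, not CodeSentinel's scanner or the VS Code plugin). The file contents, the single `shell=True` rule and the set of added line numbers are constructed; the added-line set stands in for what diff parsing would produce. `scan_lines` shows the diff-only pass finding nothing while the full-file pass finds the insecure helper; `calls_to_insecure` goes one step further than the page and shows how a full-file pass can also attribute the finding back to the added call site, using Python's `ast` module to find functions whose bodies trip the rule.

```python
import ast
import re

# Constructed rule, same spirit as the page's rule set: flags shell=True subprocess calls.
SHELL_TRUE = re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")

# Constructed file as it looks after the PR. Line 5 is the pre-existing insecure helper;
# line 9 is the only line the PR adds, and it merely calls that helper.
FILE_AFTER = """\
import subprocess


def run_cmd(cmd):
    return subprocess.run(cmd, shell=True, check=False)


def deploy(tag):
    return run_cmd("git checkout " + tag)
"""
ADDED_LINES = {9}  # new-file line numbers present in the PR diff (what a diff parser would yield)


def scan_lines(source, line_filter=None):
    """Return line numbers where the rule matches. With line_filter set this is the diff-only
    mode of the PR scan; with it unset it is a full-file scan."""
    hits = []
    for no, text in enumerate(source.splitlines(), start=1):
        if line_filter is not None and no not in line_filter:
            continue
        if SHELL_TRUE.search(text):
            hits.append(no)
    return hits


def insecure_functions(source):
    """Map function name -> definition line for every function whose body trips the rule."""
    lines = source.splitlines()
    bad = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            body = lines[node.lineno - 1:node.end_lineno]
            if any(SHELL_TRUE.search(t) for t in body):
                bad[node.name] = node.lineno
    return bad


def calls_to_insecure(source, added):
    """Full-file check that still reports against the PR: (added line, callee, callee's def line)
    for every added line that calls a function flagged by insecure_functions."""
    bad = insecure_functions(source)
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in bad and node.lineno in added):
            hits.append((node.lineno, node.func.id, bad[node.func.id]))
    return hits


if __name__ == "__main__":
    print("diff-only :", scan_lines(FILE_AFTER, ADDED_LINES))
    print("full-file :", scan_lines(FILE_AFTER))
    print("added calls to insecure helpers:", calls_to_insecure(FILE_AFTER, ADDED_LINES))
```

The diff-only pass returns an empty list because line 9 contains no `shell=True`; the full-file pass returns line 5, and the call-graph pass reports line 9 calling `run_cmd`, whose definition starts on line 4. The regex check on the callee body is deliberately the same rule, so the only thing the extra pass adds is reachability from the changed code.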

GitHub Checks integration

Each scan creates a GitHub Checks run named CodeSentinel Security Scan. On its own, a failed run is only advisory; to make it actually gate merges, add the check to your branch protection rules as a required status check so that GitHub refuses to merge until it passes.