PR Scanning

How CodeSentinel scans pull requests and reports findings.

Trigger events

A scan is triggered on the following GitHub webhook events:

  • pull_request.opened — a new PR is created.

  • pull_request.synchronize — new commits are pushed to an open PR, including a force-push that rewrites its history (GitHub fires synchronize whenever the head branch is updated).

  • pull_request.reopened — a closed PR is reopened.

Scan scope

Only the lines present in the unified diff are scanned. For each hunk the scan engine receives the file name, the changed line range on the new side of the diff, and the added or modified content; it never receives deleted lines or unchanged context. One consequence to keep in mind during review: a PR that removes a safeguard (a sanitizer call, an authorization check) produces no finding on the removal itself, because the deleted line is never sent, and the surrounding code that now runs without it is context the engine does not see. A clean scan therefore says nothing about what a PR took away.
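A worked example of the scope rule above, added here and not part of CodeSentinel's own code: it parses a constructed unified diff into the per-hunk payload the text describes (file name, new-side line range, added lines) and drops deleted and context lines. The ScanUnit type, the scan_scope function and the sample diff are assumptions made for illustration, as is the exact payload shape; the sample shows that a sanitize() call deleted by the PR leaves no trace in what the engine would receive, while the new unsanitized query does.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Hunk header: @@ -old_start[,old_count] +new_start[,new_count] @@ ...
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


@dataclass
class ScanUnit:
    """One contiguous run of added lines (assumed shape of what the engine receives)."""
    path: str
    start: int                      # first new-side line number
    end: int                        # last new-side line number
    lines: List[str] = field(default_factory=list)


def scan_scope(diff_text: str) -> List[ScanUnit]:
    """Extract added lines with their new-side line numbers from a unified diff.

    Deleted lines ("-") and unchanged context lines are never copied into the
    result; context still advances the new-side counter so reported ranges
    line up with the post-merge file.
    """
    units: List[ScanUnit] = []
    path = None
    new_line = 0        # next new-side line number inside the current hunk
    remaining = 0       # new-side lines still to come in the current hunk
    current = None      # ScanUnit being extended, or None

    for raw in diff_text.splitlines():
        if remaining == 0:
            # Outside a hunk only file headers and hunk headers matter.
            if raw.startswith("+++ "):
                path = raw[4:].split("\t")[0].strip()
                if path.startswith("b/"):
                    path = path[2:]
                continue
            m = HUNK_RE.match(raw)
            if m and path is not None:
                new_line = int(m.group(3))
                remaining = int(m.group(4)) if m.group(4) is not None else 1
                current = None
            continue

        if raw.startswith("+"):
            if current is None:
                current = ScanUnit(path, new_line, new_line)
                units.append(current)
            current.lines.append(raw[1:])
            current.end = new_line
            new_line += 1
            remaining -= 1
        elif raw.startswith("-") or raw.startswith("\\"):
            # Deleted line or "\ No newline at end of file": dropped, and it
            # occupies no line on the new side, so the counter does not move.
            continue
        else:
            # Context line: counts toward the new side but is not forwarded.
            new_line += 1
            remaining -= 1
            current = None
    return units


# Constructed diff: the PR deletes the sanitize() call and switches to string
# formatting in the query. Only the "+" lines reach the engine.
SAMPLE_DIFF = """\
diff --git a/app/login.py b/app/login.py
--- a/app/login.py
+++ b/app/login.py
@@ -10,7 +10,7 @@ def login(request):
     user = request.form["user"]
     pw = request.form["pw"]
-    user = sanitize(user)
+    # sanitize() call removed in this PR
     row = db.execute(
-        "SELECT id FROM users WHERE name = ?", (user,)
+        f"SELECT id FROM users WHERE name = '{user}'"
     ).fetchone()
     return row
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # App
+Run with python app.py.
 See docs.
"""


def payload(diff_text: str) -> List[dict]:
    """Serialise scan units the way a scan request might carry them (assumed shape)."""
    return [
        {"file": u.path, "start": u.start, "end": u.end, "content": "\n".join(u.lines)}
        for u in scan_scope(diff_text)
    ]


if __name__ == "__main__":
    for unit in payload(SAMPLE_DIFF):
        print(unit)
```

Running it prints three units: the replacement comment at app/login.py:12, the new f-string query at app/login.py:14, and the README line. The deleted `user = sanitize(user)` appears nowhere, which is exactly the gap a reviewer has to close by hand.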

Result format

Scan results are posted in three ways:

  • GitHub Checks run — a summary with total issue count by severity, scan duration, and a link to the full report.

  • Inline PR comments — a comment on the exact line that is vulnerable, including the rule ID, severity badge, explanation, and a suggested fix in a code block.

  • CodeSentinel dashboard — full scan history, per-file breakdowns, and team-level trend reports (Team/Enterprise plans).

Scan duration

Average scan time is 2.3 seconds for a typical PR (fewer than 500 changed lines). Large PRs with thousands of changed lines may take up to 15 seconds. In practice results are posted before a human reviewer opens the PR.

Speed up scans

Exclude auto-generated files (migrations, lockfiles, generated clients) with ignore patterns in codesentinel.json. This reduces noise and speeds up scans. Keep the patterns narrow: a file that matches an ignore pattern is never scanned at all, so a broad pattern silently removes coverage from hand-written code that happens to sit next to generated files.
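An added example of how such ignore patterns narrow the scan input, not code from CodeSentinel itself: it reads a constructed codesentinel.json, translates gitignore-style globs into anchored regexes ("**" crosses directories, "*" does not, a pattern without "/" matches at any depth) and splits a constructed list of changed files into scanned and skipped. The "ignore" key name, the file list and the glob semantics are assumptions made for illustration; the page does not document the config schema.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed codesentinel.json; the "ignore" key is an assumption for this example.
SAMPLE_CONFIG = json.loads("""
{
  "ignore": [
    "**/migrations/**",
    "package-lock.json",
    "**/*.lock",
    "gen/**",
    "**/*.generated.ts"
  ]
}
""")

# Constructed list of files touched by a PR. Note src/gen/helper.py: "gen/**" is
# anchored at the repository root, so hand-written code under src/gen is still scanned.
CHANGED_FILES = [
    "app/login.py",
    "app/migrations/0042_add_token.py",
    "package-lock.json",
    "services/billing/Cargo.lock",
    "gen/api_client.py",
    "src/gen/helper.py",
    "web/types.generated.ts",
]


def pattern_to_regex(pattern: str):
    """Translate a gitignore-style glob into an anchored regex (assumed semantics)."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")      # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")            # anything, including "/"
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")         # within one path segment
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    body = "".join(parts)
    if "/" not in pattern:
        body = "(?:.*/)?" + body          # bare file name matches at any depth
    return re.compile("^" + body + "$")


def filter_scan_scope(changed: List[str], config: dict) -> Tuple[List[str], Dict[str, str]]:
    """Return (files to scan, {skipped file: pattern that excluded it})."""
    rules = [(p, pattern_to_regex(p)) for p in config.get("ignore", [])]
    kept: List[str] = []
    skipped: Dict[str, str] = {}
    for path in changed:
        hit = next((p for p, rx in rules if rx.match(path)), None)
        if hit is None:
            kept.append(path)
        else:
            skipped[path] = hit
    return kept, skipped


if __name__ == "__main__":
    kept, skipped = filter_scan_scope(CHANGED_FILES, SAMPLE_CONFIG)
    print("scan:", kept)
    for path, pattern in skipped.items():
        print(f"skip: {path}  (matched {pattern})")
```

Recording which pattern excluded each file, as filter_scan_scope does, is what lets you audit an ignore list later: if a security-relevant file shows up in the skipped set, the pattern that caught it is the one to tighten.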