How SecAlly Works

SecAlly integrates with GitHub as an app and operates in two primary modes:
  1. PR scans when you open a pull request
  2. Full repository scans (requested via a GitHub issue)
Both scan types analyze source code and produce structured security findings mapped to:
  • OWASP Mobile Top 10
  • CWE identifiers
  • CVSS severity scores

Where Results Show Up

SecAlly reports results back to GitHub:
  • A GitHub check run on the relevant commit
  • PR reviews with inline comments for PR scans
  • Issue comments for full repository scans

Core Concepts

Organizations & Repository Access

You install the SecAlly GitHub App on a GitHub organization. That installation controls which repositories SecAlly can access.

Monitored Repositories

In SecAlly, you explicitly mark repositories as Monitored. Scans are only queued for monitored repositories.

Scan Requests

A scan request represents one execution of the scanner:
  • PR scan: compares the pull request's base ref against its head ref
  • Full scan: scans the repository's default branch

Findings

Findings are the individual security issues detected during a scan, listed in descending order of CVSS score. Each finding includes:
  • CVSS severity
  • Optional OWASP Mobile Top 10 and CWE mappings
  • Evidence snippets and remediation guidance