How SecAlly Works
SecAlly integrates with GitHub as an app and operates in two primary modes:
- PR scans when you open a pull request
- Full repository scans (requested via a GitHub issue)
Both scan types analyze source code and produce structured security findings mapped to:
- OWASP Mobile Top 10
- CWE identifiers
- CVSS severity scores
Where Results Show Up
SecAlly reports results back to GitHub:
- A GitHub check run on the relevant commit
- PR reviews with inline comments for PR scans
- Issue comments for full repository scans
Core Concepts
Organizations & Repository Access
You install the SecAlly GitHub App on a GitHub organization. That installation controls which repositories SecAlly can access.
Monitored Repositories
In SecAlly, you explicitly mark repositories as Monitored. Scans are only queued for monitored repositories.
Scan Requests
A scan request represents one execution of the scanner:
- PR scan: compares a PR base and head ref
- Full scan: scans the repository default branch
Findings
Findings are the individual security issues detected during a scan, sorted by CVSS score. Each finding includes:
- CVSS severity
- Optional OWASP Mobile Top 10 and CWE mappings
- Evidence snippets and remediation guidance
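The following is an added example, not SecAlly's own code: it shows how a consumer of scan results (for instance a script reading findings before posting a check run) could model findings with their optional OWASP Mobile Top 10 and CWE mappings, validate and band the CVSS score using the standard CVSS v3.x qualitative scale, order them highest-CVSS-first as the page describes, and derive a check-run conclusion. The JSON field names and the sample findings are constructed for illustration; SecAlly's real output schema is not shown on this page.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample payload. Field names are an assumption for illustration;
# they are not SecAlly's real schema.
SAMPLE_FINDINGS_JSON = """
[
  {"title": "Hardcoded API key", "cvss": 7.5, "cwe": "CWE-798",
   "owasp_mobile": "M1", "file": "app/Config.kt", "line": 12},
  {"title": "Cleartext HTTP endpoint", "cvss": 5.3, "cwe": "CWE-319",
   "file": "app/Network.kt", "line": 40},
  {"title": "Insecure WebView JS bridge", "cvss": 9.1, "cwe": "CWE-749",
   "owasp_mobile": "M8", "file": "app/Web.kt", "line": 88},
  {"title": "Verbose logging", "cvss": 2.0, "file": "app/Log.kt", "line": 3}
]
"""


@dataclass
class Finding:
    title: str
    cvss: float
    file: str
    line: int
    cwe: Optional[str] = None           # mapping is optional, as the page states
    owasp_mobile: Optional[str] = None  # mapping is optional, as the page states


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative rating scale; rejects out-of-range scores."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_findings(raw: str) -> list[Finding]:
    """Parse the JSON list, validate each score, and sort highest CVSS first."""
    findings = []
    for item in json.loads(raw):
        f = Finding(
            title=item["title"],
            cvss=float(item["cvss"]),
            file=item["file"],
            line=int(item["line"]),
            cwe=item.get("cwe"),
            owasp_mobile=item.get("owasp_mobile"),
        )
        cvss_band(f.cvss)  # raises on malformed data before it is reported
        findings.append(f)
    # Ties fall back to file and line so the order is stable across runs.
    return sorted(findings, key=lambda f: (-f.cvss, f.file, f.line))


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Per-band counts, suitable for a check-run summary."""
    counts: dict[str, int] = {}
    for f in findings:
        band = cvss_band(f.cvss)
        counts[band] = counts.get(band, 0) + 1
    return counts


def check_run_conclusion(findings: list[Finding], fail_at: float = 7.0) -> str:
    """GitHub check-run conclusion: fail once any finding reaches the threshold."""
    return "failure" if any(f.cvss >= fail_at for f in findings) else "success"


def summary_line(f: Finding) -> str:
    """One-line rendering of a finding, including whichever mappings are present."""
    tags = [t for t in (f.owasp_mobile, f.cwe) if t]
    tag_text = f" [{', '.join(tags)}]" if tags else ""
    return f"{cvss_band(f.cvss)} ({f.cvss}) {f.title}{tag_text} at {f.file}:{f.line}"


if __name__ == "__main__":
    fs = parse_findings(SAMPLE_FINDINGS_JSON)
    for f in fs:
        print(summary_line(f))
    print(severity_counts(fs), check_run_conclusion(fs))
```

The threshold in check_run_conclusion is a policy choice made here for the example (7.0, the start of the High band); the page does not state what threshold, if any, SecAlly applies to its own check runs.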