Operator FAQ
Short answers for real scan decisions.
What does verified mean?
The issue was confirmed through runtime or interaction testing. It’s stronger than an unverified static hit, but you should still inspect the evidence and trust context before prioritizing work. See Findings & evidence.
What is a degraded scan?
A scan that completed with limited coverage. Findings still persist, but trust drops and the run should be reviewed for skipped scanners, coverage gaps, missing secrets, or sandbox limitations. See Trust & readiness.
How do suppressions work?
Suppressions are fingerprint-based. Repo scope hides the finding only for that repository. User scope applies across that user’s matching findings. Deleting the suppression restores the finding’s presentation without deleting history.
Where should I configure secrets?
Use Settings > Environment Secrets or persist new env vars from the scan launcher. Values are encrypted at rest and injected into the sandbox at scan time.
Can I use repo config instead of dashboard config?
Yes. Add .infiniview.yml at the repo root for security scanner, threshold, exclusion, runtime-agent, timeout, plan, and evidence-detail overrides. Repo config wins for overlapping fields. See Configuration.
Why didn’t Infiniview scan my pull request?
Most common reasons: the PR is still in draft, the repo isn’t in the auto-review allowlist, own-PR-only is enabled and the PR was opened by another author, the PR was previously ignored with @infiniview ignore, or the synchronize event landed inside the push debounce window.
Who can run @infiniview commands?
Owners, members, collaborators, or users with write-or-better permission on the repository. Comments from anyone else are ignored.