
Glossary

The terminology Infiniview uses across the dashboard, GitHub integration, and API — in one short reference.

Terms are listed alphabetically. Each entry links out to the page where the concept is described in full.

Auto-review
The automatic PR-scan path. Governed by Settings: repo allowlist, own-PR-only, push debounce, and per-PR ignores all live here.
Capability
One of the five things a scan does: code review, security analysis, runtime verification, browser interaction testing, evidence packaging. Coverage and skip reasons are reported per capability.
Compare
The view (and endpoint) that explains what changed between a scan run and the previous successful run on the same target. Reports baseline counts and delta movement.
Debounce
The configured window during which synchronize events on the same PR are coalesced into a single scan. Range 1–120 minutes, off by default.
Degraded run
A scan that completed with reduced coverage. Findings still persist, but trust drops and the run is annotated with the typed gap reasons.
Delta state
Each finding’s movement relative to the previous successful scan on the same target: new, recurring, regressed, fixed, or suppressed. See Findings & evidence.
Exploitability
Whether the finding has been confirmed against the running application. One of verified (confirmed runtime-side), unverified (reported by analysis only), and not_tested (runtime testing didn’t reach this surface).
Finding
A persisted issue discovered by a scanner or runtime agent. Findings carry severity, category, confidence, exploitability, source phase, primary file, line range, fingerprint, evidence, and remediation guidance.
Fingerprint
A stable identifier derived from a finding’s rule, location, and signature. Fingerprints power delta computation across scans and are what suppressions match against.
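As an added illustration (not Infiniview's own code), this shows how the Fingerprint and Delta state entries fit together: a fingerprint derived from rule, location, and signature, and the five delta states computed between a run and the previous successful run on the same target. Leaving the exact line number out of the hash and tracking regressed via a set of earlier-fixed fingerprints are assumptions, as is the name and shape of every function here.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str        # scanner rule id, e.g. "semgrep.sql-injection"
    path: str        # primary file: the location component of the fingerprint
    signature: str   # normalized matched text; assumed here to be the "signature" input


def fingerprint(f: Finding) -> str:
    # Hash rule + location + signature. The exact line number is left out
    # (an assumption about the design) so edits above the finding that only
    # shift lines do not churn the identifier between runs.
    raw = f"{f.rule}|{f.path}|{f.signature}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def delta_states(current, previous, fixed_history=frozenset(), suppressed=frozenset()):
    """Assign a delta state to every fingerprint seen in this run or the previous one.

    fixed_history: fingerprints recorded as fixed in earlier runs (assumed bookkeeping
                   that lets 'regressed' be told apart from 'new').
    suppressed:    fingerprints matched by active repo- or user-scoped suppressions.
    """
    prev = {fingerprint(f) for f in previous}
    cur = {fingerprint(f) for f in current}
    states = {}
    for fp in cur:
        if fp in suppressed:
            states[fp] = "suppressed"   # hidden from presentation, still persisted
        elif fp in prev:
            states[fp] = "recurring"
        elif fp in fixed_history:
            states[fp] = "regressed"    # was fixed earlier and is back
        else:
            states[fp] = "new"
    for fp in prev - cur:
        states[fp] = "fixed"            # present last time, gone now
    return states


# Constructed sample findings for two runs against the same target.
SQLI = Finding("semgrep.sql-injection", "app/db.py", "cursor.execute(query % user)")
KEY = Finding("gitleaks.generic-api-key", "settings.py", "API_KEY = '<redacted>'")
XSS = Finding("semgrep.reflected-xss", "app/views.py", "return f'<p>{name}</p>'")
EVAL = Finding("semgrep.eval-input", "app/util.py", "eval(payload)")


def example():
    previous, current = [SQLI, KEY, XSS], [SQLI, XSS, EVAL]
    return delta_states(current, previous,
                        fixed_history={fingerprint(EVAL)},   # EVAL was fixed two runs ago
                        suppressed={fingerprint(XSS)})       # XSS is suppressed at repo scope
```

Running `example()` yields one state per fingerprint: SQLI recurring, XSS suppressed, EVAL regressed, and KEY fixed.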
Frozen snapshot
Same as snapshot. The emphasis on frozen is that, once the run starts, no later configuration change can mutate it.
Proof bundle
A downloadable package per finding: identity, location, replay data, proof-of-concept variants, and expected behavior. Useful for handing off to engineering or filing an issue.
Readiness
A precondition check that answers the question “can I rerun?”. Verifies GitHub access, environment-variable signals, supported app type, and replay prerequisites. The rerun affordance is hidden when readiness fails.
Replay artifact
Reproducible evidence captured for a runtime or interaction finding — request payloads, response bodies, navigation traces. Linked from the finding detail page and downloadable via the replay endpoint.
Review
The user-facing product object for a given repo and target — usually a branch or a pull request. A review accumulates one or more scan runs over its lifetime and is what you open, rerun, delete, or archive.
Runtime agent
A capability that exercises the running application inside the sandbox — verification probes, interaction testing, exploit confirmation. Specific agents are listed in the Security dashboard and may be tier-gated.
Sandbox
The isolated execution environment Infiniview spins up to build, serve, and probe the repository. Sandboxes are ephemeral and torn down at the end of each scan run.
Scan run
A single execution of the scan pipeline against a review. Each run carries its own frozen configuration snapshot, status, timeline, findings, trust score, and (when applicable) CSV and compare endpoints. Use scan only as shorthand when the sentence is clearly about this execution, not the review container.
Scanner
A specific named tool that produces findings — for example, Semgrep, Gitleaks, Trivy, OSV Scanner. Each scanner is enabled by default or opt-in; see Scanners & agents.
Severity
One of critical, high, medium, low, info. Findings at critical and high block PR merges; the rest are reported but non-blocking. Findings at info are excluded from the unique-vulnerabilities counter on the overview.
Snapshot
The merged, frozen configuration applied to a scan run at trigger time. Combines your dashboard defaults with the repo’s .infiniview.yml; repo config wins for overlapping fields. Mid-run edits never affect the active scan.
Source phase
The pipeline phase that produced a finding — static analysis, dependency audit, secrets, IaC, code review, runtime verification, or interaction testing.
Suppression
A fingerprint-scoped rule that hides matching findings. repo scope hides for that repository; user scope applies across the user’s matching findings. Deleting a suppression restores presentation without touching history.
Trust
A 0–100 score (and label: strong, moderate, limited, degraded) reflecting how reliable the scan was. Carries the verification mix, skipped scanners, replay readiness, and coverage gaps. See Trust & readiness.
Trust gap
A typed reason a scan’s coverage is reduced. Today: scanner_skipped, runtime_not_tested, replay_unavailable, and degraded. Each gap names the affected tool or capability.
Trusted command
A PR comment beginning with @infiniview. Acted on only when posted by an owner, member, or collaborator with write, maintain, or admin permission.
Unsupported app
A repository the sandbox can’t build and serve as a browser web app. The PR check completes neutrally instead of returning a misleading pass.