
Scan workflow

From trigger to proof bundle. Every scan runs through the same five phases, regardless of whether it was launched from the dashboard or a pull request.

Lifecycle

Each scan moves through five phases. The dashboard timeline labels each one, so you can read durations and coverage at a glance.

[01] Trigger

Start from a PR, comment, rerun, or dashboard scan.

Manual dashboard scans create reviews from a selected repo and branch. GitHub scans start from pull request webhooks or trusted bot commands. Review detail can trigger reruns when readiness says the repo is runnable.

[02] Snapshot

Scan settings are frozen at launch.

Dashboard settings and optional .infiniview.yml values are merged into a snapshot. Changing settings mid-run affects later scans, not the active run.

[03] Sandbox

The repo is cloned, built, and tested in isolation.

Repo secrets are decrypted server-side only for sandbox injection. Scanners and runtime agents run with coverage tracked for skipped tools, missing credentials, and degraded execution.

[04] Proof

Findings become evidence, not warning noise.

Infiniview persists severity, category, confidence, exploitability, fingerprints, locations, evidence, artifacts, delta state, and suppression state.

[05] Decide

Compare, trust, readiness, and exports guide follow-up.

Compare answers what changed. Trust explains run quality. Readiness identifies rerun blockers. CSV exports and proof bundles provide handoff artifacts.

Snapshot rules

At trigger time Infiniview merges your dashboard settings with the repo’s .infiniview.yml, then freezes the merged result for the run. Repo config wins for overlapping fields. Once the snapshot is taken:

  • Editing dashboard settings affects future scans, not the active run.
  • Editing .infiniview.yml on the branch is reflected on the next scan triggered from that branch.
  • Repo secrets are read at trigger time and decrypted server-side only when injected into the sandbox.
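The merge-and-freeze rule above, as an added illustration (not Infiniview's own code): repo values win on overlapping fields, the result is deep-copied and exposed read-only, and, going one step beyond the text, each field records which source it came from. The setting keys are constructed placeholders, not Infiniview's schema.

```python
# Illustration of the snapshot rules: dashboard settings merged with the
# repo's .infiniview.yml (repo wins on overlapping fields), then frozen so
# edits made while the run is active cannot reach it. Not Infiniview's code;
# the setting keys below are constructed placeholders.
from copy import deepcopy
from types import MappingProxyType
from typing import Any, Mapping


def merge_settings(dashboard: Mapping[str, Any], repo_yaml: Mapping[str, Any]) -> dict:
    """Merge with repo precedence and record which source supplied each field."""
    merged: dict[str, Any] = {}
    for key, value in dashboard.items():
        merged[key] = {"value": value, "source": "dashboard"}
    for key, value in repo_yaml.items():
        # Repo config overrides any dashboard value for the same key.
        merged[key] = {"value": value, "source": "repo"}
    return merged


def take_snapshot(dashboard: Mapping[str, Any], repo_yaml: Mapping[str, Any]) -> Mapping[str, Any]:
    """Freeze the merged settings: deep-copied (no shared references with the
    live settings objects) and wrapped read-only, so later edits do not leak in."""
    return MappingProxyType(deepcopy(merge_settings(dashboard, repo_yaml)))


def snapshot_value(snapshot: Mapping[str, Any], key: str) -> Any:
    """Read a setting's effective value from a frozen snapshot."""
    return snapshot[key]["value"]


if __name__ == "__main__":
    # Constructed sample settings (placeholder keys).
    dashboard = {"scanners": ["static", "deps"], "runtime_agents": True}
    repo_yaml = {"runtime_agents": False, "ignore_paths": ["vendor/"]}
    snap = take_snapshot(dashboard, repo_yaml)
    # Mid-run edit to the live dashboard settings: affects future scans only.
    dashboard["scanners"].append("iac")
    for key in snap:
        print(key, snapshot_value(snap, key), "from", snap[key]["source"])
```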

Sandbox execution

The repo is cloned, built, and tested inside an isolated sandbox. Static, dependency, secret, and IaC scanners run alongside runtime agents (when enabled). Coverage is tracked per tool: skipped scanners, missing credentials, and degraded execution all show up in the run’s trust score.

Unsupported apps

If Infiniview can’t run the repository as a supported browser web app, the PR check completes neutrally with an Unsupported App status instead of pretending coverage exists. The GitHub automation page covers the rules.

Rerun eligibility

Rerun is offered from review detail when readiness says the repo is runnable. Readiness checks GitHub access, missing env-var signals, scanner gaps, and replay prerequisites — see Trust & readiness.