
Scan workflow

From trigger to proof bundle. Every scan run moves through the same pipeline whether it was launched from the dashboard or a pull request.

Triggering a scan run

You have four ways to start a scan run:

  • Dashboard — choose a repo and branch from Reviews to create a review and start its first run.
  • Pull request — open a PR or move it from draft to ready. The auto-review rules in Settings decide whether Infiniview runs.
  • PR comment — post @infiniview review on a PR you’re trusted on.
  • Rerun — from review detail, when readiness allows it.

Pipeline phases

The dashboard timeline labels each phase. Most scans pass through every phase; runtime testing is skipped for repositories that can’t be served as a browser web app.

  • 01 Setup: Prepare environment and load configuration.
  • 02 Graph build: Parse the codebase and build the security knowledge graph.
  • 03 Scanning: Run security scanners against the codebase.
  • 04 Analysis: Analyze code changes and correlate findings.
  • 05 Review: Review code for quality and security issues.
  • 06 Testing: Test application flows and interactions in a sandboxed browser when supported.
  • 07 Report: Generate the findings report and recommendations.

Snapshot rules

At trigger time, Infiniview merges your dashboard configuration with the repo’s .infiniview.yml and freezes the merged result onto the run. Repo config wins for overlapping fields. Once the snapshot is taken:

  • Editing dashboard settings affects future scans, not the active run.
  • Editing .infiniview.yml on the branch is reflected on the next scan triggered from that branch.
  • Repo secrets are decrypted server-side only when injected into the sandbox at scan time.
  • Unknown or stale scanner IDs in your snapshot are auto-reconciled against the current scanner manifest.

Adaptive analysis

Scan budgets adapt to the size and complexity of the repo. A small project finishes well under the wall-clock cap; a large monorepo gets the full budget. The maximum is one hour per run.

Live progress

While a scan is in progress, the run detail page streams updates over Server-Sent Events. The stream emits an initial snapshot, incremental events, and a final snapshot when the run reaches a terminal status.

GET /api/scan-runs/{id}/live      # text/event-stream
GET /api/scan-runs/{id}/progress  # one-shot status poll
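A small client for the live stream, added here as an example and not Infiniview's own code: it parses text/event-stream framing and stops reading once a terminal status from the table below arrives, instead of waiting on a connection that will send nothing further. It assumes (the page does not say) that each event's data is a JSON object with a "status" field; the sample stream is constructed.

```python
"""Follow an Infiniview scan-run live stream until the run is terminal.
Added example, not Infiniview's own client. Assumed (not on the page): each
event's data is JSON with a "status" field; the sample stream is constructed.
"""
import json
from typing import Iterable, Iterator

# Terminal statuses from the run-status table: nothing follows the final snapshot.
TERMINAL = {"completed", "degraded", "blocked", "failed"}


def parse_sse(lines: Iterable[str]) -> Iterator[tuple]:
    """Yield (event_name, data) per SSE framing: 'event:' names it, consecutive
    'data:' lines join with newlines, a blank line dispatches, ':' is a comment."""
    event, data = "message", []
    for raw in lines:
        line = raw.rstrip("\n")
        if line == "":
            if data:
                yield event, "\n".join(data)
            event, data = "message", []
        elif line.startswith(":"):
            continue
        elif line.startswith("event:"):
            event = line[6:].strip()
        elif line.startswith("data:"):
            data.append(line[5:].lstrip(" "))
    if data:  # stream closed without a trailing blank line
        yield event, "\n".join(data)


def follow_run(lines: Iterable[str]) -> dict:
    """Return the last payload seen, stopping once a terminal status arrives."""
    last: dict = {}
    for _event, data in parse_sse(lines):
        last = json.loads(data)
        if last.get("status") in TERMINAL:
            break  # final snapshot: stop reading instead of hanging on the socket
    return last


# Constructed sample of what GET /api/scan-runs/{id}/live might send.
SAMPLE_STREAM = """\
event: snapshot
data: {"status": "queued", "phase": null}

event: progress
data: {"status": "running", "phase": "Graph build"}

event: snapshot
data: {"status": "degraded", "phase": "Report"}
""".splitlines(keepends=True)
```

Pass `follow_run` the line iterator of a streaming HTTP response to use it against the real endpoint; a `degraded` result is a finished run whose coverage should be checked before the findings are trusted.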

Run statuses

Status      Meaning
queued      Scan run accepted; waiting for a worker.
running     Pipeline in progress; live events stream to the UI.
completed   Pipeline finished with full coverage.
degraded    Pipeline finished with reduced coverage. Findings still persist; trust drops and the run is annotated.
blocked     Pipeline stopped before scanning. Most common cause: the repository is not a supported browser web app.
failed      Pipeline could not complete. The run records the error.

Unsupported apps

If Infiniview can’t run the repository as a supported browser web app, the PR check completes with an Unsupported App status instead of pretending coverage exists. See GitHub automation.

Reruns

Rerun is offered from review detail when readiness says the repo is runnable. Readiness checks GitHub access, missing env-var signals, scanner gaps, and replay prerequisites — see Trust & readiness.