FAQ

Frequently asked questions about PrismSec documentation and usage.

Common questions about using PrismSec, from data privacy to false positives and self-hosting.

Data Privacy and Security

Where is my code analyzed?

PrismSec analyzes code in ephemeral, isolated containers that are destroyed immediately after each scan. Code is transmitted over encrypted connections (TLS) and is never stored persistently on our servers.

For enterprise customers, PrismSec supports on-premise deployment and VPC hosting, allowing you to run scans entirely within your own infrastructure.

Is my code used to train AI models?

No. PrismSec does not use customer code to train AI models. Your code is analyzed only for security vulnerabilities and is never shared with third parties or used for any purpose other than security scanning.

What data does PrismSec retain?

PrismSec retains:

  • Findings metadata — Vulnerability descriptions, severity, file paths, line numbers
  • Scan history — Timestamps, scan status, risk scores
  • Audit logs — Who ignored findings, when, and why

PrismSec does not retain:

  • Full source code
  • Secrets (they are redacted in findings)
  • Proprietary algorithms or business logic

All retained data is encrypted at rest and in transit.

Can I self-host PrismSec?

Yes. Enterprise customers can deploy PrismSec in their own infrastructure:

  • On-premise — Deploy on your own servers
  • VPC — Run in your AWS, GCP, or Azure VPC
  • Air-gapped environments — Available for high-security environments

Contact us at enterprise@prism-sec.com for self-hosting options.

Scanning and Performance

How long do scans take?

Most scans complete in 30–60 seconds. Large pull requests with many changed files may take 2–3 minutes.

PrismSec only scans changed files in pull requests, not the entire repository, which keeps scans fast even in large codebases.

Do scans slow down my CI/CD pipeline?

No. PrismSec scans run in parallel with your existing CI jobs (tests, linting, builds), so they don't block other pipeline steps.

If you configure PrismSec to block merges on security findings, the pipeline will fail if vulnerabilities are detected — but this is intentional, preventing insecure code from reaching production.

Can PrismSec scan monorepos?

Yes. PrismSec supports monorepos with multiple projects in a single repository. You can:

  • Scan the entire monorepo as one unit
  • Configure path exclusions to skip specific subprojects
  • Apply different severity thresholds to different directories

Example configuration for a monorepo:

# prismsec.yml
exclude:
  paths:
    - "legacy-app/**"  # Exclude legacy code
    - "tools/**"       # Exclude build tools

branches:
  main:
    severity_threshold: low  # Strict for shared main branch

How often should I scan?

PrismSec scans automatically on every pull request. For additional coverage:

  • Daily scans — Catch newly disclosed CVEs in dependencies
  • Pre-deployment scans — Run before releasing to production
  • Scheduled audits — Weekly or monthly deep scans for compliance

You can configure scheduled scans in the PrismSec dashboard.

Findings and False Positives

How does PrismSec handle false positives?

PrismSec uses context-aware analysis to reduce false positives:

  • Data flow analysis — Traces how data moves through your application
  • Reachability analysis — Checks if vulnerable code is actually called
  • Framework-specific rules — Understands security features built into frameworks (e.g., Django's CSRF protection)
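To make the three bullets above concrete, here is a deliberately small taint tracker over Python's ast module. It is an added illustration written for this page, not PrismSec's engine or any of its rules; the source/sink names (request.args.get, input, cursor.execute) and the sample module are constructed for the demo. It flags a sink call only when its first argument derives from a source (data flow), leaves literal and parameterized queries alone, and marks a flagged function that nothing calls as unreachable (reachability), which is exactly the kind of context that keeps a finding from becoming a false positive.

```python
"""Toy data-flow + reachability check (added example, not PrismSec's code).

Assumptions (constructed for the demo):
  - SOURCES are calls whose result is attacker-controlled.
  - SINK is a call whose first argument must never be tainted.
  - A function is 'reachable' if something in the module calls it or it
    carries a decorator (treated as a framework entry point).
"""
import ast

SOURCES = {"request.args.get", "input"}
SINK = "cursor.execute"


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_tainted(expr, tainted):
    """Conservative: tainted if it mentions a tainted variable or calls a source."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and _dotted(sub.func) in SOURCES:
            return True
    return False


def analyze_function(fn):
    """Return line numbers of sink calls whose first argument is tainted.

    ast.walk visits sibling statements in order, so assignments in the body
    are processed before the nested call nodes: a flow-insensitive taint set.
    """
    tainted = set()
    findings = []
    for node in ast.walk(fn):
        if isinstance(node, ast.Assign):
            if _is_tainted(node.value, tainted):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        tainted.add(target.id)
        elif isinstance(node, ast.Call) and _dotted(node.func) == SINK:
            if node.args and _is_tainted(node.args[0], tainted):
                findings.append(node.lineno)
    return findings


def scan_module(source):
    """Run the sink check on every top-level function and tag reachability."""
    tree = ast.parse(source)
    called = {_dotted(n.func) for n in ast.walk(tree) if isinstance(n, ast.Call)}
    results = []
    for fn in tree.body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        reachable = fn.name in called or bool(fn.decorator_list)
        for line in analyze_function(fn):
            results.append({"function": fn.name, "line": line, "reachable": reachable})
    return results


# Constructed sample module: one true positive, two safe calls, one dead function.
SAMPLE = '''
def lookup_user(cursor, request):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)  # tainted and reachable -> real finding

def lookup_admin(cursor):
    cursor.execute("SELECT * FROM users WHERE role = 'admin'")  # literal -> no finding

def lookup_safe(cursor, request):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))  # parameterized -> no finding

def dead_code(cursor):
    user = input()
    cursor.execute("DELETE FROM users WHERE id = " + user)  # tainted but never called

lookup_user(None, None)
lookup_admin(None)
lookup_safe(None, None)
'''

if __name__ == "__main__":
    for finding in scan_module(SAMPLE):
        print(finding)
```

Running it reports lookup_user as a reachable finding and dead_code as an unreachable one; a real engine would down-rank or suppress the second rather than show it at the same severity as the first.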

If you encounter a false positive, you can:

  1. Mark it as ignored in the dashboard (with justification)
  2. Report it to PrismSec — We continuously improve detection rules based on feedback

See Triage & Ignoring for details.

What if I disagree with a severity rating?

Severity is determined by the potential impact and exploitability of a vulnerability. However, context matters — a vulnerability in an internal admin panel may be less critical than the same issue in a public API.

If you believe a severity is incorrect:

  1. Provide context — Explain why the severity doesn't match your risk profile
  2. Ignore the finding — With a documented justification
  3. Contact support — We can review and adjust severity for specific use cases

How does auto-fix decide what to fix?

Auto-fix is enabled for vulnerabilities with:

  • Clear, safe fixes — No ambiguity about the correct remediation
  • No architectural changes — The fix doesn't require major refactoring
  • High confidence — The fix won't break functionality

Examples of auto-fixable issues:

  • SQL injection → Use parameterized queries
  • Hardcoded secrets → Move to environment variables
  • Dependency CVE → Upgrade to a safe version
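The first two bullets are the textbook "before and after" pairs, shown here as an added example that is not PrismSec's own auto-fix output. It runs against an in-memory SQLite table built from constructed rows: the concatenated query lets a quoted value change the WHERE clause, the parameterized version binds it as data, and the secret moves from a constant into an environment variable (the variable name PRISMSEC_DEMO_API_KEY is hypothetical).

```python
"""Before/after for two auto-fixable classes (added example, not PrismSec code):
SQL injection -> parameterized query, hardcoded secret -> environment variable."""
import os
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # BEFORE: the caller's string is spliced into the SQL text, so a quote
    # character in `name` changes the query's structure instead of its value.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_fixed(conn, name):
    # AFTER: the value is bound as a parameter; the driver never parses it as SQL.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# BEFORE: a credential committed with the source (constructed placeholder value).
API_KEY_HARDCODED = "sk_live_EXAMPLE_DO_NOT_USE"


def get_api_key_fixed(env=os.environ):
    # AFTER: read at runtime from the environment; fail loudly if absent rather
    # than falling back to a baked-in default. Variable name is hypothetical.
    key = env.get("PRISMSEC_DEMO_API_KEY")
    if not key:
        raise RuntimeError("PRISMSEC_DEMO_API_KEY is not set")
    return key


def demo():
    """Same probe string against both query styles, for comparison."""
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed test input: a quote that closes the literal
    return {
        "vulnerable": find_user_vulnerable(conn, probe),  # returns every row
        "fixed": find_user_fixed(conn, probe),            # returns nothing
        "normal": find_user_fixed(conn, "alice"),         # still works for real input
    }


if __name__ == "__main__":
    print(demo())
```

The fixed query is what an auto-fix PR for this class produces; the reason it qualifies as a "clear, safe fix" is visible in demo(): behaviour for legitimate input is unchanged while the structural change to the query is closed off.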

Examples of non-auto-fixable issues:

  • Authentication bypass → Requires business logic understanding
  • Insecure architecture → Requires redesign
  • Complex deserialization flaws → Requires manual review

See Auto-fix PRs for details.

Language and Framework Support

Is my language supported?

PrismSec supports:

  • JavaScript / TypeScript (Node.js, React, Vue, Angular)
  • Python (Django, Flask, FastAPI)
  • Go (standard library, popular frameworks)
  • Java (Spring Boot, Jakarta EE)
  • PHP (Laravel, Symfony, WordPress)

See Supported Languages for a full matrix.

If your language isn't listed, contact us at hello@prism-sec.com to request support.

Does PrismSec support microservices?

Yes. PrismSec scans each repository independently, making it ideal for microservices architectures. You can:

  • Connect multiple repositories to a single PrismSec account
  • Apply different scan configurations to different services
  • Track risk scores per service in the dashboard

What about serverless / Lambda functions?

Yes, they are supported. PrismSec scans serverless functions written in supported languages (JavaScript, Python, Go, Java). It detects:

  • SAST vulnerabilities — Code-level flaws in function handlers
  • Secrets — Hardcoded credentials in environment variables or code
  • Dependencies — CVEs in dependencies bundled with functions
  • IaC misconfigurations — Overly permissive IAM roles, public API Gateway endpoints

Integrations and Deployment

Can I use PrismSec without a GitHub account?

Yes. PrismSec integrates with:

  • GitHub
  • GitLab
  • Bitbucket

You can also run PrismSec via the CLI in your CI/CD pipeline, independent of your Git provider.

Can I run PrismSec locally?

Yes. The PrismSec CLI can run scans on your local machine:

npx prismsec scan

This is useful for:

  • Pre-commit checks
  • Local development workflows
  • CI/CD pipelines

Does PrismSec support private repositories?

Yes. PrismSec supports both public and private repositories. We request only the minimum permissions required to scan code and post findings.

Pricing and Licensing

Is there a free tier?

Yes. PrismSec offers a free tier for open-source projects and small teams:

  • Up to 5 repositories
  • Unlimited scans
  • All security features (SAST, Secrets, SCA, IaC)
  • Community support

For larger teams or enterprise features (self-hosting, advanced compliance, SLA), contact us at sales@prism-sec.com.

Can I use PrismSec for open-source projects?

Yes. Open-source projects qualify for PrismSec's free tier with no repository limit. Apply for open-source status in the PrismSec dashboard.

Troubleshooting

Why aren't findings appearing in my PR?

Check:

  1. Repository connection — Ensure the repository is connected in the PrismSec dashboard
  2. Webhook delivery — Check your Git provider's webhook settings for delivery failures
  3. Scan status — View the scan log in the dashboard to see if errors occurred

If issues persist, contact support at hello@prism-sec.com.

Why is my CI/CD pipeline failing after adding PrismSec?

PrismSec fails the pipeline when it detects vulnerabilities above your configured severity threshold. To resolve:

  1. Review findings — Check the PrismSec dashboard or PR comments
  2. Fix vulnerabilities — Remediate the issues (or merge auto-fix PRs)
  3. Adjust threshold — If needed, change severity_threshold in prismsec.yml

See CI/CD Setup for details.

How do I contact support?

All users can reach support at hello@prism-sec.com. Enterprise customers have access to dedicated support with SLA guarantees.

Next Steps