How Scanning Works

Understand the context-aware analysis pipeline that powers PrismSec.

PrismSec uses an agentic, context-aware analysis pipeline that goes beyond traditional pattern matching. Instead of applying rigid rules, PrismSec understands your code's structure, dependencies, and data flow to detect real vulnerabilities and reduce false positives.

The PR-Triggered Scan Lifecycle

Every time a pull request is opened or updated, PrismSec automatically triggers a scan:

  1. Event Detection — PrismSec receives a webhook from GitHub, GitLab, or Bitbucket when a PR is opened or updated
  2. Diff Analysis — Only changed files are analyzed, not the entire repository (for speed and efficiency)
  3. Context Gathering — PrismSec loads dependency manifests, configuration files, and related code to understand context
  4. Multi-Pillar Scan — Four parallel analyses run simultaneously:
    • SAST — Code-level vulnerability detection with data-flow analysis
    • Secret Detection — Credential and API key exposure scanning
    • Dependencies (SCA) — Known CVE detection in third-party libraries
    • IaC & Misconfiguration — Infrastructure and cloud config security checks
  5. Risk Scoring — Each finding is assigned a severity (Critical/High/Medium/Low) and contributes to an overall risk score
  6. Reporting — Findings appear as inline PR comments with descriptions, evidence, and recommendations
  7. Remediation — For auto-fixable issues, PrismSec opens a separate fix PR with secure code changes

Because only the diff is analyzed rather than the full codebase, most pull-request scans finish in under 60 seconds, even in large repositories.

Context-Aware Analysis

Traditional security tools rely on pattern matching: they look for known-bad code patterns and flag them. PrismSec goes further by understanding context:

Data Flow and Taint Propagation

PrismSec traces how data moves through your application:

  • Input sources — User input, API requests, file uploads, environment variables
  • Propagation paths — Function calls, variable assignments, object properties
  • Dangerous sinks — Database queries, file system operations, shell commands, HTML rendering

If untrusted data flows from a source to a sink without validation or sanitization, PrismSec flags it as a vulnerability.

Example:

# Vulnerable: user input flows directly to SQL query
def get_user(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query)

PrismSec detects that user_id (untrusted input) is interpolated into the query string and reaches db.execute() (a SQL sink) without parameterization or validation, and flags it as SQL Injection. The parameterized form, db.execute("SELECT * FROM users WHERE id = %s", (user_id,)), is not flagged: the untrusted value never becomes part of the query text.
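To make the source, propagation and sink model concrete, here is a small intra-procedural taint analyzer written for this page as an added example; it is not PrismSec's engine and its rule set is an assumption: every function parameter is treated as an untrusted source, db.execute and os.system are sinks whose first argument is checked, and int(), quote() and escape() are treated as sanitizers. The sample functions it scans are constructed for the example and include the vulnerable get_user shown above, the parameterized version, a version that casts the input, and a shell-command variant.

```python
import ast

# Analyzer rules (assumptions for this example, not PrismSec's rule set):
# sink name -> (index of the argument that must not be tainted, vulnerability class)
SINKS = {
    "execute": (0, "SQL Injection"),      # db.execute(query, params): only the query text is a sink
    "system": (0, "Command Injection"),   # os.system(cmd)
}
# Calls treated as cleaning their input (assumed for the example).
SANITIZERS = {"int", "quote", "escape"}


def call_name(call):
    """Name of the called function: 'execute' for db.execute(...), 'int' for int(...)."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def is_tainted(node, tainted):
    """An expression is tainted if it reads a tainted name anywhere below it,
    except inside a sanitizer call, which is treated as cleaning its input."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call) and call_name(node) in SANITIZERS:
        return False
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(node))


def statements(body):
    """Yield statements in source order, descending into if/for/while/try bodies."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                yield from statements(inner)
        for handler in getattr(stmt, "handlers", []):
            yield from statements(handler.body)


def expressions(stmt):
    """Walk the expressions a statement owns directly, without entering nested statements
    (those are visited separately by statements(), so sinks are not reported twice)."""
    stack = [c for c in ast.iter_child_nodes(stmt) if not isinstance(c, ast.stmt)]
    while stack:
        node = stack.pop()
        yield node
        stack.extend(c for c in ast.iter_child_nodes(node) if not isinstance(c, ast.stmt))


def find_taint_flows(source):
    """Return (function, line, vulnerability) for each tainted value that reaches a sink."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = {arg.arg for arg in func.args.args}  # sources: the function's inputs
        for stmt in statements(func.body):
            # Propagation: an assignment copies taint from the right-hand side to its target;
            # overwriting a name with a clean value removes its taint.
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if is_tainted(stmt.value, tainted):
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)
            # Sinks: report when the sensitive argument is tainted at the call site.
            for node in expressions(stmt):
                if isinstance(node, ast.Call) and call_name(node) in SINKS:
                    index, vuln = SINKS[call_name(node)]
                    if index < len(node.args) and is_tainted(node.args[index], tainted):
                        findings.append((func.name, node.lineno, vuln))
    return findings


# Constructed input for the analyzer (not code from any real project).
SAMPLE = '''
def get_user(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query)

def get_user_safe(user_id):
    query = "SELECT * FROM users WHERE id = %s"
    return db.execute(query, (user_id,))

def get_user_cast(user_id):
    query = f"SELECT * FROM users WHERE id = {int(user_id)}"
    return db.execute(query)

def run_report(name):
    cmd = "ls " + name
    os.system(cmd)
'''

if __name__ == "__main__":
    for finding in find_taint_flows(SAMPLE):
        print(finding)
```

Only get_user and run_report are reported. get_user_safe passes the untrusted value as a bound parameter, so the checked argument (the query text) is never tainted, and get_user_cast routes the value through int(), which the rules treat as a sanitizer. A real engine also follows taint across function boundaries and object properties; this toy analyzer stops at the function it is looking at.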

Control Flow and Reachability

PrismSec analyzes which code paths are reachable and under what conditions:

  • Dead code — If a vulnerability exists in unreachable code, severity is downgraded
  • Conditional logic — If a dangerous operation is protected by authentication or validation checks, PrismSec adjusts the risk score accordingly

Dependency Graph and Transitive CVEs

For dependency vulnerabilities, PrismSec builds a full dependency tree:

  • Identifies direct and transitive (nested) dependencies
  • Checks if vulnerable functions are actually called in your code (reachability analysis)
  • Recommends the lowest version that resolves the vulnerability, to minimize the chance of breaking changes
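The three dependency checks above (direct vs. transitive paths, reachability of the vulnerable function, and choosing an upgrade target) as an added example written for this page; it is not PrismSec's SCA implementation. The dependency graph, the advisory, the published version list and the two application snippets are all constructed and hypothetical, and the "stay within the current major version" rule for the upgrade target is an assumption used to stand in for "without breaking changes".

```python
import ast

# Constructed dependency graph: hypothetical package names and versions.
# Each "name==version" maps to its direct dependencies.
DEP_GRAPH = {
    "myapp": ["webkit-lite==2.1.0", "fastjson-py==1.3.0"],
    "webkit-lite==2.1.0": ["fastjson-py==1.3.0", "tinylog==0.9.1"],
    "fastjson-py==1.3.0": [],
    "tinylog==0.9.1": [],
}

# Hypothetical advisory (not a real CVE): versions below fixed_in are affected,
# but only code that calls vuln_function is actually exposed.
ADVISORIES = {
    "fastjson-py": {"id": "EXAMPLE-0001", "fixed_in": (1, 3, 2), "vuln_function": "load_unsafe"},
}

# Versions published for each package (constructed), used to pick an upgrade target.
AVAILABLE = {"fastjson-py": ["1.2.9", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "2.0.0"]}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def split_spec(spec):
    name, _, version = spec.partition("==")
    return name, (parse_version(version) if version else None)


def is_vulnerable(spec):
    name, version = split_spec(spec)
    advisory = ADVISORIES.get(name)
    return advisory is not None and version is not None and version < advisory["fixed_in"]


def find_vulnerable_paths(root, path=None):
    """Depth-first walk of the tree; returns every root -> ... -> vulnerable-package path,
    so the same package shows up once per route it is pulled in through."""
    path = (path or []) + [root]
    hits = [path] if is_vulnerable(root) else []
    for dep in DEP_GRAPH.get(root, []):
        if dep not in path:  # guard against cycles in the graph
            hits.extend(find_vulnerable_paths(dep, path))
    return hits


def _call_name(call):
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def calls_function(source, func_name):
    """Reachability check: does the application code call the vulnerable function at all?
    Matches both load_unsafe(x) and fastjson_py.load_unsafe(x); import aliases are not resolved."""
    tree = ast.parse(source)
    return any(isinstance(n, ast.Call) and _call_name(n) == func_name for n in ast.walk(tree))


def minimum_safe_version(name, current):
    """Lowest published version at or above fixed_in that keeps the current major version
    (the 'same major' rule is this example's stand-in for avoiding breaking changes)."""
    fixed_in = ADVISORIES[name]["fixed_in"]
    candidates = [v for v in AVAILABLE[name]
                  if parse_version(v) >= fixed_in and parse_version(v)[0] == current[0]]
    return min(candidates, key=parse_version) if candidates else None


def assess(root, app_source):
    """Combine the three checks into one report entry per vulnerable path."""
    report = []
    for path in find_vulnerable_paths(root):
        name, version = split_spec(path[-1])
        advisory = ADVISORIES[name]
        reachable = calls_function(app_source, advisory["vuln_function"])
        report.append({
            "advisory": advisory["id"],
            "package": path[-1],
            "transitive": len(path) > 2,
            "via": " -> ".join(path),
            "reachable": reachable,
            "severity": "Critical" if reachable else "Low",
            "upgrade_to": minimum_safe_version(name, version),
        })
    return report


# Constructed application snippets: one calls the dangerous function, one never does.
APP_REACHABLE = "from fastjson_py import load_unsafe\ndef handle(body):\n    return load_unsafe(body)\n"
APP_UNREACHABLE = "import fastjson_py\ndef handle(body):\n    return fastjson_py.loads(body)\n"

if __name__ == "__main__":
    for entry in assess("myapp", APP_REACHABLE):
        print(entry)
```

The vulnerable package appears twice in the report: once as a direct dependency of myapp and once pulled in transitively through webkit-lite. Both routes point at the same upgrade target, but the transitive one can only be fixed by bumping webkit-lite or pinning the nested package, which is why the path is worth showing in the finding.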

CI/CD Integration

In addition to PR scans, PrismSec can run in your CI/CD pipeline:

  • On every commit to long-lived branches (main, develop, staging)
  • As a required status check — block merges if critical vulnerabilities are detected
  • On scheduled intervals — daily or weekly scans to catch newly disclosed CVEs

See CI/CD Setup for integration details.

What Happens After a Scan

Findings Appear in the PR

Each finding is posted as an inline comment on the exact line of code where the issue was detected. Findings include:

  • Title and severity — e.g., "Critical: SQL Injection"
  • Description — What the issue is and why it's dangerous
  • Evidence — The data flow or pattern that triggered the detection
  • Recommendation — How to fix it securely

Status Checks

PrismSec posts a commit status (Pass/Fail) based on your configured severity threshold:

  • Pass — No findings at or above the threshold (e.g., with the threshold set to High, no Critical or High issues)
  • Fail — At least one finding at or above the threshold

You can configure PrismSec to block merges if the status check fails.
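The following is an added example written for this page, not PrismSec's scoring code, that ties together the reachability adjustments from the Control Flow and Reachability section and the status-check gate described here. The one-level downgrade for unreachable or guarded findings, the per-severity weights for the overall risk score, and the findings themselves are all assumptions constructed for the example.

```python
# Severity ladder used for the adjustments and the threshold gate.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
RANK_TO_SEVERITY = {rank: name for name, rank in SEVERITY_RANK.items()}

# Weight per effective severity for the overall risk score (assumed for this example).
RISK_WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1}


def effective_severity(finding):
    """Reachability adjustments: one level down if the vulnerable code is unreachable,
    one level down if the sink is guarded by an authentication or validation check.
    The one-level size of each step is an assumption, not PrismSec's formula."""
    rank = SEVERITY_RANK[finding["severity"]]
    if not finding.get("reachable", True):
        rank -= 1
    if finding.get("guarded", False):
        rank -= 1
    return RANK_TO_SEVERITY[max(rank, SEVERITY_RANK["Low"])]


def risk_score(findings):
    """Overall score for the PR: every finding contributes according to its effective severity."""
    return sum(RISK_WEIGHT[effective_severity(f)] for f in findings)


def status_check(findings, threshold="High"):
    """Commit status: Fail when any finding's effective severity is at or above the threshold.
    Returns the status and the titles of the findings that caused it."""
    gate = SEVERITY_RANK[threshold]
    blocking = [f["title"] for f in findings if SEVERITY_RANK[effective_severity(f)] >= gate]
    return ("Fail" if blocking else "Pass"), blocking


# Constructed findings for one PR (not real scan output).
FINDINGS = [
    {"title": "SQL Injection", "severity": "Critical", "reachable": True},
    {"title": "Command Injection", "severity": "Critical", "reachable": False},  # dead code
    {"title": "Cross-Site Scripting", "severity": "High", "guarded": True},      # behind an auth check
    {"title": "Verbose Error Page", "severity": "Low"},
]

if __name__ == "__main__":
    print("risk score:", risk_score(FINDINGS))
    print(status_check(FINDINGS, threshold="High"))
```

Note that a downgrade does not make a finding disappear: the unreachable Command Injection still blocks the merge at a High threshold, and the inline comment still appears in the PR. Raising the threshold to Critical lets it through, which is the trade-off a team makes when choosing where to set the gate.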

Auto-Fix PRs

For vulnerabilities with a clear, safe fix, PrismSec opens a fix PR automatically:

  • The PR includes a diff showing the secure code changes
  • A description explains what was fixed and why
  • Once merged, the original PR is re-scanned and the finding is marked as resolved

See Auto-fix PRs for details.

Scan Scope and Performance

To keep scans fast, PrismSec optimizes intelligently:

  • Diff-only analysis — Only changed files are scanned in PRs
  • Incremental dependency scanning — Only new or updated dependencies are checked for CVEs
  • Parallel execution — All four security pillars run concurrently
  • Smart caching — Dependency metadata and file hashes are cached between scans

Most scans complete in under 60 seconds. Large monorepos or PRs with many changed files may take longer, but rarely exceed 2-3 minutes.
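Diff-only analysis means a finding is only surfaced as an inline PR comment when it sits on a line the PR actually touched. The following is an added example written for this page, not PrismSec's code, that parses a unified diff, records which new-file line numbers each hunk adds or modifies, and filters a list of findings down to those. The diff and the findings are constructed for the example.

```python
import re

# Hunk header: "@@ -old_start[,old_len] +new_start[,new_len] @@"; only the new-file start matters here.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def changed_lines(unified_diff):
    """Map each file in a unified diff to the set of line numbers (in the new version
    of the file) that the diff adds or modifies. Removed lines have no new-file number."""
    changed = {}
    path = None
    new_line = 0
    for raw in unified_diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            if path.startswith("b/"):  # strip git's b/ prefix
                path = path[2:]
            changed.setdefault(path, set())
            continue
        # File and index headers carry no line content; skip them before the +/- checks.
        if raw.startswith("--- ") or raw.startswith("diff ") or raw.startswith("index "):
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if path is None:
            continue
        if raw.startswith("+"):
            changed[path].add(new_line)  # added or modified line in the new file
            new_line += 1
        elif raw.startswith("-"):
            pass  # deleted from the old file; does not consume a new-file line number
        elif raw.startswith(" ") or raw == "":
            new_line += 1  # unchanged context line
        # anything else (e.g. "\ No newline at end of file") is ignored
    return changed


def findings_in_diff(findings, unified_diff):
    """Keep only the findings that sit on a line this PR touched."""
    changed = changed_lines(unified_diff)
    return [f for f in findings if f["line"] in changed.get(f["path"], set())]


# Constructed PR diff: a parameterized query is replaced by an f-string and a new function is added.
SAMPLE_DIFF = """\
diff --git a/app/users.py b/app/users.py
--- a/app/users.py
+++ b/app/users.py
@@ -10,3 +10,6 @@ import os
 def get_user(user_id):
-    query = "SELECT * FROM users WHERE id = %s"
-    return db.execute(query, (user_id,))
+    query = f"SELECT * FROM users WHERE id = {user_id}"
+    return db.execute(query)
+
+def list_users():
+    return db.execute("SELECT * FROM users")
"""

# Constructed findings: one on a changed line, one on an untouched line of the same file,
# one in a file the PR does not touch at all.
FINDINGS = [
    {"path": "app/users.py", "line": 12, "title": "SQL Injection", "severity": "Critical"},
    {"path": "app/users.py", "line": 3, "title": "Hardcoded Credential", "severity": "High"},
    {"path": "app/legacy.py", "line": 40, "title": "Command Injection", "severity": "Critical"},
]

if __name__ == "__main__":
    print(changed_lines(SAMPLE_DIFF))
    for finding in findings_in_diff(FINDINGS, SAMPLE_DIFF):
        print(finding)
```

Only the SQL Injection on the changed line is kept. The hardcoded credential on line 3 and the issue in app/legacy.py are pre-existing and outside the diff, so a PR scan does not surface them; that gap is what the branch and scheduled scans described under CI/CD Integration are for.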

How PrismSec Differs from Traditional Tools

| Traditional Security Tools | PrismSec |
|----------------------------|----------|
| Pattern matching (regex-based) | Context-aware data flow analysis |
| Manual triage required | Automated risk scoring and prioritization |
| Findings reported in dashboards | Findings posted inline in PRs |
| Developers fix vulnerabilities manually | Auto-fix PRs for common issues |
| Scheduled scans (weekly/monthly) | Real-time scans on every PR |

PrismSec shifts security left — catching vulnerabilities before they reach production, without slowing down development.

Next Steps