Security Agent findings are separate from Pull Requests > PR Findings. PR Findings come from security issues raised during pull request review comments, while Agent Findings come from full-codebase scans.
How Security Agent works
Security Agent runs a multi-stage pipeline rather than matching fixed rules against a single file or diff:- Map — CodeRabbit builds a model of the repository so it can reason across files and services, not just within one file.
- Investigate — Agents examine likely vulnerable code paths and trace how data flows through the codebase.
- Verify — A separate verification step reopens the cited code paths and rejects speculative, test-only, dead-code, and unreachable cases before a finding is surfaced.
What Security Agent scans for
Security Agent looks for practical code-level vulnerabilities across the selected repository. Findings can include issues such as injection, authorization bypass, IDOR, broken authentication, CSRF, sensitive data exposure, information disclosure, XSS, SSRF, open redirects, insecure deserialization, CORS issues, security misconfiguration, path traversal, weak cryptography, denial of service, LLM security risks, and other code security problems. LLM and AI application risks include prompt injection, improper output handling, and excessive agency. Each accepted finding is grounded in code evidence. When available, CodeRabbit shows:- Category and severity
- Repository, file path, and line range
- CWE
- Description and recommendation
- Reachability: External, Internal, Unreachable, or Unknown
- Reachability call stack when CodeRabbit can trace a path from an entry point to the risky code
- Inline code context or a permalink to the scanned commit
- Status and fix status
Run a scan
You can start a Security Agent scan from the Security area in CodeRabbit.Open Security
In the CodeRabbit app, go to Security.
Choose Code findings
Select Code findings to run Security Agent. You can select other scan types in the same dialog when you also want dependencies, SBOM, or secrets scans.
Review the estimate
If code-scan credits apply, review the estimated total and per-repository credits before starting. Estimates are based on the effective scan branch and configured code path exclusions.
Scan status and activity
Each scan target moves through pending, running, completed, and failed states. A scan that runs for too long is marked failed with a message telling you it timed out or was interrupted, so you can run it again. The activity log records each run’s target, scan ID, status, duration, repository, who triggered it, and when. Completed runs link to that scan’s historical snapshot.Configure repository scan settings
Repository security settings control which branch Security Agent scans, which code paths it skips, and whether scans run on a schedule.Scan branch
For GitHub repositories, choose the branch CodeRabbit should scan. Provider default follows the repository default branch. Selecting the default branch clears the custom branch setting. If a configured branch is deleted, CodeRabbit warns that future scans will fail until you select another branch or return to the provider default.Path exclusions
Use Path Exclude filters to skip code paths that should not count toward Security Agent scans.- Add one repository-relative path or glob per line.
- You can add up to 100 excluded paths per repository.
- Each excluded path can be up to 512 characters.
- Absolute paths, Windows absolute paths, parent traversal, and control characters are rejected.
- Backslashes are normalized to
/, leading./is removed, and duplicate entries are ignored.
Recurring schedules
Set a recurring full scan schedule per repository when you want CodeRabbit to scan on specific days and times. Schedules use 24-hour time, an IANA timezone, selectable days of the week, and selectable scan types: Code, Dependencies, SBOM, and Secrets. Each scheduled scan target dispatches independently. If one target is already active, CodeRabbit skips that target while other runnable targets can still start.The Security area
The Security section in the CodeRabbit sidebar organizes the Security Suite into these pages:- Overview — a dashboard of your latest security posture.
- Repositories — repository scan settings, including branch, path exclusions, and schedules.
- Agent Findings — code vulnerability findings from Security Agent.
- Dependencies — vulnerable dependency findings.
- SBOM — resolved component inventory and license visibility.
- Secrets Detection — leaked secrets and hardcoded credential findings.
- PR Findings — security issues raised during pull request reviews.
- Activity Log — a record of scan runs.
- Summary cards with finding counts, affected repository count, and critical/high totals for each scan type.
- A Security Trend chart of findings by severity over time, filterable by repository and finding type across 30, 90, 180, and 365 day ranges.
- Latest Findings, the most recent critical and high Agent Findings with severity, category, repository, and file location.
- Highest-Risk Repositories, ranked by critical and high findings.
Work with Agent Findings
The Agent Findings page gives you a triage surface for code findings from completed scans. You can:- Filter by repository, severity, category, and search text
- Open a finding drawer with evidence, recommendation, reachability, code context, and available actions
- Share a direct link to a finding
- Ignore a finding
- Export findings as CSV, JSON, or SARIF
- Start Fix with AI for supported vulnerability findings on GitHub repositories
- View a generated fix pull request when one exists
- Retry failed fixes
Related Security scans
The Security area also includes other committed-codebase scan targets. You can start them from the same run dialog, but each has its own source and findings surface.| Scan target | What it checks |
|---|---|
| Agent Findings | Code vulnerability findings from Security Agent |
| Secrets Detection | Leaked secrets and hardcoded credential findings |
| Dependencies | Known vulnerable dependencies from supported manifests and lockfiles |
| SBOM | Resolved component inventory and license visibility |
Availability and limits
Security Agent is available for GitHub repositories. Repository security settings, scheduled scans, code context links, and Fix with AI pull request creation are also GitHub-only for this feature. New workspaces include a free trial with 10 code scans. Security Agent does not prove that a repository has no vulnerabilities. It reports findings that CodeRabbit can support with code evidence, and it preserves Unknown reachability when CodeRabbit cannot determine a path confidently enough. Code-scan credit estimates are estimates. They account for the effective scan branch and configured code path exclusions, but they should not be treated as a final invoice.What’s next
Repository settings
Configure repository-level settings that control how CodeRabbit analyzes each repository.
Linters and security analysis tools
Browse the static analysis and security tools CodeRabbit can run during pull request reviews.
OSV-Scanner
See how CodeRabbit uses OSV-Scanner for dependency vulnerability analysis in code reviews.