Start a deep scan on the default branch
Run a deep scan on the branch your team trusts as the baseline (usually
main). Keep the first run simple: one repository, one branch. You can
include several repositories later for a multi-repo scan.
Review results
Open the Vulnerabilities tab to triage findings, the Endpoints tab for
the attack surface, and the Wiki tab for the codebase overview. See
Findings & remediation.
Recommended rollout
Pick a repository with clear ownership
The first scan is easier to act on when the team knows who validates and fixes
issues.
Expand after the first clean loop
Add more repositories, turn on PR checks, and schedule scans.