Getting Started

First Scan

A walkthrough of scanning a project from scratch — what each part of the results view means, how to drill into a finding, and how auto-fix works.

1. Select a folder to scan

Open HZSec and click New Scan in the left sidebar. Use the folder picker to choose your project root — this can be a repo, a subdirectory, or a single module. HZSec respects .gitignore by default, so node_modules, build output, and dependency folders are automatically excluded.

Tip

Scanning a large monorepo? Target a specific package directory first to get results faster. You can run additional scans against other paths and HZSec keeps each in your history separately.

2. Choose scan modes

HZSec runs all six detection modes by default. You can toggle individual modes in the scan settings panel before starting:

Secrets & Credentials
Insecure Configuration
Vulnerable Code Patterns
Dependency CVEs
Web Exposure
System Hardening

For day-to-day pre-commit use, consider Quick Scan (changed files only) or running a targeted mode. See Scan Modes for details.

3. Reading your results

When the scan completes, you see a summary dashboard with your security score and a findings list grouped by severity.

Security score

The score is a 0–100 number based on the severity and count of open findings relative to the size of your codebase. A higher score means fewer open issues. HZSec tracks this across scans so you can see whether security is trending up or down over time.

Severity levels

CRITICAL

Exploitable now with known techniques. Fix before the next commit.

HIGH

Significant risk. Should be resolved within days.

MEDIUM

Real issue but harder to exploit directly. Address in the current sprint.

LOW

Best-practice gap. No immediate threat but worth cleaning up.

Drilling into a finding

Click any finding in the list to open the detail panel. Each finding includes: the file path and line number, a plain-language explanation of why this is risky, a reference to the relevant CWE or CVE, the compliance frameworks it affects (OWASP Top 10, CIS, SOC 2), and a recommended remediation. If auto-fix is available, a button appears in the panel.

4. Using auto-fix

For deterministic, low-risk findings — exposed API key format, DEBUG=True, insecure http:// endpoint, weak TLS version string — HZSec can apply the fix directly to your file.

  1. Click Apply Fix in the finding detail panel.
  2. Review the diff. HZSec shows exactly what will change before touching any file.
  3. Click Confirm to write the change, or Dismiss to leave the file untouched.
  4. The finding is marked as resolved in the audit log with a timestamp.

Important

Auto-fix only applies to findings where the correct change is unambiguous. Complex issues — logic bugs, authentication flaws, architectural misconfigurations — are surfaced with an explanation and remediation guidance, but no auto-fix.
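As an added illustration, not HZSec's own code (the app's internals are not shown on this page), the propose-then-confirm cycle of steps 1 to 4 as a stand-alone Python sketch: the rewrite rules, the file name and the sample settings file are constructed assumptions, and the localhost exclusion is one way of keeping a rule unambiguous.

```python
"""Sketch of a deterministic auto-fix cycle: propose a diff, write only on
confirmation, record the outcome with a timestamp. Not HZSec code; the rules
and sample input below are constructed for illustration."""
import difflib
import re
from datetime import datetime, timezone

# (finding id, pattern, replacement) for the kinds of finding section 4 lists.
# Each rule rewrites only an exact, unambiguous match; anything that needs
# judgement (e.g. a loopback http:// URL) is deliberately left untouched.
RULES = [
    ("debug-enabled", re.compile(r"^(DEBUG\s*=\s*)True\b", re.M), r"\1False"),
    ("insecure-endpoint", re.compile(r"\bhttp://(?!localhost|127\.0\.0\.1)"), "https://"),
    # TLSv1, TLSv1.0 and TLSv1.1 are raised to 1.2; TLSv1.2/1.3 are not matched.
    ("weak-tls-version", re.compile(r"\bTLSv1(?:\.0|\.1)?(?![.\d])"), "TLSv1.2"),
]

# Constructed sample settings file with one hit per rule plus one non-hit.
SAMPLE = (
    "DEBUG=True\n"
    "API_URL=http://api.example.com/v1\n"
    "DEV_URL=http://localhost:8000\n"
    "TLS_MIN_VERSION=TLSv1\n"
)


def propose_fix(path, text):
    """Return (fixed_text, findings, unified_diff). Nothing is written here,
    which is what lets a reviewer inspect the change before it lands."""
    fixed, findings = text, []
    for fid, pattern, repl in RULES:
        fixed, n = pattern.subn(repl, fixed)
        if n:
            findings.append((fid, n))
    diff = "".join(difflib.unified_diff(
        text.splitlines(True), fixed.splitlines(True), f"a/{path}", f"b/{path}"))
    return fixed, findings, diff


def apply_fix(path, text, confirm, audit_log):
    """Return the content to write: the fix if confirmed, else the original.
    Either way the decision is appended to the audit log with a UTC timestamp."""
    fixed, findings, _diff = propose_fix(path, text)
    status = "resolved" if confirm and findings else "dismissed"
    audit_log.append({"file": path, "findings": findings, "status": status,
                      "timestamp": datetime.now(timezone.utc).isoformat()})
    return fixed if confirm else text
```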

5. Exporting results

The audit log captures every scan, finding, and applied fix. To export:

  • Go to Reports in the sidebar.
  • Select a scan or a date range.
  • Click Export Report — available as structured JSON or a printable PDF.

Export is available through the desktop app only — the CLI does not currently expose a report command.