start here
FAQ
The questions a careful evaluator asks first.
- The scan timed out / didn't finish on a large repo. Why?
- A scan runs inside one serverless request with a fixed budget — by default 1,000 files and 55 seconds. A repo bigger than that is scanned up to the cap and the result is flagged truncated, so you know it wasn't exhaustive. For a huge monorepo, narrow the scan to a subfolder. Full numbers and the rationale are on Scan limits.
- I hit a GitHub rate limit.
- Anonymous scans share GitHub's API quota, so a burst of public scans can hit a limit; the response includes a
Retry-Afteryou can wait out. Signed-in scans run against your own GitHub quota, which is far higher — if you're evaluating on a popular repo and keep getting limited, signing in is the fix. TriageRook also surfaces a rate-limited history pass as degraded rather than pretending the history is clean. - Can I scan a private repository?
- No. TriageRook only scans public repositories, and the authenticated endpoint refuses a private repo at the boundary — before any file is fetched. That refusal is what makes the “we don't read private code” promise true in the code, not just in copy. See Security & data handling.
- A finding is a false positive. What do I do?
- Suppress it. You can silence a single finding, a rule on a path, or a whole rule for the repo — either from the findings view (synced to your account) or by committing a
.repoguardignorefile. The full syntax, with tested examples, is on Suppressions. Findings in test/fixture paths are already de-prioritized automatically. - Why didn't it find a vulnerability I know is there?
- A few honest reasons: the file was past the per-run file cap (the result would be marked truncated); the language isn't covered for that detector (deep code analysis is primarily JS/TS, with regex for Python); the issue needs cross-file dataflow that a fast first-pass SAST doesn't trace; or there's no published advisory/pattern for it yet. What each detector does and does not catch is spelled out on Detectors, and the caps are on Scan limits.
- Do you store my source code?
- No. Code is fetched per scan, analyzed in memory, and discarded. Anonymous scans persist nothing; signed-in scans save findings (paths, line numbers, masked previews) so you have history — never full file contents, never raw secret values. Details on Security & data handling.
- Can I get findings into GitHub Code Scanning?
- Yes — every scan exports SARIF 2.1.0 for upload to GitHub Code Scanning, and public repos can wire it into CI with no token. See SARIF export and the Quickstart.
Question not answered here? Ask on GitHub.