Skip to main content
The per-repo pages tell you what’s wrong in one repository. Insights (sidebar → Insights) answers the cross-cutting question: which rules fire the most across the whole organization — usually the fastest way to decide what to fix first, because one bad pattern (an unpinned action, a missing permissions block) tends to repeat across many workflows.

Worst rules

Every rule that fires in any repository’s latest scan gets a row, ranked worst-first (severity, then occurrences, then repos affected). Expand a row to see exactly which repositories are affected, each linking to its repository page for triage or fixing. Two semantics worth knowing:
  • Triage-aware. Findings you’ve dismissed, accepted, or marked false positive are excluded — the ranking reflects the same actionable-risk numbers as the dashboard, per finding triage.
  • Latest scans only. Each repository contributes its most recent scan; repositories never scanned don’t appear.
Everything is computed in your browser from the same row-level-security-scoped reads the rest of the app uses — switching the organization switches the ranking.

Org-wide export

The CSV and JSON buttons download every open finding from every repository’s latest scan, tagged with its repository:
  • CSV — one row per finding with a leading repository column; drops straight into a spreadsheet for reporting.
  • JSON — findings grouped per repository.
SARIF is deliberately per-repo only (on each repository page): a single SARIF run mixing files from different repositories doesn’t upload meaningfully to code scanning.