Scan categories
Secret scan
Detects hardcoded API keys, tokens, passwords, certificates, and other credentials accidentally committed to the repository — before they are exploited.
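The detection logic a secret scan relies on can be illustrated with a small scanner. The following is an added example written for this page, not Garth's own code: it combines a rule for quoted literals assigned to credential-looking variable names, a PEM private-key header rule, and a Shannon-entropy check for long random-looking strings, skips obvious placeholders and environment lookups, and redacts the matched value in the report. The sample file contents, thresholds and rule names are constructed for the demonstration.

```python
import math
import re

# Rule 1: a quoted literal assigned to a credential-looking name.
# Values read from the environment are not literals, so they do not match.
ASSIGNMENT_RE = re.compile(
    r'(?i)(api[_-]?key|secret|token|password|passwd|pwd)\w*\s*[:=]\s*["\']([^"\']{8,})["\']'
)
# Rule 2: PEM header of a private key (the key material itself is not needed).
PEM_RE = re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')
# Rule 3: long run of base64url/hex-style characters not tied to a variable name.
TOKEN_RE = re.compile(r'[A-Za-z0-9_\-]{32,}')
# Obvious placeholders that must not be reported as findings.
PLACEHOLDERS = {"changeme", "password", "example", "placeholder", "xxxxxxxx"}
ENTROPY_THRESHOLD = 4.0  # bits per character; a random 32-char string scores about 5


def shannon_entropy(value):
    """Bits per character of the string; higher means more random-looking."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    return value.lower() in PLACEHOLDERS or value.startswith("<") or value.startswith("${")


def _finding(path, lineno, rule, severity, value):
    # Never echo the full secret into a report; a short prefix is enough for triage.
    return {"path": path, "line": lineno, "rule": rule, "severity": severity,
            "redacted": value[:4] + "****"}


def scan_line(path, lineno, line):
    """Return a finding dict for one line, or None if nothing suspicious is found."""
    m = ASSIGNMENT_RE.search(line)
    if m:
        value = m.group(2)
        if is_placeholder(value):
            return None
        # Random-looking literals are more likely to be real credentials.
        severity = "High" if shannon_entropy(value) >= 3.5 else "Medium"
        return _finding(path, lineno, "hardcoded-credential", severity, value)
    if PEM_RE.search(line):
        return _finding(path, lineno, "private-key", "Critical", line.strip())
    for token in TOKEN_RE.findall(line):
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            return _finding(path, lineno, "high-entropy-string", "Medium", token)
    return None


def scan_text(path, text):
    """Scan a whole file's text line by line and collect findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        f = scan_line(path, lineno, line)
        if f:
            findings.append(f)
    return findings


# Constructed sample file; the "secrets" below are made-up strings, not real credentials.
SAMPLE = "\n".join([
    "import os",
    'DB_PASSWORD = os.environ["DB_PASSWORD"]',          # env lookup: not a literal
    'api_key = "CHANGEME"',                              # placeholder: skipped
    'token = "q7Zx2LmP9vK4nR8tY1wB6cH3jD5fG0sA"',        # rule 1, high entropy
    "-----BEGIN RSA PRIVATE KEY-----",                   # rule 2
    'secret = "v1N3x8Kq2Lp7Tz5Rw9Ym4Bc6Hd0Jf1Gs3Ua"',    # rule 1
    'url = "https://example.invalid/hook/Ab3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY"',  # rule 3
])

if __name__ == "__main__":
    for f in scan_text("config.py", SAMPLE):
        print(f"{f['path']}:{f['line']} [{f['severity']}] {f['rule']} {f['redacted']}")
```

Running the block reports four findings on lines 4 to 7 of the sample and nothing for the environment lookup or the placeholder; the entropy threshold is the knob to tune when a codebase contains many long hashes or IDs that are not secrets.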
SCA
Software Composition Analysis identifies vulnerable, outdated, or licence-restricted third-party packages across your dependency tree.
SAST
Static Application Security Testing finds security flaws in your source code — injection vulnerabilities, insecure configurations, and OWASP Top 10 issues — without running the application.
IaC
Infrastructure-as-Code scanning audits Terraform, CloudFormation, Kubernetes manifests, and Dockerfile configurations for misconfigurations and compliance violations.
Code complexity
Identifies overly complex functions and modules using cyclomatic complexity and cognitive complexity metrics. High-complexity code is harder to maintain and more likely to harbour bugs.
Code duplicates
Detects repeated code blocks across the codebase that should be consolidated into shared utilities, reducing maintenance overhead.
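The two maintainability checks above, cyclomatic complexity and duplicate detection, can both be computed from a parsed syntax tree. The following is an added example for this page, not Garth's implementation: it scores each Python function as 1 plus its decision points (if/elif, loops, except handlers, conditional expressions, short-circuit boolean operands, comprehension clauses) and detects duplicate function bodies by hashing a normalised AST in which every identifier is renamed, so copies that differ only in variable names still collide. The sample source, the complexity threshold and the rule names are constructed for the demonstration.

```python
import ast
import copy
import hashlib
from collections import defaultdict


class _Complexity(ast.NodeVisitor):
    """Cyclomatic complexity: 1 + number of decision points in a function body."""

    def __init__(self):
        self.score = 1

    def _branch(self, node):
        self.score += 1
        self.generic_visit(node)

    # Each of these node types opens one extra path through the function.
    visit_If = visit_For = visit_While = visit_AsyncFor = _branch
    visit_IfExp = visit_ExceptHandler = _branch

    def visit_BoolOp(self, node):
        # `a and b and c` adds two short-circuit paths
        self.score += len(node.values) - 1
        self.generic_visit(node)

    def visit_comprehension(self, node):
        self.score += 1 + len(node.ifs)
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        return  # nested functions are scored separately

    visit_AsyncFunctionDef = visit_FunctionDef


class _Normalise(ast.NodeTransformer):
    """Rename every identifier to '_' so renamed copies hash identically."""

    def visit_Name(self, node):
        node.id = "_"
        return node


def analyse(source, path="<constructed>", threshold=10):
    """Return per-function complexity, duplicate groups and the resulting findings."""
    tree = ast.parse(source)
    complexity = {}
    bodies = defaultdict(list)
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        visitor = _Complexity()
        for stmt in func.body:
            visitor.visit(stmt)
        complexity[func.name] = visitor.score
        # Hash the body only, so different parameter names do not hide a duplicate.
        normalised = _Normalise().visit(copy.deepcopy(func))
        digest = hashlib.sha256(
            "\n".join(ast.dump(s) for s in normalised.body).encode()
        ).hexdigest()
        bodies[digest].append(func.name)
    duplicates = [names for names in bodies.values() if len(names) > 1]

    findings = []
    for name, score in complexity.items():
        if score > threshold:
            findings.append({"path": path, "rule": "high-complexity", "severity": "Medium",
                             "function": name, "complexity": score})
    for names in duplicates:
        findings.append({"path": path, "rule": "duplicate-code", "severity": "Low",
                         "functions": names})
    return {"complexity": complexity, "duplicates": duplicates, "findings": findings}


# Constructed sample module: one branchy function and two renamed copies of a loop.
SAMPLE = '''
def risky(a, b, c):
    if a and b:
        for x in c:
            if x > 0:
                pass
            elif x < 0:
                pass
    try:
        return a / b
    except ZeroDivisionError:
        return 0

def total_a(xs):
    s = 0
    for x in xs:
        if x > 0:
            s += x
    return s

def total_b(items):
    acc = 0
    for it in items:
        if it > 0:
            acc += it
    return acc
'''

if __name__ == "__main__":
    report = analyse(SAMPLE, path="sample.py", threshold=5)
    print(report["complexity"])
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['rule']}: {f}")
```

With threshold 5, `risky` scores 7 (six decision points plus one) and is reported, while `total_a` and `total_b` score 3 each and are reported once as a duplicate pair despite their different variable names.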
Scan triggers
Scans can be initiated in two ways:
Scheduled scans
Configure a recurring schedule from the Garth dashboard. Garth will automatically scan your repositories at the defined cadence — daily, weekly, or at a custom interval — and surface any new findings.
Manual scans
Trigger a scan at any time directly from the Garth dashboard. Useful when you want to check the current state of a repository outside the normal schedule, such as before a release.
Scan results
Results appear in the Garth dashboard, organised by category and severity. Each finding includes:
- Severity — Critical, High, Medium, or Low
- File path and line number — pinpointing exactly where the issue is
- Rule or CVE ID — for traceability and reporting
- Remediation guidance — concrete steps to resolve the finding
