Scan Configuration

This guide explains how to enable or disable Codity's scan pipelines (security, license, and code quality) at both the organization and repository levels, and how these settings interact.

Overview

Codity runs multiple scan pipelines on every pull request or merge request. Each pipeline can be toggled independently through a hierarchical configuration system:

  • Organization-level settings: Set the default for all repositories in an organization
  • Repository-level overrides: Override the organization default for specific repositories
  • Inheritance: Repositories inherit the organization default unless they set their own value

Scan Pipelines

Four independent toggles control what runs on each PR/MR:

Toggle             | What it controls                                       | Default
-------------------|--------------------------------------------------------|--------
Security scans     | Vulnerability detection and dependency (SCA) scanning  | ON
License scans      | License compliance and copyleft risk analysis          | ON
Code quality scans | Code quality analysis and quality score report         | ON
Concise mode       | Output verbosity — see Concise Mode                    | OFF

Each toggle is independent: disabling license scans does not affect security scans, and vice versa.

Security Scans

Controls both code-level security vulnerability scanning and dependency (SCA) scanning. When disabled:

  • No security vulnerability inline comments will be posted
  • Dependency vulnerability reports from CI audit logs are skipped
  • The security scan pipeline step is not executed

For details on what security scanning covers, see Security Scanning.

License Scans

Controls license compliance analysis of project dependencies. When disabled:

  • No license risk reports are posted
  • Copyleft and license compatibility checks are skipped
  • The license pipeline step is not executed

Code Quality Scans

Controls the code quality analysis pipeline that produces a quality score and quality findings report. When disabled:

  • No quality score report is posted
  • Code quality findings are skipped
  • The code quality pipeline step is not executed

Organization-Level Configuration

Organization-level settings define the default behavior for every repository in your organization.

Configuring Scan Toggles at the Organization Level

  1. Navigate to Settings in the Codity dashboard
  2. Scroll to the Scan configuration section
  3. Toggle each scan pipeline on or off:
    • Security scans
    • License scans
    • Code quality scans
    • Concise mode
  4. Changes save automatically

When a scan is enabled at the organization level:

  • All repositories in the organization run that scan by default
  • New repositories added to the organization will inherit the setting
  • Individual repositories can override this setting

When a scan is disabled at the organization level:

  • All repositories in the organization skip that scan by default
  • New repositories will also skip the scan
  • Individual repositories can override to re-enable it

Repository-Level Configuration

Repository-level settings let you override the organization default for specific repositories.

Configuring Scan Toggles at the Repository Level

  1. Navigate to Settings in the Codity dashboard
  2. Scroll to the Scan configuration section
  3. Expand Per-repository overrides
  4. Find the repository you want to configure (use the search box if needed)
  5. Click a cell in the scan toggle column to cycle through its states:
    • Inherit — follow the organization default (shown as a dash)
    • On — force this scan on for this repository
    • Off — force this scan off for this repository
  6. Changes save automatically

The header shows how many repositories have custom overrides, and a "Show customized only" filter is available to focus on repositories that differ from the organization default.

Tri-State Behavior

Each repository-level toggle has three states:

  • Inherit (default): The repository uses the organization-level setting. If the organization default changes, this repository follows.
  • On: The scan always runs for this repository, regardless of the organization setting.
  • Off: The scan is always skipped for this repository, regardless of the organization setting.

Setting a repository override back to Inherit clears it and re-inherits the organization value.

Settings Precedence

Codity resolves each scan toggle through a simple hierarchy on every PR/MR:

  1. Repository override — used if set to On or Off
  2. Organization default — used if the repository is set to Inherit
  3. System default — used only if no setting exists (Security, License, Code Quality: ON; Concise mode: OFF)

Precedence Examples

Organization setting | Repository override | Actual behavior
---------------------|---------------------|------------------------------------
Security: ON         | Inherit             | Security scan runs
Security: OFF        | Inherit             | Security scan is skipped
Security: OFF        | On                  | Security scan runs (override)
Security: ON         | Off                 | Security scan is skipped (override)

Interaction with Auto-Review Controls

Scan toggles determine whether scan pipelines run when Codity reviews a PR. They do not control whether a PR is reviewed at all. To disable review for specific PRs or repositories, see Auto Review Configuration.

If auto-review is disabled for a PR (for example, via the [codity:disabled] PR title tag or codity-disabled label), no scans run for that PR because the entire review pipeline is skipped.
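The precedence rules (repository override, then organization default, then system default) and the auto-review gate described above can be checked against a small model. The following Python is an added illustration written for this page, not Codity's own implementation; the names `Override`, `OrgSettings`, `RepoSettings`, `resolve_toggle`, `review_enabled` and `pipelines_for_pr` are assumptions, as is the exact-match handling of the `[codity:disabled]` title tag and `codity-disabled` label.

```python
"""Model of the scan-toggle hierarchy described on this page.

Illustrative code only; type and function names are assumptions and do not
reflect Codity's internal implementation.
"""
from dataclasses import dataclass, field
from enum import Enum

# System defaults from "Settings Precedence": the three scans are ON,
# concise mode is OFF. Used only when neither org nor repo has a setting.
SYSTEM_DEFAULTS = {
    "security": True,
    "license": True,
    "code_quality": True,
    "concise": False,
}

SCAN_PIPELINES = ("security", "license", "code_quality")


class Override(Enum):
    """The tri-state value of a repository-level toggle."""
    INHERIT = "inherit"  # shown as a dash in the dashboard
    ON = "on"
    OFF = "off"


@dataclass
class OrgSettings:
    # A toggle absent from this dict models "no setting exists", so the
    # system default applies for it.
    values: dict = field(default_factory=dict)


@dataclass
class RepoSettings:
    # scan name -> Override; a missing entry is treated as Inherit.
    overrides: dict = field(default_factory=dict)


def resolve_toggle(scan, org, repo):
    """Resolve one toggle with the page's three-step precedence."""
    if scan not in SYSTEM_DEFAULTS:
        raise ValueError(f"unknown scan toggle: {scan}")
    override = repo.overrides.get(scan, Override.INHERIT)
    if override is Override.ON:          # 1. repository override wins
        return True
    if override is Override.OFF:
        return False
    if scan in org.values:               # 2. organization default
        return bool(org.values[scan])
    return SYSTEM_DEFAULTS[scan]         # 3. system default


def review_enabled(pr_title, labels=()):
    """Auto-review gate: the disabled title tag or label skips the whole review.

    Exact-match comparison is an assumption of this example.
    """
    return "[codity:disabled]" not in pr_title and "codity-disabled" not in set(labels)


def pipelines_for_pr(org, repo, pr_title, labels=()):
    """Return the set of scan pipelines that execute for a PR/MR.

    Scan toggles only decide what runs once the PR is reviewed at all;
    when review is disabled, nothing runs regardless of the toggles.
    """
    if not review_enabled(pr_title, labels):
        return set()
    return {s for s in SCAN_PIPELINES if resolve_toggle(s, org, repo)}


if __name__ == "__main__":
    # Constructed sample: org disables license scans, one repo forces them on.
    org = OrgSettings({"license": False})
    repo = RepoSettings({"license": Override.ON})
    print(sorted(pipelines_for_pr(org, repo, "Add input validation")))
    print(sorted(pipelines_for_pr(org, RepoSettings(), "Add input validation")))
    print(pipelines_for_pr(org, repo, "[codity:disabled] WIP refactor"))
```

Running the block prints the pipelines for the overriding repository (all three), for a repository that inherits (security and code quality only), and an empty set for the PR carrying the disabled tag.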