Prerequisites
Prerequisites
To run a scan:
- Your organization must have access to the repository you want to scan.
- You need to be authorized to use Devin sessions.
- You need the Use code scans permission.
- To configure an Auto Scan schedule, you also need Manage code scans and permission to manage automations.
Run your first scan
- Open Security in the left sidebar and click Start scan.
- Under Single repo, choose a repository to scan.
- Make sure Interactive mode is enabled.
- Click Run Scan.
- When the proposed threat model is ready, review it and either click Looks good, start scanning or provide feedback.
- As findings appear, review the evidence and act on the findings that need attention.
Review and act on findings
Open a scan to see its findings. The page displays a list of findings on the left, grouped by severity, and the selected finding’s details on the right. The status tabs show a live count:- Open — needs attention.
- Reviewed — has been reviewed and no longer requires action.
- Dismissed — was determined as a false positive or duplicate.
What’s in a finding
A finding includes:- Severity, status, exploitability, confidence, and category.
- The affected file path and code snippets.
- A description of the issue and a remediation recommendation.
- A runtime validation result, supporting evidence, and validation artifacts.
- Associated pull requests and their open, merged, or closed state.
- Code owners and notes, when available.
Act on a finding
- Assign to Devin
- Feedback
- Adjust
Starts a Devin session to remediate the issue and open a pull request. The session and resulting pull request are tracked on the finding.
Scan profiles
A scan profile controls the scan’s scope and provides guidance for each stage of the scan. Every scan can use one profile. To evaluate a repository against multiple attacker personas or threat categories, run separate scans with different profiles. Manage profiles from the Profiles tab on the Security page.Create a profile
You can create a profile in two ways:- Generate with Devin — describe the application, threats, scope, exclusions, and severity standards in natural language. Devin drafts the profile for you.
- Create manually — fill in each profile input yourself.
Basic information
- Profile name — name the application surface or threat category, rather than the team running the scan. Example:
Multi-tenant API authorization. - Description — summarize the profile’s scope and security objective. Example:
Find authentication, authorization, and tenant-isolation vulnerabilities in the public API.
Threat model
Describe the attacker, sensitive assets, trust boundaries, important entry points, and anything explicitly out of scope. This guidance shapes the rules Devin generates before investigation begins.Investigation guidance
Define how Devin should investigate a potential issue and what evidence it should collect. Ask it to account for existing mitigations and to distinguish reachable vulnerabilities from theoretical concerns.Triage guidance
Define how Devin should deduplicate and prioritize findings. Include your severity criteria so results match your organization’s standards.Runtime validation
Enable runtime validation when Devin can safely build and exercise the application. Explain how to start the application, create test data, authenticate, and demonstrate the expected security boundary.Report
Enable reports when you need a summary artifact after the scan. Specify the intended audience and the information the report should emphasize.Remediation guidance
Specify constraints that Devin should follow when you assign a finding for remediation. Include testing expectations, compatibility requirements, and practices to avoid.Advanced inputs
Open Advanced to control file scope and investigation batches:- Include globs — restrict the scan to matching files. For example,
apps/api/**andpackages/auth/**. - Exclude globs — remove irrelevant files from the selected scope. For example,
**/generated/**,**/vendor/**, and**/fixtures/**. - Batch size — control how many files with signals are grouped into each investigation batch. Leave this at its default unless you are deliberately tuning scan behavior. The accepted range is 1–500; the default is 5.
Organization and enterprise profiles
New profiles are organization-scoped. Enterprise admins can later change a profile’s visibility to Enterprise, making it available across the enterprise. Enterprise profiles can only be edited or archived by enterprise admins. Other users with access to Security can view and use them but cannot modify them.Interactive mode
With Interactive mode enabled, Devin builds a proposed threat model and pauses before investigation. The scan page displays the proposed rules and lets you:- Looks good, start scanning — accept the threat model and begin investigation.
- Provide feedback on the threat model — describe what to add, remove, or emphasize, then review the revised model.
Configure runtime validation
Runtime validation runs only when the selected profile has runtime validation enabled and contains validation guidance. Give Devin enough information to build, run, seed, and authenticate the application in its sandbox. If the repository has declarative configuration, Devin can reuse its build and installation setup. Otherwise, add the required setup commands to the profile’s validation guidance.Scale scanning
Scan multiple repositories
Use the All repos tab in the New Scan dialog to queue scans across an organization:- Optionally enter a Repository name filter.
- Optionally select a scan profile.
- Keep Skip already-scanned repos enabled to exclude repositories already scanned with the selected profile.
- Click Preview.
- Review the matching repositories, deselect any you do not want to scan, and confirm.
Auto Scan
Auto Scan periodically scans commits added since the last completed scan. You can configure it:- While starting a single-repository scan by selecting a daily, weekly, monthly, or custom schedule.
- From an existing scan by adding, editing, disabling, or immediately running its schedule.
Scan new commits
Click Scan new commits on a completed scan to investigate commits added since its last scanned commit. Auto Scan uses the same incremental behavior, making subsequent scans less expensive than repeatedly scanning the full repository scope.Manage and monitor scans
Depending on the scan and its profile, the scan header can include:- Reports — download reports generated for the scan.
- Usage — view ACUs consumed, session count, scan duration, and pull request statistics.
- Session — open the main Devin session that performed the scan.
- Export as CSV — export the scan’s findings.
- Archive or Unarchive — hide the scan from or restore it to the default list.
- Scan new commits — start an incremental scan.
Security dashboard
After the organization completes its first scan, the Security page displays an organization-wide dashboard for the last 7, 30, or 90 days:- Pull request statistics — created, merged, open, and closed pull requests, plus merge rate.
- Findings over time — findings grouped by severity across the selected period.
Access and permissions
Security access is controlled through code scan permissions in the role editor:| Permission | What it unlocks | Default roles |
|---|---|---|
| View code scans | View scans, profiles, findings, and associated scan sessions. | Admin |
| Use code scans | Start scans, create organization profiles, submit finding feedback, adjust findings, change finding statuses, and assign findings to Devin. | Admin |
| Manage code scans | Archive or unarchive scans and configure Auto Scan schedules. | Admin |
| Manage account code scans | Promote organization profiles to enterprise scope and edit or archive enterprise profiles. | Enterprise admin |
Compare Security Swarm with another scanner
For a useful comparison, give both scanners the same scope, threat model, severity criteria, and validation expectations. Differences in configuration can otherwise obscure differences in underlying capability. Use profiles to encode the comparison criteria, interactive mode to confirm the generated threat model, and runtime validation to apply the same standard of evidence to reported findings.FAQ
How does Security Swarm reduce false positives?
How does Security Swarm reduce false positives?
Security Swarm investigates potential vulnerabilities in the context of your repository rather than reporting risky patterns in isolation. Devin traces relevant data flows, checks for validation and authorization controls, and evaluates whether the issue has a concrete security impact.Each finding includes a confidence level and supporting evidence. Review that evidence before acting, especially when a finding has not been validated at runtime.
What evidence should I review in a finding?
What evidence should I review in a finding?
Check the affected code, entry point, data flow, existing mitigations, stated impact, confidence, and exploitability. When runtime validation is enabled, also review the validation result and its supporting artifacts.If the evidence overlooks a control or claims an unsupported impact, use Feedback to provide the missing context for future scans.
What does runtime validation add?
What does runtime validation add?
Runtime validation attempts to reproduce a finding by building and exercising the application in an isolated environment. A successful validation provides stronger evidence of exploitability, while an unsuccessful validation can identify assumptions or environment limitations that require further review.Runtime validation is optional and requires enough validation guidance for Devin to build, run, seed, and authenticate the application safely.
How does Security Swarm find vulnerabilities that span multiple files?
How does Security Swarm find vulnerabilities that span multiple files?
Security Swarm analyzes parts of the repository in parallel and combines the results into a repository-wide view. This allows it to identify relationships between components, such as one endpoint exposing an identifier required to exploit another endpoint.Any resulting chained finding should still identify the relevant code paths and explain how the individual conditions combine into a concrete impact.
Why might results vary between scans?
Why might results vary between scans?
Security Swarm uses agentic analysis, so separate scans may not produce identical findings or wording. A focused scope, explicit threat model, clear severity criteria, and specific investigation guidance help keep coverage consistent.Capture those requirements in a reusable scan profile, use interactive mode to review the proposed threat model, and provide feedback when a result misses important context.
Does a completed scan mean the repository has no other vulnerabilities?
Does a completed scan mean the repository has no other vulnerabilities?
No security scanner can guarantee complete coverage. Results depend on the selected scope, profile guidance, available repository context, and whether findings can be validated in the configured environment.Run separate scans for distinct attacker models or threat categories, keep profiles current as the application changes, and use Security Swarm alongside your existing security review and testing practices.

