FAQ

Direct answers about SecOpsium.

This page collects the practical answers teams usually need before connecting a repository, reading a report, or comparing the SaaS workflow with the open-source CLI.

Product

Is SecOpsium safe to use with private repos?

Yes. SecOpsium scans repositories through authorized GitHub access, uses short-lived tokens, and does not retain your source code after scanning. It keeps only the findings and the metadata needed for remediation and reporting, such as file paths and short evidence snippets.

How is SecOpsium different from Snyk or GitHub Advanced Security?

SecOpsium is built for startups and SMEs that need fast security validation without a dedicated security team. It combines secrets, web exposure, configuration checks, severity grading, and a focused fix queue.

What is a security grade?

A security grade is an A-F summary of scan results weighted by severity and risk. It helps teams see whether their project is improving and what to fix first.

What does blast radius mean in security?

Blast radius shows what systems or workflows could be affected by a finding. SecOpsium maps supported service boundaries and avoids guessing when evidence is incomplete.

Can we use SecOpsium without a security team?

Yes. SecOpsium prioritizes findings, explains severity, and turns scan results into a fix queue that product and engineering teams can act on directly.

Features

What is secrets detection?

Secrets detection finds credentials and credential-like values, such as API keys, tokens, passwords, and private configuration values, inside repository content.

Does SecOpsium guarantee every secret will be found?

No. SecOpsium helps detect supported secret patterns and prioritize remediation, but teams should still use secure development practices, key rotation, code review, and provider-side controls.

What should a team do after finding a secret?

The safest response is to treat the credential as compromised: rotate or revoke it first, then remove it from the code, review where it was used, and prevent the same pattern from being committed again. Deleting the value from the current commit alone is not enough, because it remains in the repository history.

How does SecOpsium connect to GitHub?

SecOpsium connects through an authorized GitHub workflow so users can select repositories they are allowed to scan. It does not require sharing a personal access token with the product.

Can SecOpsium scan private GitHub repositories?

SecOpsium is designed to scan repositories the user has authorized, including private repositories where the connected GitHub access permits it.

Why mention the SecOpsium CLI on the GitHub scanner page?

The CLI gives technical users a transparent way to inspect and run local checks, while the SaaS focuses on hosted workflows, team visibility, recurring scans, reports, and prioritization.

What is repository security?

Repository security protects the source code, configuration, permissions, credentials, and release workflow around a software repository.

What repository risks can SecOpsium help with?

SecOpsium helps with supported risks such as hardcoded secrets, repository posture signals, and findings that can be translated into a fix queue and security grade.

Is repository security only for large companies?

No. Startups and SMEs also need repository security because a single exposed credential or risky setting can create real operational and customer risk.

What does the SecOpsium security grade mean?

The grade is an A-F summary of supported findings and severity. It helps teams understand posture quickly and decide what needs attention first.

Is a good grade proof that a system is secure?

No. A good grade means supported scans found fewer or lower risk issues. It is not proof that every security problem has been found.

Who is the fix queue for?

The fix queue is for founders, engineering leads, and developers who need an ordered list of practical remediation work.

What is included in a SecOpsium security report?

A SecOpsium report summarizes supported findings with severity, evidence context, remediation guidance, grade impact, and progress-oriented language.

Can a report replace a penetration test?

No. SecOpsium reports help explain supported repository and scanning findings, but they do not replace a full penetration test or formal security audit.

Who should read the reports?

Reports are written for engineers who need details and for founders, CTOs, or stakeholders who need clear risk context.

What is client-side exposure detection?

Client-side exposure detection looks for sensitive or risky values in frontend and web-facing contexts where users or automated tools may be able to see them.

Are all frontend API keys dangerous?

No. Some keys are designed to be public and restricted by origin or scope. The risk depends on what the key can access and whether it is properly constrained.

How should exposed client-side secrets be fixed?

Teams should rotate exposed credentials (removing a key from the bundle does not invalidate copies already downloaded), move sensitive operations server-side, restrict key permissions, and rescan to confirm the exposure is gone.

Docs and Trust

What happens during a SecOpsium scan?

SecOpsium checks an authorized repository or target for supported security signals, normalizes the results, and presents findings with severity and remediation guidance.

Does a scan prove that a repository is secure?

No. A scan shows what supported checks found at that time. It does not prove that every issue has been found or that the repository is completely secure.

Why keep scan history?

Scan history helps teams compare posture over time, confirm remediation, and avoid treating each security check as a one-off event.

Does SecOpsium ask for a GitHub personal access token?

SecOpsium is designed around an authorized GitHub workflow rather than asking users to paste a personal access token into the product.

Can users control which repositories are connected?

Yes. Repository visibility depends on the scope authorized through GitHub. Teams should grant access only to repositories they want SecOpsium to assess.

Can GitHub access be revoked?

Yes. Users can revoke or disconnect the GitHub authorization when they no longer want SecOpsium to access the selected repositories.

Does SecOpsium store source code after scanning?

SecOpsium is designed not to retain full repository source code as a product artifact after scanning. It stores findings and metadata needed for remediation and reporting.

Why does SecOpsium store file paths or snippets?

File paths and short evidence snippets help users locate and understand findings without requiring full source-code retention in the product.

Is scan metadata still sensitive?

Yes. Findings, paths, snippets, and project metadata can be sensitive and should be protected as security data.

What is severity scoring?

Severity scoring ranks findings by expected risk and urgency so teams can decide what to fix first.

How does severity affect the SecOpsium grade?

Higher-severity findings generally have more impact on the grade because they represent issues that need faster attention.
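A worked example of severity-weighted scoring, A-F grade bands, and the ordered fix queue that this FAQ refers to, added here and not SecOpsium's own algorithm: the weights, grade thresholds, the half-weighting of unconfirmed findings, and the sample findings are all assumptions for illustration. It shows why one critical finding moves the grade more than several lows, and reports the grade change that a single fix would produce.

```python
from dataclasses import dataclass

# Weights and grade bands are illustrative assumptions for this example;
# they are not SecOpsium's published scoring.
SEVERITY_WEIGHT = {"critical": 40, "high": 20, "medium": 8, "low": 2, "info": 0}
GRADE_BANDS = [("A", 5), ("B", 15), ("C", 30), ("D", 60)]  # exclusive upper bounds


@dataclass
class Issue:
    title: str
    severity: str
    confidence: str = "high"   # "high" or "needs-review" (context still to be confirmed)
    accepted: bool = False     # the team reviewed it and accepted the risk


def effective_weight(issue: Issue) -> int:
    """Severity sets the base weight; unconfirmed findings count for half,
    and risk the team has explicitly accepted counts for nothing."""
    if issue.accepted:
        return 0
    base = SEVERITY_WEIGHT[issue.severity]
    return base // 2 if issue.confidence == "needs-review" else base


def risk_score(issues: list[Issue]) -> int:
    return sum(effective_weight(i) for i in issues)


def grade(score: int) -> str:
    """Map a risk score onto the A-F bands; anything past the D band is an F."""
    for letter, upper in GRADE_BANDS:
        if score < upper:
            return letter
    return "F"


def fix_queue(issues: list[Issue]) -> list[str]:
    """Ordered remediation list: biggest contributor first, confirmed before unconfirmed."""
    open_issues = [i for i in issues if not i.accepted]
    open_issues.sort(key=lambda i: (-effective_weight(i), i.confidence != "high", i.title))
    return [i.title for i in open_issues]


def grade_impact(issues: list[Issue], fixed: Issue) -> tuple[str, str]:
    """Grade before and after one issue is remediated (i.e. removed from the set)."""
    before = grade(risk_score(issues))
    after = grade(risk_score([i for i in issues if i is not fixed]))
    return before, after


# Constructed sample findings for a single scan.
SAMPLE_ISSUES = [
    Issue("Live cloud access key committed in config/prod.env", "critical"),
    Issue("Service token shipped in the browser bundle", "high"),
    Issue("Possible password in a test fixture", "medium", confidence="needs-review"),
    Issue(".env files not listed in .gitignore", "low"),
    Issue("Verbose debug logging enabled in CI config", "low", accepted=True),
    Issue("README references an internal hostname", "info"),
]

if __name__ == "__main__":
    score = risk_score(SAMPLE_ISSUES)
    print(f"risk score {score}, grade {grade(score)}")
    for n, title in enumerate(fix_queue(SAMPLE_ISSUES), start=1):
        print(f"{n}. {title}")
    for issue in (SAMPLE_ISSUES[0], SAMPLE_ISSUES[3]):
        print(f"fixing '{issue.title}': {' -> '.join(grade_impact(SAMPLE_ISSUES, issue))}")
```

With these assumptions the sample scan scores 66 (an F); fixing the one critical finding alone drops the score to 26 (a C), while fixing the low finding leaves the grade at F. That asymmetry is the point of weighting by severity, and `grade_impact` is the kind of per-finding context a report can show next to each queue entry.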

Can severity be wrong?

Yes. Scoring is based on supported evidence and context. Teams should review findings and adjust their response based on what they know about their environment.

What is a SecOpsium report for?

A SecOpsium report helps teams communicate supported security findings, severity, remediation guidance, grade context, and progress.

Can a report be shared with customers?

It may be useful as supporting evidence, but teams should avoid presenting it as a full independent audit unless the system has actually been independently audited.

Why include limitations in reports?

Clear limitations make the report more trustworthy by explaining what was checked and what the report does not prove.

What is a detection rule?

A detection rule is a supported check that identifies a security signal, such as a secret-like value or repository posture issue.

Can detection rules produce false positives?

Yes. Some findings require human review because context determines whether the signal is truly risky.

Can detection rules miss real issues?

Yes. Detection coverage has limits, especially for unknown patterns, custom formats, and risks outside supported checks.
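Detection rules of the kind described here (the secrets detection question under Features, and the false-positive and coverage limits just above), as an added example that is not SecOpsium's code or rule set: a small Python scanner with two illustrative rules, a placeholder check that downgrades template values to needs-review, an entropy check for generic credential assignments, redacted evidence snippets instead of raw values, and a custom-format token that the default rules miss until a rule for it is supplied. The file contents, key values, rule names and patterns are all constructed for this example.

```python
import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    path: str
    line_no: int
    evidence: str     # redacted snippet; the raw value is never kept
    confidence: str   # "high" or "needs-review"


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking keys score high, words score low."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n)
                for c in (value.count(ch) for ch in set(value)))


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located, never the whole value."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


# Values that look like templates rather than live credentials.
PLACEHOLDER = re.compile(r"(?i)example|changeme|replace|placeholder|your[_-]")

# Rule table: (name, pattern with group 1 = candidate value, base confidence).
# These are illustrative assumptions, not SecOpsium's actual rule set.
DEFAULT_RULES = [
    ("aws_access_key_id",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), "high"),
    ("generic_credential_assignment",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{12,})"),
     "entropy"),
]

# Hypothetical internal token format that DEFAULT_RULES knows nothing about.
ACME_RULE = ("acme_internal_token", re.compile(r"\b(acm_live_[0-9a-f]{16})\b"), "high")


def classify(base: str, value: str) -> str:
    """Turn a regex hit into a confidence level using the value itself as context."""
    if PLACEHOLDER.search(value):
        return "needs-review"              # probably a template; a human decides
    if base == "entropy":
        return "high" if shannon_entropy(value) >= 3.5 else "needs-review"
    return base


def scan(files: dict[str, str], rules=DEFAULT_RULES) -> list[Finding]:
    """Run every rule over every line; findings carry only redacted evidence."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for name, pattern, base in rules:
                for match in pattern.finditer(line):
                    value = match.group(1)
                    findings.append(Finding(name, path, line_no,
                                            redact(value), classify(base, value)))
    return findings


# Constructed repository content; every value below is fabricated.
SAMPLE_FILES = {
    "config/prod.env": (
        "AWS_ACCESS_KEY_ID=AKIAQ7XJ2M4N8P0R5T1Z\n"      # matches the AWS rule
        "DB_PASSWORD=s8Kf2mQ9xV4pL7nR\n"                # high-entropy assignment
    ),
    "src/settings.py": (
        'API_KEY = "replace-me-with-real-key"  # template value\n'
    ),
    "src/auth.py": (
        'internal_auth = "acm_live_9f8e7d6c5b4a3b2c"  # custom format\n'
    ),
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.confidence:12} {f.rule:30} {f.path}:{f.line_no} {f.evidence}")
    print("--- with the custom rule added ---")
    for f in scan(SAMPLE_FILES, DEFAULT_RULES + [ACME_RULE]):
        if f.rule == "acme_internal_token":
            print(f"{f.confidence:12} {f.rule:30} {f.path}:{f.line_no} {f.evidence}")
```

The default rules report the fabricated AWS key and the high-entropy database password as high confidence, mark the `replace-me` template as needs-review, and say nothing about `src/auth.py` until `ACME_RULE` is added, which is the coverage gap for custom formats in practice. The same `scan` function can be run over staged files from a pre-commit hook so that a pattern is blocked before it reaches the repository history.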

Is the SecOpsium CLI open source?

Yes. The CLI is available at github.com/secopsium/secopsium-cli so technical users can inspect and run local checks.

Does the CLI replace the SaaS?

No. The CLI is useful for local checks and transparency. The SaaS adds hosted scans, dashboards, reports, scan history, prioritization, and team workflows.

Why publish a CLI if SecOpsium is a SaaS?

A CLI helps build trust and gives technical teams a practical local option, while the SaaS handles collaboration, reporting, and ongoing security operations.