How a Scan Works
Understand the phases FinishKit goes through when analysing your codebase.
When you start a scan, FinishKit runs your code through a series of phases on secure remote infrastructure (not your machine).
Phases
| Phase | What happens |
|---|---|
| clone | Your repo is cloned from GitHub using the FinishKit GitHub App |
| detect | Tech stack, frameworks, and languages are identified |
| analyze | Multi-pass LLM analysis across your codebase generates findings |
| patch | Optional: FinishKit generates diff-based patches for fixable issues |
| verify | Patches are tested where possible |
| finalize | Findings are ranked, your Finish Plan is assembled |
What FinishKit reads
FinishKit reads your source code, configuration files, and dependency manifests. It does not:
- Execute your code
- Store your source files in our database (only metadata, findings, and patch diffs are persisted; note that diffs and file/line references necessarily contain fragments of your code)
- Access your environment variables or secrets at runtime (a .env file that is committed to the repo, however, is part of the source and is read like any other file)
Never commit .env files or secrets to your repo. FinishKit flags committed secrets as a critical security finding, but the flag is not the remediation: a secret that has ever been committed remains in git history even after the file is deleted, so rotate it rather than only removing it from the working tree.
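The check a practitioner would wire into a local pre-commit hook to enforce that rule, as an added example (this is not FinishKit's own detector, whose rules the page does not describe). It refuses staged .env files other than value-free templates, matches a few vendor-documented token formats, and uses Shannon entropy so the generic `key = value` rule ignores placeholders; the file names, thresholds and patterns are assumptions.

```python
"""Pre-commit secret check (illustrative; not FinishKit code).
Exits non-zero if a staged file is a .env file or contains a line that
matches a high-confidence secret pattern."""
import math
import re
import sys
from collections import Counter
from pathlib import PurePosixPath

# Env templates hold variable names but no values, so they are allowed (assumed list).
TEMPLATE_ENV_NAMES = {".env.example", ".env.sample", ".env.template"}

# Vendor-documented token prefixes plus a generic "key = value" catch-all (assumed set).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:secret|password|api[_-]?key|token)\b\s*[:=]\s*['"]?([A-Za-z0-9/+_\-]{20,})"""
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character; a placeholder such as 'xxxxxxxx' scores 0."""
    n = len(value)
    counts = Counter(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_env_file(path: str) -> bool:
    name = PurePosixPath(path).name
    return (name == ".env" or name.startswith(".env.")) and name not in TEMPLATE_ENV_NAMES


def scan_text(path: str, text: str, entropy_threshold: float = 3.0) -> list[dict]:
    """Return findings for one file's content; line 0 means the whole file."""
    findings = []
    if is_env_file(path):
        findings.append({"file": path, "line": 0, "rule": "env_file_committed"})
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            # The generic rule is noisy, so drop low-entropy values
            # (placeholders, repeated characters) before reporting.
            if rule == "generic_assignment" and shannon_entropy(match.group(1)) < entropy_threshold:
                continue
            findings.append({"file": path, "line": lineno, "rule": rule})
    return findings


def scan_files(paths: list[str]) -> list[dict]:
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # deleted or unreadable path in the staged set; nothing to scan
    return findings


if __name__ == "__main__":
    # Typical hook wiring (assumed):
    #   git diff --cached --name-only --diff-filter=ACM | xargs python check_secrets.py
    hits = scan_files(sys.argv[1:])
    for hit in hits:
        print(f"{hit['file']}:{hit['line']}: {hit['rule']}")
    sys.exit(1 if hits else 0)
```

The entropy gate only applies to the generic rule: the vendor-prefixed formats are specific enough that a match is worth a hard stop even on a test fixture, and a false positive there is cheap to override by editing the line.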
LLM analysis
FinishKit uses GPT-5.1 for deep analysis passes and GPT-5-mini for lighter classification tasks. The analysis is budget-capped per scan to control cost and time.
Each finding includes:
- Category (blockers, security, deploy, stability, tests, ui)
- Severity (critical, high, medium, low)
- File and line reference where applicable
- Explanation of what the issue is and why it matters
- Suggested fix: actionable steps you can take
Re-scanning
After you fix an issue, you can re-run a scan to verify the fix. FinishKit tracks findings across runs so you can see what's been resolved.
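How findings with the fields listed above can be matched across two runs, as an added example of the re-scan workflow (the page does not describe FinishKit's own matching or ranking logic, so the fingerprint, the severity/category ordering and the sample runs are assumptions). The point it shows is that a finding's identity must not include its line number, otherwise an unrelated edit that shifts code makes an unresolved issue look resolved and a fresh one appear.

```python
"""Reconciling findings between scan runs (illustrative; not FinishKit code)."""
import hashlib
import re

# Assumed orderings using the categories and severities listed on the page.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
CATEGORY_ORDER = {"blockers": 0, "security": 1, "deploy": 2, "stability": 3, "tests": 4, "ui": 5}


def normalize(text: str) -> str:
    """Lowercase, collapse whitespace and mask numbers, so wording such as
    'line 42' or '3 callers' does not change a finding's identity."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "#", text.lower())).strip()


def fingerprint(finding: dict) -> str:
    """Identity that survives line drift. Line number and severity are
    deliberately excluded: a fix elsewhere in the file moves the line, and a
    re-rated finding should stay matched rather than show up as new."""
    key = "|".join([finding["category"], finding["file"], normalize(finding["title"])])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def reconcile(previous: list[dict], current: list[dict]) -> dict:
    """Split findings into resolved (only in previous), new (only in current)
    and persisting (in both, reported with the current run's location)."""
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    return {
        "resolved": [prev[k] for k in sorted(prev.keys() - curr.keys())],
        "new": [curr[k] for k in sorted(curr.keys() - prev.keys())],
        "persisting": [curr[k] for k in sorted(prev.keys() & curr.keys())],
    }


def rank(findings: list[dict]) -> list[dict]:
    """Assumed plan ordering: severity first, then category, then file."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_ORDER[f["severity"]], CATEGORY_ORDER[f["category"]], f["file"]),
    )


def summary(previous: list[dict], current: list[dict]) -> dict:
    return {bucket: len(items) for bucket, items in reconcile(previous, current).items()}


# Constructed sample runs.
RUN_1 = [
    {"category": "security", "severity": "critical", "file": ".env", "line": 0,
     "title": "Secret committed: STRIPE_SECRET_KEY in .env"},
    {"category": "security", "severity": "high", "file": "app/db.py", "line": 40,
     "title": "SQL built with string formatting in get_user"},
    {"category": "tests", "severity": "medium", "file": "app/db.py", "line": 12,
     "title": "No tests cover get_user"},
]
RUN_2 = [
    # .env was removed; the SQL finding moved 8 lines down after an unrelated edit.
    {"category": "security", "severity": "high", "file": "app/db.py", "line": 48,
     "title": "SQL built with string formatting in get_user"},
    {"category": "tests", "severity": "medium", "file": "app/db.py", "line": 12,
     "title": "No tests cover get_user"},
    {"category": "deploy", "severity": "critical", "file": "Dockerfile", "line": 3,
     "title": "Container runs as root"},
]


if __name__ == "__main__":
    for bucket, items in reconcile(RUN_1, RUN_2).items():
        print(bucket, [f"{f['file']}:{f['line']}" for f in items])
    print("plan order:", [f["file"] for f in rank(RUN_2)])
```

Masking digits in the title is a blunt instrument: two genuinely different findings whose titles differ only by a number (say, two hard-coded ports) collapse into one fingerprint. If that matters in your data, fold a stable rule identifier or a normalized code snippet into the key instead.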