---
url: /en/security/intro.md
description: >
  Overview of CNB code security scanning configuration, including core concepts,
  core capabilities, usage recommendations, and configuration file location.
---
CNB Code Security Scanning checks repositories for secrets and open source component risks. No extra configuration
is required by default. If you need to adjust the scan scope, split configuration, or handle findings with rules,
add `.cnb/security/code_scan_config.yml` to the repository.

## Core concepts

| Concept | Description |
|---|---|
| `code_scan_config.yml` | Optional configuration file for code security scanning. It declares scan scope, capability configuration, and include subfiles. |
| `.scanignore` | Optional gitignore-style ignore file used to exclude paths that do not need to be scanned. |
| Security capability | The currently public capabilities are `secrets` and `software-composition-analysis`. Undeclared capabilities use platform defaults. |

## Core capabilities

| Capability | Description |
|---|---|
| Specify scan scope | Use `.scanignore` or `paths` to exclude paths that do not need to be scanned. Use `!` rules to include specific paths again. |
| Disable a capability | Point the capability's `ignoreFrom` to a file whose content is `**` to skip scanning for that capability. |
| Split configuration | Use `include` to split configuration into multiple subfiles and maintain them by module. |
| Ignore findings with rules (Beta) | Ignore matching scan results by rule, based on conditions such as path and severity. |

## Usage recommendations

* The platform hides differences between scan engines' ignore syntaxes and uses gitignore-style path rules uniformly.
* If `code_scan_config.yml` is not provided, the platform uses the built-in default configuration and scanning
  continues.
* Before submitting changes, use the `validate` plugin to check for incorrect include paths, field structures,
  or ignore files.

For usage, see
[Configuration file · Self-check with the validate plugin](./config-file.md#self-check-with-the-validate-plugin).

## File location

`code_scan_config.yml` is placed in the repository's `.cnb/security/` directory by default:

```text
<repo-root>/
├── .cnb/
│   └── security/
│       └── code_scan_config.yml
└── .scanignore       # optional, gitignore syntax
```

## Next steps

* [Quick start](./quickstart.md) — enable code security scanning
* [Configuration file](./config-file.md) — learn about include, merge rules, and validation
* [Syntax reference](./syntax-reference.md) — see the complete field-level reference
