Getting Started

Learn how to run your first vulnerability scan and process fixes with RSOLV.

What You'll Learn

  • Running your first security scan
  • Understanding and reviewing scan results
  • Processing vulnerabilities through the full pipeline
  • Reviewing and merging fix pull requests

Time required: 15-20 minutes | Prerequisites: RSOLV installed (see Installation Guide)

1. Run Your First Scan

The scan phase detects potential vulnerabilities in your codebase using pattern matching and AST validation.

Trigger the Scan

If you used a workflow with a push or pull_request trigger, the scan runs automatically. Otherwise, trigger it manually:

  1. Go to your repository's Actions tab
  2. Click on your RSOLV workflow (e.g., "RSOLV Security Scan")
  3. Click the Run workflow button
  4. Select the branch to scan
  5. Click Run workflow

Monitor Progress

Watch the workflow run in real-time:

  • Setup - Checks out code and initializes RSOLV
  • Scan - Analyzes files for vulnerability patterns
  • Validate - AST validation filters false positives
  • Report - Creates GitHub issues for detected vulnerabilities

Scan complete: 247 files analyzed
Vulnerabilities detected: 5
GitHub issues created: 5

2. Review Scan Results

Understanding GitHub Issues

RSOLV creates a GitHub issue for each detected vulnerability. Navigate to your repository's Issues tab to see them.

Issue Structure

Title: [SECURITY] SQL Injection in user.js:45
Labels: security, rsolv
Description includes:
  • Vulnerability type and severity
  • Exact file location and line number
  • Code snippet showing the issue
  • Explanation of the security risk
  • RSOLV phase tracking metadata

Prioritizing Issues

Review issues and prioritize based on:

  • Severity - Critical issues (SQL injection, XSS) should be fixed first
  • Exposure - Public-facing code vs internal utilities
  • Impact - Potential damage if exploited
  • Ease of fix - Quick wins vs complex refactoring

3. Generate Validation Tests

The validate phase generates RED/GREEN/REFACTOR tests that prove the vulnerability exists before fixing it. This ensures fixes are effective and don't break existing functionality.

Trigger Validation

If you use separate workflow jobs, the validate phase runs automatically after the scan phase completes. For manual workflows:

  1. Go to Actions tab
  2. Click your workflow
  3. Click Run workflow
  4. The validate job will process issues marked for validation

What Happens During Validate

  • RED test - Creates a test that fails due to the vulnerability
  • Test commit - Commits the failing test to a new branch
  • Issue update - Updates GitHub issue with test details and branch link
  • Phase metadata - Stores validation data for the mitigate phase

Best Practice: Use the max_issues: '3' parameter to process a few issues at a time. This prevents overwhelming your workflow with many parallel processes.

4. Apply Security Fixes

The mitigate phase generates and applies fixes that make the RED test pass (GREEN), then refactors for code quality.

Trigger Mitigation

The mitigate job runs automatically after validate completes in a full pipeline workflow.

Fix Process

  1. Analyze vulnerability - Reviews issue, code, and test
  2. Generate fix - Creates secure code using AI assistance
  3. Apply fix (GREEN) - Updates code to pass the test
  4. Refactor - Improves code quality while maintaining security
  5. Create PR - Opens pull request with complete fix

Pull Request Contents

  • Failing test (RED commit)
  • Security fix making test pass (GREEN commit)
  • Code quality improvements (REFACTOR commit)
  • Description of vulnerability and fix approach
  • Link to original GitHub issue

5. Review and Merge Fix

Review Checklist

Before merging, verify:

  • Tests pass - All checks are green, including the new security test
  • Fix is correct - The vulnerability is actually resolved
  • No regressions - Existing functionality still works
  • Code quality - Changes follow your project's standards
  • Security best practices - Fix uses secure patterns (parameterized queries, input validation, etc.)

Merge the Fix

  1. Review the PR diff and commit history
  2. Verify CI/CD checks pass
  3. Request additional review if needed
  4. Click Merge pull request
  5. The related GitHub issue will be automatically closed

Tip: You can customize the fix before merging by pushing additional commits to the PR branch. RSOLV won't overwrite your changes.

Understanding Your Usage Limits

Scan

Free on all plans — detection is always included

Validate

Counts against your monthly validation limit (5/mo Free, unlimited Pro/Team)

Mitigate

Fixes are included with every validated finding

The Free plan includes 5 validations per month. Upgrade to Pro ($59/mo) for 25 validations or Team ($249/mo) for 100 validations, fixes included. See pricing FAQ for details.