# PR Scanning Issues
This guide covers common problems with pull request scanning — from missing check runs to incorrect results.
## No check run on PR
Symptom: A pull request was opened but no Mayo ASPM check run appears.
Diagnostic steps:
| Step | Check | Fix |
|---|---|---|
| 1 | Is PR scanning enabled? | Settings > Integrations > GitHub > PR Scanning — toggle on |
| 2 | Does the GitHub App have Checks permission? | Verify in GitHub App settings: Checks: Write |
| 3 | Is the repository included in the GitHub App? | Settings > Integrations > GitHub — check repo list |
| 4 | Did the webhook arrive? | Check Settings > Integrations > GitHub > Webhook Events for the PR event |
| 5 | Is the PR targeting an included branch? | PR scanning only runs on PRs targeting configured branches (default: all) |
**Webhook delivery**
If the webhook didn't arrive, check GitHub's webhook delivery log: GitHub > Organization Settings > Installed GitHub Apps > Mayo ASPM > Advanced > Recent Deliveries.
## Check run shows "Queued" indefinitely
Symptom: The check run appears but stays in "Queued" status.
Possible causes:
| Cause | Solution |
|---|---|
| Concurrent scan limit reached | Wait for running scans to finish |
| Full-org scan running | PR scans may queue behind org scans. PR scans are prioritized after the current batch. |
| Platform issue | Check status.mayoaspm.com |
## No PR comment posted
Symptom: Check run completes but no comment appears on the PR.
Possible causes:
| Cause | Solution |
|---|---|
| Comments disabled | Enable comments in Settings > Integrations > GitHub > PR Scanning > Comment Style |
| No findings to report | If the scan found 0 new findings, no comment is posted by default |
| GitHub App lacks Issues:Write permission | Verify permissions in GitHub App settings |
| PR scan policy didn't produce a message | Check your PR scan policy includes a message output |
## Wrong findings on PR
Symptom: PR scan reports findings that aren't related to the PR's changes.
Possible causes:
| Cause | Solution |
|---|---|
| Base branch has diverged | The PR diff comparison may include changes from the base branch. Rebase the PR. |
| First scan of the repository | The first PR scan has no baseline to compare against, so all findings appear as "new". Run a full scan of the base branch first. |
| Scanner reports file-level findings | Some SAST rules trigger on the entire file, not just changed lines. This is expected scanner behavior. |
**Establish a baseline**
Before enabling PR scanning, run a full scan of your default branch. This creates the baseline that PR scans compare against.
## PR scan takes too long
Symptom: PR scan takes more than 5 minutes.
Solutions:
- Reduce scanner count — use only Gitleaks + Grype for fast PR feedback.
- Check repository size — large monorepos take longer.
- Review Semgrep rules — if using Semgrep, ensure you're not running unnecessary rule sets.
| Scanner | Expected PR scan time |
|---|---|
| Gitleaks | 5-15 seconds |
| Grype | 10-30 seconds |
| Semgrep | 30 seconds - 3 minutes |
| Trivy | 15-60 seconds |
## Check run shows wrong status
Symptom: Check run shows "pass" when it should fail (or vice versa).
Diagnostic steps:
- Navigate to Scans and find the PR scan.
- Click the scan to see findings.
- Review the PR scan policy:
  - Does the policy's `result` output match expectations?
  - Is the policy scoped to the correct project?
  - Is the policy active?
- Test the policy in the Playground with the scan's actual input data.
## Inline annotations not appearing
Symptom: Summary comment is posted but no inline annotations on code.
Possible causes:
| Cause | Solution |
|---|---|
| Inline annotations not enabled | Enable in Settings > Integrations > GitHub > PR Scanning > Comment Style |
| Policy doesn't define `findings_to_annotate` | Add a `findings_to_annotate` output to your PR scan policy |
| Findings are in files not changed by the PR | Inline annotations can only appear on lines in the PR diff |
| GitHub API rate limiting | Check for GitHub API errors in scan logs |
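Two of the causes above ("first scan has no baseline, so everything is new" and "inline annotations can only appear on lines in the PR diff") come down to two set operations. The following added example, written for this guide and not Mayo ASPM's own code, models them: a baseline-vs-PR comparison that marks findings as new, and a unified-diff parser that keeps only findings on changed lines. The `Finding` type, the rule names and the diff are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: Optional[int]  # None = file-level finding (the rule fired on the whole file)

def changed_lines(unified_diff: str) -> dict[str, set[int]]:
    """Map each file in a unified diff to the new-side line numbers the PR added or changed."""
    changed: dict[str, set[int]] = {}
    path, new_line = None, 0
    for raw in unified_diff.splitlines():
        if raw.startswith("+++ "):            # new-side file header (checked before "+" lines)
            path = raw[4:].removeprefix("b/")
            changed.setdefault(path, set())
        elif raw.startswith("@@"):            # hunk header carries the new-side start line
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif path is not None and raw.startswith("+"):
            changed[path].add(new_line)
            new_line += 1
        elif path is not None and raw.startswith(" "):
            new_line += 1                     # context line; removed ("-") lines do not advance
    return changed

def new_findings(baseline: set[Finding], pr_scan: set[Finding]) -> set[Finding]:
    """Only findings absent from the base-branch baseline are 'new'; with no baseline, all are."""
    return pr_scan - baseline

def annotatable(findings: set[Finding], unified_diff: str) -> set[Finding]:
    """Inline annotations need a line inside the PR diff; the rest only fit the summary comment."""
    changed = changed_lines(unified_diff)
    return {f for f in findings if f.line is not None and f.line in changed.get(f.path, set())}

# Constructed sample input: a single-hunk PR diff plus baseline and PR scan results.
PR_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,2 +10,3 @@
 def query(user):
-    return db.execute("SELECT * FROM t WHERE u=%s", (user,))
+    sql = "SELECT * FROM t WHERE u='" + user + "'"
+    return db.execute(sql)
"""
BASELINE = {Finding("hardcoded-secret", "config/settings.py", 3), Finding("weak-hash", "app/db.py", 40)}
PR_SCAN = BASELINE | {Finding("sqli", "app/db.py", 11),              # introduced on a changed line
                      Finding("insecure-module", "app/db.py", None)}  # whole-file rule on a touched file
```

With `BASELINE` emptied, `new_findings` returns all four findings, which is exactly the "first scan of the repository" symptom; the file-level finding is never annotatable and lands in the summary comment only.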
## PR scan doesn't trigger on updates
Symptom: Scan runs on PR open but not when new commits are pushed.
Check: Verify the GitHub App webhook is configured for the `pull_request.synchronize` event. This should be automatic but can be disrupted if the webhook was manually modified.
## Next steps
- GitHub integration — setup and permissions
- PR scan policies — policy reference
- Scanning issues — general scan problems