Read-only indexing

Use read-only indexing to inspect repository_index_status, indexed_paths, ignored_paths and default_branch before mapping findings or generating review-only patches.

Developers and repository admins

Feature availability

Product, package, provider and deployment boundaries for this page.

Available from: Current documentation
Providers: github, github-enterprise
Deployment modes: cloud, self-hosted

Before indexing code

Use this page after the repository connection is ready and before WebRiskOps maps report findings to source files. Read-only indexing is a source discovery step; it must not change files, branches, pull requests, repository settings or secrets. Do not paste source files, tokens, private snippets or raw secrets into documentation, prompts, tickets or report copy. The product should store safe repository metadata and candidate path references only.

Run read-only indexing

Follow the path `Connected repository → Read-only indexing → Indexed paths → Code mapping → Review-only patch decision`.

  1. Open /projects/{project}/repository-provider/github/read-only-scan after the repository connection is ready. Result: repository_index_status and default_branch are visible before code is searched.
  2. Start read-only indexing from the connected repository state. Result: WebRiskOps reads repository metadata and files without creating branches, commits, pull requests or settings changes.
  3. Wait for repository_index_status to finish before mapping findings. Result: indexed_paths and ignored_paths describe which files can be considered for code mapping.
  4. Review ignored paths and provider limits before trusting coverage. Result: generated remediation does not claim access to excluded, private or unsupported files.
  5. Stop when secret, unsafe scope or wrong repository signals appear. Result: the no-secret and revoke path is used before source context enters tickets, prompts or patches.
  6. Continue to Code mapping only when indexing is complete and scoped. Result: issue evidence can be matched to candidate files without write access.

Ready indexing states

Continue only when the product shows a ready or reviewable state.

  • Index ready means repository_index_status is complete for the expected repository_full_name and default_branch.
  • Paths indexed means indexed_paths contain candidate files that can be searched for affected components.
  • Paths ignored means ignored_paths explain excluded directories, unsupported files or provider limits.
  • No write action available means the UI offers no branch, commit, pull request or settings mutation during indexing.
  • Mapping ready means code mapping can start with safe metadata instead of raw source pasted into another surface.

Blocked or unsafe states

Do not work around an unsafe access state. Use the product fallback or revoke path.

  • Index failed means retry only after provider, repository, network or scope state is fixed.
  • Secrets detected means stop and review no-secret boundaries before any source context is reused.
  • Missing repository means return to GitHub repository connection and choose the correct repository.
  • Wrong default branch means do not map findings until the branch is corrected or explained.
  • Unsupported path means keep that file out of candidate mapping and ticket context.
  • Broad access required means use safe fallback paths instead of expanding repository permissions without approval.

Continue to code mapping

Continue to Code mapping when read-only indexing is complete, scoped and free of secret-boundary issues. Use Review-only patches only after code mapping identifies a safe candidate file. Use Revoke and no-secret boundaries if indexing exposes unsafe repository state.
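
The ready and blocked states above can be expressed as a gate that runs before code mapping. This is an added example, not WebRiskOps code: the dictionary shape, the literal status value `complete`, the `secrets_detected` flag and the treatment of indexed_paths and ignored_paths as path prefixes are assumptions, and the sample data is constructed.

```python
from posixpath import normpath

def _under(path, roots):
    """True if path equals a root or sits below it, compared on whole path segments."""
    p = normpath(path)  # collapses "a/../b" so traversal cannot dodge an ignored root
    return any(p == normpath(r) or p.startswith(normpath(r) + "/") for r in roots)

def mapping_gate(index, expected_repo, expected_branch, finding_paths):
    """Return (blockers, candidates, excluded) for an index summary (assumed shape)."""
    blockers = []
    if index.get("repository_full_name") != expected_repo:
        blockers.append("missing or wrong repository")
    if index.get("default_branch") != expected_branch:
        blockers.append("wrong default branch")
    if index.get("repository_index_status") != "complete":  # assumed literal
        blockers.append("index not complete")
    if index.get("secrets_detected"):  # hypothetical flag for the "Secrets detected" state
        blockers.append("secrets detected")

    candidates, excluded = [], []
    for path in finding_paths:
        # A path is a candidate only if it is indexed and not ignored.
        if _under(path, index.get("ignored_paths", [])) or not _under(
            path, index.get("indexed_paths", [])
        ):
            excluded.append(path)
        else:
            candidates.append(path)
    if blockers:
        candidates = []  # any blocked state means nothing is mapped
    return blockers, candidates, excluded

# Constructed sample data, not taken from any real repository.
SAMPLE_INDEX = {
    "repository_full_name": "example-org/shop-frontend",
    "default_branch": "main",
    "repository_index_status": "complete",
    "indexed_paths": ["src", "package.json"],
    "ignored_paths": ["src/vendor", "dist"],
    "secrets_detected": False,
}
SAMPLE_FINDING_PATHS = [
    "src/auth/login.js", "src/vendor/lib.js", "dist/app.js",
    "src/../dist/app.js", "docs/readme.md",
]

if __name__ == "__main__":
    print(mapping_gate(SAMPLE_INDEX, "example-org/shop-frontend", "main", SAMPLE_FINDING_PATHS))
```

Paths that land in `excluded` stay out of candidate mapping and ticket context, so remediation text never claims coverage of files the index did not read.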
