Commit e8c814e

bte808 and ParzivalHack authored
docs: add README FAQ section (#67)
## Summary

- Add a Frequently Asked Questions section to `README.md` using collapsed Markdown sections.
- Link the new FAQ from the table of contents.
- Cover common setup and usage questions around Rust requirements, scan targets, report formats, triage baselines, plugin trust, AI/supply-chain modes, and CI integration.

Closes #63.

## Validation

- `git diff --check`
- README structure check for the FAQ ToC entry, section order, balanced `<details>/<summary>` tags, and key command references

---------

Co-authored-by: Tommaso Bona <piergeolo@gmail.com>
1 parent 0ac8eea commit e8c814e

1 file changed

Lines changed: 83 additions & 1 deletion

README.md

@@ -27,10 +27,11 @@ PySpector is designed to be both comprehensive and intuitive, offering a multi-l
2727
- [How It Works](#how-it-works)
2828
- [Performance Benchmarks](#performance-benchmarks)
2929
- [Usage](#usage)
30-
- [Plugin System](#plugin-system-new-feature)
30+
- [Plugin System](#plugin-system)
3131
- [Triaging and Baselining](#triaging-and-baselining-findings)
3232
- [Automation and Integration](#automation-and-integration)
3333
- [SARIF Output and Security Tool Integration](#sarif-output-and-security-tool-integration)
34+
- [Frequently Asked Questions](#frequently-asked-questions)
3435

3536
## Quick Demo
3637

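Review bot: The ToC entry now points at `#plugin-system` instead of `#plugin-system-new-feature`, but this diff does not touch the corresponding heading, so the link is only correct if the section heading already renders as `## Plugin System` (GitHub derives anchors from the heading text). Please confirm the heading matches, or include the heading change in this commit; the validation note in the commit message checks the FAQ ToC entry but not this renamed anchor.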
@@ -477,3 +478,84 @@ For continuous monitoring, you can schedule regular scans of your projects using
477478
<!-- ALL-CONTRIBUTORS-LIST:END -->
478479

479480
This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification.
481+
482+
## Frequently Asked Questions
483+
484+
<details>
485+
<summary>Why is my scan slow?</summary>
486+
487+
If your scan is slow, it's probably because you aren't using PySpector, but rather something else (xD). Jokes apart, scan speed reduces as the codebase grows (so, for example, a 500k LoC codebase will take more time to get scanned, than a 10k LoC one), but recent benchmarks still demonstrate that PySpector is faster than other Python SASTs
488+
489+
</details>
490+
491+
<details>
492+
<summary>Do I need Rust installed to use PySpector?</summary>
493+
494+
Yes. PySpector includes a Rust analysis core, so local installation from source requires the Rust toolchain. Install Rust with [rustup](https://rustup.rs/), then verify the setup with `cargo --version` before installing or building PySpector.
495+
496+
</details>
497+
498+
<details>
499+
<summary>What can I scan?</summary>
500+
501+
You can use `pyspector scan` with a local Python file, a local project directory, or a public Git repository URL:
502+
503+
```bash
504+
pyspector scan ./my-python-project
505+
pyspector scan --url https://github.com/username/repo.git
506+
```
507+
508+
</details>
509+
510+
<details>
511+
<summary>How can I choose the report format?</summary>
512+
513+
Use `-f` to select the output format and `-o` to write the report to a file. For example:
514+
515+
```bash
516+
pyspector scan ./my-python-project -f json -o report.json
517+
pyspector scan ./my-python-project -f html -o report.html
518+
pyspector scan ./my-python-project -f sarif -o report.sarif
519+
```
520+
521+
</details>
522+
523+
<details>
524+
<summary>How should I handle false positives?</summary>
525+
526+
Generate a JSON report, then open the triage TUI:
527+
528+
```bash
529+
pyspector scan ./my-python-project -f json -o report.json
530+
pyspector triage report.json
531+
```
532+
533+
Inside the TUI, mark findings as ignored (by pressing `i` inside the TUI) and save the baseline (with `s`). Future scans can use that baseline so already reviewed findings do not keep reappearing.
534+
535+
</details>
536+
537+
<details>
538+
<summary>Are plugins safe to run?</summary>
539+
540+
Only trusted plugins are executed automatically. PySpector validates plugin source, records a checksum when you trust a plugin, and warns you if the file changes later. Review third-party plugin code before running `pyspector plugin trust` or installing a plugin with `--trust`.
541+
542+
</details>
543+
544+
<details>
545+
<summary>When should I use the AI and supply-chain modes?</summary>
546+
547+
Use `--ai` when scanning projects that integrate with LLMs or AI agents. Use `--supply-chain` when you want dependency checks for known CVEs:
548+
549+
```bash
550+
pyspector scan ./my-python-project --ai
551+
pyspector scan ./my-python-project --supply-chain
552+
```
553+
554+
</details>
555+
556+
<details>
557+
<summary>How can I integrate PySpector into CI?</summary>
558+
559+
For CI pipelines, generate SARIF with `-f sarif` and upload it to a compatible security platform such as GitHub Code Scanning. For local guardrails, use `./scripts/setup_hooks.sh` to install the provided pre-commit hook.
560+
561+
</details>
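Review bot: Two of the new answers describe a workflow without saying how to complete it. "How should I handle false positives?" says "Future scans can use that baseline" but never names the flag or command that applies a saved baseline to a later `pyspector scan`; either state it or link to the existing [Triaging and Baselining](#triaging-and-baselining-findings) section. Similarly, "Are plugins safe to run?" mentions checksum recording and change warnings but gives no pointer to the [Plugin System](#plugin-system) section, where readers would look for what `pyspector plugin trust` actually verifies. Minor: the "Why is my scan slow?" answer ends without a period ("...faster than other Python SASTs"), and the phrase "mark findings as ignored (by pressing `i` inside the TUI)" repeats "inside the TUI" from the same sentence.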
