## Summary
- Add a Frequently Asked Questions section to `README.md` using
collapsed Markdown sections.
- Link the new FAQ from the table of contents.
- Cover common setup and usage questions around Rust requirements, scan
targets, report formats, triage baselines, plugin trust, AI/supply-chain
modes, and CI integration.
Closes #63.
## Validation
- `git diff --check`
- README structure check for the FAQ ToC entry, section order, balanced
`<details>/<summary>` tags, and key command references
---------
Co-authored-by: Tommaso Bona <piergeolo@gmail.com>
@@ -477,3 +478,84 @@ For continuous monitoring, you can schedule regular scans of your projects using
477
478
<!-- ALL-CONTRIBUTORS-LIST:END -->
478
479
479
480
This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification.
481
+
482
+
## Frequently Asked Questions
483
+
484
+
<details>
485
+
<summary>Why is my scan slow?</summary>
486
+
487
+
If your scan is slow, it's probably because you aren't using PySpector, but rather something else (xD). Jokes apart, scan speed reduces as the codebase grows (so, for example, a 500k LoC codebase will take more time to get scanned, than a 10k LoC one), but recent benchmarks still demonstrate that PySpector is faster than other Python SASTs
488
+
489
+
</details>
490
+
491
+
<details>
492
+
<summary>Do I need Rust installed to use PySpector?</summary>
493
+
494
+
Yes. PySpector includes a Rust analysis core, so local installation from source requires the Rust toolchain. Install Rust with [rustup](https://rustup.rs/), then verify the setup with `cargo --version` before installing or building PySpector.
495
+
496
+
</details>
497
+
498
+
<details>
499
+
<summary>What can I scan?</summary>
500
+
501
+
You can use `pyspector scan` with a local Python file, a local project directory, or a public Git repository URL:
Inside the TUI, mark findings as ignored (by pressing `i` inside the TUI) and save the baseline (with `s`). Future scans can use that baseline so already reviewed findings do not keep reappearing.
534
+
535
+
</details>
536
+
537
+
<details>
538
+
<summary>Are plugins safe to run?</summary>
539
+
540
+
Only trusted plugins are executed automatically. PySpector validates plugin source, records a checksum when you trust a plugin, and warns you if the file changes later. Review third-party plugin code before running `pyspector plugin trust` or installing a plugin with `--trust`.
541
+
542
+
</details>
543
+
544
+
<details>
545
+
<summary>When should I use the AI and supply-chain modes?</summary>
546
+
547
+
Use `--ai` when scanning projects that integrate with LLMs or AI agents. Use `--supply-chain` when you want dependency checks for known CVEs:
548
+
549
+
```bash
550
+
pyspector scan ./my-python-project --ai
551
+
pyspector scan ./my-python-project --supply-chain
552
+
```
553
+
554
+
</details>
555
+
556
+
<details>
557
+
<summary>How can I integrate PySpector into CI?</summary>
558
+
559
+
For CI pipelines, generate SARIF with `-f sarif` and upload it to a compatible security platform such as GitHub Code Scanning. For local guardrails, use `./scripts/setup_hooks.sh` to install the provided pre-commit hook.
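Review bot: The "Are plugins safe to run?" answer says PySpector records a checksum when a plugin is trusted and warns if the file changes later, but it does not say whether a plugin whose checksum no longer matches is refused or still executed; since that is the property a reader relies on before running `pyspector plugin trust` or installing with `--trust`, state the behaviour on checksum mismatch explicitly in that answer. Two smaller points in the same hunk: the "Why is my scan slow?" answer cites "recent benchmarks" without linking them and is missing its closing period after "faster than other Python SASTs", and the triage answer repeats "inside the TUI" twice in one sentence ("Inside the TUI, mark findings as ignored (by pressing `i` inside the TUI)"), so one of the two can be dropped.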