> For the complete documentation index, see [llms.txt](https://docs.veedna.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.veedna.com/unifai/scanning-for-violations/scanning-in-scms.md).

# Scanning in SCMs

## Scanning Source Code Repositories with UnifAI

UnifAI scans your source code repositories for policy violations, including AI-related risks, and opens a pull request that contains the fixes and a violations report. You run UnifAI through your SCM’s native CI/CD pipeline. The pipeline authenticates to Lineaje with a Lineaje Personal Access Token (PAT) and connects to a Lineaje Model Context Protocol (MCP) server, which performs the scan.

The scan engine is Source Code Manager (SCM)-agnostic. Supported SCMs include:

* GitHub SaaS (GitHub.com) and GitHub Enterprise Cloud
* GitHub Enterprise Server (self-hosted)
* GitLab SaaS (GitLab.com) and GitLab self-hosted
* Bitbucket Cloud and Bitbucket Data Center (on-premises)

### How the Scan Works

When the pipeline runs, UnifAI performs the following steps:

| **Step** | **Action**                                             | **Result**                                                                          |
| -------- | ------------------------------------------------------ | ----------------------------------------------------------------------------------- |
| 1        | Clones repository                                      | The MCP server clones your repository to the runner environment.                    |
| 2        | Evaluates for AI security policies and generates fixes | UnifAI generates remediation code for every violation found.                        |
| 3        | Creates remediation branch                             | A new branch is created in your repository to hold the fixes.                       |
| 4        | Opens pull request                                     | A new PR (pull request) opens with the full violations report and all code changes. |

As you merge remediation pull requests, the violation count decreases. You can track this reduction across scan iterations in the violations report.

### Choosing a Deployment Path

Select the path that matches how your organization hosts its SCM and where the scan will run:

| **Path**                                                                                                               | **When to Use**                                                                            | **Where the scan runs**                                                                                                                              |
| ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Path A: Cloud-Hosted SCM (SaaS)](/unifai/scanning-for-violations/scanning-in-scms/path-a-cloud-hosted-scm-saas.md)    | Your repositories are on a cloud-hosted SCM (e.g., GitHub.com or GitHub Enterprise Cloud). | Scan runs in Lineaje Cloud. The CI/CD pipeline connects to the Lineaje SaaS MCP endpoint by default.                                                 |
| [Path B: Self-Hosted SCM (On-Premises)](/unifai/scanning-for-violations/scanning-in-scms/path-b-github-on-premises.md) | You run a self-hosted SCM and want everything inside your network.                         | Scan runs within your environment. The Lineaje MCP server runs on a virtual machine (VM) in your network. Source code never leaves your environment. |

Both paths produce the same output: a pull request on your repository containing remediation fixes for all detected violations, along with a violations report showing the policy name, file, line numbers that were changed, and what was remediated.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.veedna.com/unifai/scanning-for-violations/scanning-in-scms.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.