Configuring Concert Secure Coder settings

You can configure Concert Secure Coder settings to control how scans run and how scan results are displayed in your IDE.

Use the settings to customize automatic scanning behavior and workspace scan timeouts.

Open Concert Secure Coder settings

  1. Open Visual Studio Code or IBM Bob.
  2. Open the Settings view.
    • Windows and Linux: File > Preferences > Settings
    • macOS: Code > Settings > Settings
  3. Search for Concert Secure Coder.

    The available Secure Coder settings are displayed.

Configure automatic file scans

Concert Secure Coder can automatically scan files as you work.

Automatic file scans help identify issues earlier without requiring you to manually start a scan.

Depending on your configuration, you can enable automatic scanning when:
  • A file is saved.
  • You stop typing for a specified period of time.

Enable scan on save

  1. Open the Concert Secure Coder settings.
  2. Locate the automatic file scanning settings.
  3. Enable Scan on save.
  4. Save your changes.

Enable scan while typing

  1. Open the Concert Secure Coder settings.
  2. Locate the automatic file scanning settings.
  3. Enable the option to scan after typing stops.
  4. Save your changes.

Configure workspace scan timeout

You can configure how long a workspace scan is allowed to run before timing out.

  1. Open the Concert Secure Coder settings.
  2. Locate the Workspace scan timeout setting.
  3. Specify a timeout value between 1 and 60 minutes.
  4. Save your changes.

The default timeout value is 10 minutes.

The workspace scan timeout applies to:
  • Secrets detection scans
  • Static Application Security Testing (SAST) scans
  • Software Composition Analysis (SCA) scans

Use this setting when scanning larger repositories that require additional time to complete.

If the configured timeout is reached before a scan completes, the scan stops and a timeout error is returned.

If workspace scans frequently time out before completion, increase the timeout value.

Understand scan availability

The scan types that are available in Concert Secure Coder depend on how your organization has configured the Secure Coder service.

The following workspace scan types can be enabled or disabled by your organization:
  • Secrets detection
  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)

If a scan capability is not enabled, it might remain visible in the user interface but will not be available for use.

Note: AI-assisted remediation recommendations are available only when the required AI integration is configured for your Secure Coder installation.

Next steps

After configuring your settings, run file scans or workspace scans to verify that the settings behave as expected.