# Source code In source code mode, the Seal Platform reads your dependency manifests directly from the connected repository through Seal's SCM integration. It is the most accurate and freshest of the four package discovery modes, and the default choice when an SCM connection is available. ## What it sees Seal sees the manifest as the SCM integration parses it on each commit. For ecosystems with lockfiles checked in (`package-lock.json`, `Pipfile.lock`, `composer.lock`, and so on), this includes both direct and transitive dependencies. For ecosystems where the manifest only declares direct dependencies (a `pom.xml` without a flattened build, for example), Seal sees the direct dependencies; transitive dependencies do not appear unless the lockfile equivalent is committed. The signal updates as soon as a new commit lands on a tracked branch. The picture matches the latest commit, not the latest deploy. ## What Seal needs Read access to the repository, granted through a connected SCM integration. Seal supports GitHub, GitLab, and Azure DevOps. The level of read access is the minimum required to fetch dependency manifests from the repository. If your organization restricts third-party read access to source code, source code mode is not the right choice. Use [CLI mode](/new-documentation/new-docs/package-discovery-mode/cli.md) instead, which gives you the same remediation capability without granting source access. ## When to choose this mode * You already have, or can grant, a Seal SCM integration with read access to the repository. * You want the freshest possible picture of your packages, updated per commit rather than per build. * For a GitHub-connected Seal Project, you want Seal to be able to open automatic pull requests for fixes (a GitHub-only feature today). ## Setting it up A Seal Project enters source code mode automatically the first time the SCM integration produces a successful manifest read. To set up the integration, see [Connecting source control](/new-documentation/new-docs/connecting-source-control.md). You can also start a Seal Project in another mode and connect source control later. In that case the project promotes to source code mode on the first manifest read after the connection is set up, and signal from the previous mode is dropped. ## Source code mode and remediation Source code mode covers discovery only. The actual replacement of vulnerable packages with sealed versions still requires the Seal CLI to run in your CI/CD pipeline. The Sealing Rules the CLI applies can come from either of two places: * **Remote Sealing Rules** that you create through the Seal UI. The CLI runs in remote fix mode and pulls them at run time. * **Local Sealing Rules** in a `.seal-actions.yml` file checked into your repository. The CLI runs in local fix mode and reads them from the file. For source-code-mode Seal Projects on GitHub, the Seal GitHub App can populate the `.seal-actions.yml` file by opening automatic pull requests with proposed Sealing Rules. You review and merge the PRs as you would any other change. The CLI still has to run in CI on the merged commit to apply the rules and replace the packages; the automatic PRs are a way to author the rules, not to deploy them. ## Related * [Connecting source control](/new-documentation/new-docs/connecting-source-control.md): how to set up the GitHub, GitLab, or Azure DevOps integration. * [How Seal discovers your packages](/new-documentation/new-docs/how-seal-discovers-your-packages.md): how source code mode compares to the other three. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sealsecurity.io/new-documentation/new-docs/package-discovery-mode/source-code.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.