The codebaseimmune system.
Free security review on your own GitHub runner, inline on every PR. JavaScript and TypeScript. No quota. No signup. Your code never leaves CI.
It catches what your ESLint config misses. Pre-launch · self-serve beta.
It carries the codebase → right panel.
One audit, start to verdict.
Fig 01·Flagship audit · calcom/cal.com · SHA FB01494
From 3,057 raw findings to 7 in-scope HIGH/CRITICAL, all confirmed true-positive at the pinned SHA — the flagship film walks one real audit end to end.
What the output looks like.
A schematic of the panel CodeTitan generates per PR — score, file list, severity tags, profile state. The panel opposite is illustrative, not the result of a live scan.
For the actual comment shape posted on a real PR, see codetitan-sarif-demo · pull/1.
- src/api/auth.ts0
- src/api/users.ts0
- src/db/query.ts0
- src/lib/jwt.ts0
- src/lib/cors.ts0
- src/lib/parse.ts0
- src/routes/login.ts0
- tests/auth.test.ts0
- tests/users.test.ts0
- tests/query.test.ts0
- src/lib/parse.tsAI-DRIFT└ Example flag · pattern shape only
The shape, not the substance. Score, file list, severity tags, and AI-drift flag are example values — the panel is a schematic of what CodeTitan emits per PR.
Fig 02 · Output schematic · Illustrative example
Fig 03·Illustrative · output shape for one PR · not measured longitudinal data
- Security
- 2 high
- Quality
- 1 medium
- AI-generated
- —
- Profile
- recording
Score, grade, and verdict are computed from the rule weights opposite — not from a real PR.
- HIGHsrc/api/auth.ts:47JWT secret read from env with no fallback
- HIGHsrc/db/query.ts:128Possible SQL injection via template literal
- MEDIUMtests/user.test.ts:14Missing assertion in mocked call
The actual comment CodeTitan posted on a real PR is at codetitan-sarif-demo · pull/1.
From install to intelligent review in one sprint.
Three stages. Each builds on the last. The per-repo profile is implemented and locally verified — no team has used it long enough yet to prove the learning changes outcomes over a month.
Add the Action in 30 seconds.
No npm install. No configuration. No build step. Paste one workflow file; the next PR is already reviewed.
- Zero-install engine
Bootstraps on the runner — no setup
- Runs everywhere
Ubuntu · macOS · Windows hosted matrix
- Sensible defaults
--no-ai default · diff-aware on PRs
- No lock-in
Findings land in GitHub Code Scanning
Fig 04·.github/workflows/codetitan.yml · 1 file · 21 lines
1 # .github/workflows/codetitan.yml
2 name: CodeTitan
3 on: [pull_request]
4
5 jobs:
6 review:
7 runs-on: ubuntu-latest
8 permissions:
9 contents: read
10 pull-requests: write
11 security-events: write
12 steps:
13 - uses: actions/checkout@v4
14 with: { fetch-depth: 0 }
15
16 - uses: Noa-Lia/codetitan-action@v1
17 with:
18 github-token: ${{ secrets.GITHUB_TOKEN }}
19 fail-on-severity: HIGH
20 format: both
Every PR gets a Risk Score.
266 deterministic rules for JavaScript & TypeScript. 3-pass source-to-sink taint analysis. A single composite score, posted inline on the pull request — no dashboard switch required.
Fig 05·Risk Score anatomy · weights out of 100
- Security35%Taint · SSRF · JWT · SCA reachability
- Quality25%Complexity · dead code · error handling
- AI-generated risk20%Drift from repo conventions
- Test coverage Δ12%Assertions added vs. code added
- Profile match8%How similar to the learned profile
Fig 06·Analysis pipeline · one PR · end-to-end
- 01Diff-aware selection
Only scan files changed vs. main
- 02Domain analyzers
Security · Perf · Quality · Tests · Docs
- 033-pass taint
Cross-file A → B → C reachability
- 04AI-drift detector
Identifies generated-code patterns
- 05Profile rerank
Suppresses FPs using repo history
- 06Composite score
0–100 · A–F grade · output as SARIF
The profile is built per-repo.
Every merged PR, dismissed finding, and applied fix is recorded into a per-repo profile, stored in .codetitan/learned-profile.json. The mechanism is implemented and locally verified. No external repo has used it long enough yet to show that the learning changes review outcomes over time.
Fig 07·What the profile records · what it feeds · status
| Signal recorded | Where it feeds in | Status |
|---|---|---|
| FP-prone file patterns from past dismissals | Confidence scoring · finding rerank | Implemented · locally verified |
| Repo-specific conventions seen in merged diffs | Suppression rules · finding context | Implemented · locally verified |
| Dismissed findings with rationale | Risk Score calibration | Implemented · locally verified |
| Applied fix outcomes (shipped · reverted) | AI-drift confidence threshold | Implemented · locally verified |
| Outcome change after a month of real PRs | — | Not yet shown · zero design partners |
The thesis, restated
“Scanners read your code.
CodeTitan remembers it.”
Repo-local profile · recorded per PR · stays in your repo
Day 1: a scanner. Day 30: your scanner.
Fig 08·Illustrative · the first 30 days · observation log
One repo’s first month, day by day — what the learned profile records per PR, and what stops coming back. Dismiss a finding three times and it never returns.
Illustrative sequence — ACME-API is a demonstration repo, not a customer log.
Where you work. Not one more dashboard.
The same engine powers both. Findings flow to the PR for your team, and to your terminal for you.
Fig 09·Comparative specification · GitHub Action vs. CLI
For the team · at the PR
For the developer · at the terminal
- uses: Noa-Lia/codetitan-action@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
fail-on-severity: HIGH
format: both
# diff-aware on pull_request
# inline comments + SARIFnpm install -g @noalia/codetitan
codetitan analyze . --no-ai --format json
codetitan analyze . --changed-only
codetitan fix . --dry-runFig 10·First run · CLI · 60 s
The first run, in sixty seconds.
The first-run film: one global install, the rule set loading, and a first analysis at the terminal.
Governance by default.
Every control a security team asks for in procurement — permissions, artifacts, gates, profile ownership, rollout — is already how CodeTitan ships.
Fig 11·Enterprise controls · defaults · ownership
| Control | CodeTitan behavior | Why it matters |
|---|---|---|
| Permissions | Requests contents: read, pull-requests: write, security-events: write. No repository write. | Reviews annotate PRs and publish SARIF without changing source code. |
| Artifacts | Emits JSON, SARIF, and .codetitan/learned-profile.json. CLI adds console output. | Audit records stay with the repo and replay in CI or the CLI. |
| Policy gates | Action uses fail-on-severity + risk-threshold. CLI uses --fail-on + --risk-threshold. | Release blockers are explicit in the PR check or CI exit code. |
| Profile ownership | Learns from merged PRs and dismissed findings, persisted to your repo. | The memory follows the codebase instead of a vendor-side model. |
| Rollout mode | Diff-aware on pull requests by default. Full-repo scans run from the CLI or scheduled workflows. | Teams start on changed files, then enforce the same rules across the repo. |
Give your repo a memory.
30s setup · one workflow file · self-serve beta
Pre-launch · request access below · your code stays in your repo