CodeTitan

§ 01Thesis

The codebaseimmune system.

Free security review on your own GitHub runner, inline on every PR. JavaScript and TypeScript. No quota. No signup. Your code never leaves CI.

It catches what your ESLint config misses. Pre-launch · self-serve beta.

RUNTIME
GitHub Action
OUTPUT
SARIF + PR comments
DATA
Repo-local profile
GATE
Severity + risk threshold

It carries the codebase → right panel.


§ 02In motion

One audit, start to verdict.

Fig 01·Flagship audit · calcom/cal.com · SHA FB01494

From 3,057 raw findings to 7 in-scope HIGH/CRITICAL, all confirmed true-positive at the pinned SHA — the flagship film walks one real audit end to end.

Flagship audit film · 95 s

§ 03Self-analysis

What the output looks like.

A schematic of the panel CodeTitan generates per PR — score, file list, severity tags, profile state. The panel opposite is illustrative, not the result of a live scan.

For the actual comment shape posted on a real PR, see codetitan-sarif-demo · pull/1.

Output schematic · illustrative
example/repo/src/
Score · Grade
94/ A
Verdict
Watch
  • src/api/auth.ts0
  • src/api/users.ts0
  • src/db/query.ts0
  • src/lib/jwt.ts0
  • src/lib/cors.ts0
  • src/lib/parse.ts0
  • src/routes/login.ts0
  • tests/auth.test.ts0
  • tests/users.test.ts0
  • tests/query.test.ts0
  • src/lib/parse.tsAI-DRIFTExample flag · pattern shape only
10 clean · 1 flagged11 files · 266 rules

The shape, not the substance. Score, file list, severity tags, and AI-drift flag are example values — the panel is a schematic of what CodeTitan emits per PR.

Fig 02 · Output schematic · Illustrative example


Fig 03·Illustrative · output shape for one PR · not measured longitudinal data

PR Risk ScoreExample
00
Grade B· Watch
Security
2 high
Quality
1 medium
AI-generated
Profile
recording

Score, grade, and verdict are computed from the rule weights opposite — not from a real PR.

Inline findings3
  • HIGH
    src/api/auth.ts:47
    JWT secret read from env with no fallback
  • HIGH
    src/db/query.ts:128
    Possible SQL injection via template literal
  • MEDIUM
    tests/user.test.ts:14
    Missing assertion in mocked call

The actual comment CodeTitan posted on a real PR is at codetitan-sarif-demo · pull/1.

Rules
266
Langs
JS / TS
Taint pass
3
SARIF
Native
Diff-aware
PRs only
Card
0

§ 04How CodeTitan works

From install to intelligent review in one sprint.

Three stages. Each builds on the last. The per-repo profile is implemented and locally verified — no team has used it long enough yet to prove the learning changes outcomes over a month.


Add the Action in 30 seconds.

No npm install. No configuration. No build step. Paste one workflow file; the next PR is already reviewed.

  • Zero-install engine

    Bootstraps on the runner — no setup

  • Runs everywhere

    Ubuntu · macOS · Windows hosted matrix

  • Sensible defaults

    --no-ai default · diff-aware on PRs

  • No lock-in

    Findings land in GitHub Code Scanning

Fig 04·.github/workflows/codetitan.yml · 1 file · 21 lines

 1  # .github/workflows/codetitan.yml
 2  name: CodeTitan
 3  on: [pull_request]
 4  
 5  jobs:
 6    review:
 7      runs-on: ubuntu-latest
 8      permissions:
 9        contents: read
10        pull-requests: write
11        security-events: write
12      steps:
13        - uses: actions/checkout@v4
14          with: { fetch-depth: 0 }
15  
16        - uses: Noa-Lia/codetitan-action@v1
17          with:
18            github-token: ${{ secrets.GITHUB_TOKEN }}
19            fail-on-severity: HIGH
20            format: both

Every PR gets a Risk Score.

266 deterministic rules for JavaScript & TypeScript. 3-pass source-to-sink taint analysis. A single composite score, posted inline on the pull request — no dashboard switch required.

Fig 05·Risk Score anatomy · weights out of 100

  • Security35%
    Taint · SSRF · JWT · SCA reachability
  • Quality25%
    Complexity · dead code · error handling
  • AI-generated risk20%
    Drift from repo conventions
  • Test coverage Δ12%
    Assertions added vs. code added
  • Profile match8%
    How similar to the learned profile

Fig 06·Analysis pipeline · one PR · end-to-end

  1. 01
    Diff-aware selection

    Only scan files changed vs. main

  2. 02
    Domain analyzers

    Security · Perf · Quality · Tests · Docs

  3. 03
    3-pass taint

    Cross-file A → B → C reachability

  4. 04
    AI-drift detector

    Identifies generated-code patterns

  5. 05
    Profile rerank

    Suppresses FPs using repo history

  6. 06
    Composite score

    0–100 · A–F grade · output as SARIF


The profile is built per-repo.

Every merged PR, dismissed finding, and applied fix is recorded into a per-repo profile, stored in .codetitan/learned-profile.json. The mechanism is implemented and locally verified. No external repo has used it long enough yet to show that the learning changes review outcomes over time.

Fig 07·What the profile records · what it feeds · status

Signal recordedWhere it feeds inStatus
FP-prone file patterns from past dismissalsConfidence scoring · finding rerankImplemented · locally verified
Repo-specific conventions seen in merged diffsSuppression rules · finding contextImplemented · locally verified
Dismissed findings with rationaleRisk Score calibrationImplemented · locally verified
Applied fix outcomes (shipped · reverted)AI-drift confidence thresholdImplemented · locally verified
Outcome change after a month of real PRsNot yet shown · zero design partners

The thesis, restated

“Scanners read your code.
CodeTitan remembers it.”

Repo-local profile · recorded per PR · stays in your repo

§ 05Memory

Day 1: a scanner. Day 30: your scanner.

Fig 08·Illustrative · the first 30 days · observation log

One repo’s first month, day by day — what the learned profile records per PR, and what stops coming back. Dismiss a finding three times and it never returns.

The first 30 days film · 120 s

Illustrative sequence — ACME-API is a demonstration repo, not a customer log.


§ 06Surfaces

Where you work. Not one more dashboard.

The same engine powers both. Findings flow to the PR for your team, and to your terminal for you.

Fig 09·Comparative specification · GitHub Action vs. CLI

Attribute
GitHub Action

For the team · at the PR

CLI

For the developer · at the terminal

Audience
Your team
You, the developer
Used at
PR review · CI gate
Terminal · pre-commit · CI
Output
Inline comments · SARIF
JSON · text · SARIF
Entry point
.github/workflows/*.yml
$ codetitan
Install cost
Zero · bundled
$ npm i -g @noalia/codetitan
Gate
fail-on-severity · risk-threshold
--fail-on · --risk-threshold
Invocation
- uses: Noa-Lia/codetitan-action@v1
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
    fail-on-severity: HIGH
    format: both
    # diff-aware on pull_request
    # inline comments + SARIF
npm install -g @noalia/codetitan

codetitan analyze . --no-ai --format json
codetitan analyze . --changed-only
codetitan fix . --dry-run

Fig 10·First run · CLI · 60 s

The first run, in sixty seconds.

The first-run film: one global install, the rule set loading, and a first analysis at the terminal.

First-run film · 60 s


§ 07Controls

Governance by default.

Every control a security team asks for in procurement — permissions, artifacts, gates, profile ownership, rollout — is already how CodeTitan ships.

Fig 11·Enterprise controls · defaults · ownership

ControlCodeTitan behaviorWhy it matters
PermissionsRequests contents: read, pull-requests: write, security-events: write. No repository write.Reviews annotate PRs and publish SARIF without changing source code.
ArtifactsEmits JSON, SARIF, and .codetitan/learned-profile.json. CLI adds console output.Audit records stay with the repo and replay in CI or the CLI.
Policy gatesAction uses fail-on-severity + risk-threshold. CLI uses --fail-on + --risk-threshold.Release blockers are explicit in the PR check or CI exit code.
Profile ownershipLearns from merged PRs and dismissed findings, persisted to your repo.The memory follows the codebase instead of a vendor-side model.
Rollout modeDiff-aware on pull requests by default. Full-repo scans run from the CLI or scheduled workflows.Teams start on changed files, then enforce the same rules across the repo.

§ 08Begin

Give your repo a memory.

30s setup · one workflow file · self-serve beta

Pre-launch · request access below · your code stays in your repo