Quickstart.
30 seconds for GitHub. 60 seconds for local. The Action runs on every PR without any install. The CLI runs anywhere Node runs.
§ 01 · The 30-second path — GitHub Action
Paste this file at .github/workflows/codetitan.yml. Your next pull request will be reviewed automatically.
name: CodeTitan
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      - uses: Noa-Lia/codetitan-action@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fail-on-severity: HIGH

That's it. Open a PR and CodeTitan posts an inline review comment with a Risk Score, uploads SARIF to GitHub Code Scanning, and — if fail-on-severity: HIGH is set — fails the check when HIGH or CRITICAL findings appear.
§ 02 · The 60-second path — CLI
Install the CLI globally:

npm install -g @noalia/codetitan

Analyze the current repo (no AI, fast):

codetitan analyze . --no-ai --format json

Real output from a real run (a one-file Express app with a hardcoded key and an unparameterized query):
Findings Report
────────────────────────────────────────
Found 3 issues.
CRITICAL [53%] server.js:4
-> Stripe API key detected.
HIGH [51%] server.js:6
-> Tainted user input may reach a SQL query. User input
reaches sink directly on this line.
MEDIUM [51%] server.js:3
-> Express app created without helmet() — many security
headers will be absent.
Files: 1 scanned
Risk: 60 (high / C)

Only scan what changed vs main (fast for pre-commit hooks):

codetitan analyze . --changed-only

§ 03 · What you get
- Inline PR comment — per-file annotations on the exact lines, plus a summary comment with the Risk Score
- SARIF output — uploaded to GitHub Code Scanning, visible in the Security tab
- CI gate — configurable fail threshold so severe findings block merge
§ 04 · Up next
You have a reviewer on every PR. From here, see the full Installation guide for CI environments beyond GitHub, or jump straight to the CLI reference for flags and configuration.