CodeTitan

§ 01 Capabilities

Six capabilities. One engine.

Pick a capability and inspect the shape of what it posts on a PR. The previews are illustrative, not live scans. The real comment is on a public PR, one button away.


§ 02 Inspect

Each capability, inspected one at a time.

  • src/api/auth.ts · taint analysis · EXAMPLE
    Cross-file taint. Real sinks only.

    A 3-pass taint engine tracks sources → sinks across file boundaries and applies an import-guard filter, one of several mechanisms used to suppress regex false positives.

    HIGH L47  JWT secret read from env with no fallback
    HIGH L128 Possible SQL injection via template literal
    MED  L204 Weak hash (MD5) used for token signing
    OK   L312 regex .exec() guarded — fileImport allow
    ─── 3-pass cross-file taint complete · 4.2s
  • 266 rules · JavaScript & TypeScript
  • OWASP Top 10 coverage
  • Supply chain SCA with reachability
  • Secret detection · entropy + known-format scanning
  • SARIF 2.1.0 native output

§ 03 Ship it

Surface · Team/action

GitHub Action

For the team at the PR. Paste one workflow file and the next pull request is already reviewed.

Surface · Developer/cli

CLI

For you, in the terminal. Pre-commit, local CI, or just because you want to know before anyone else does.
