Frequently Asked Questions
Everything you need to know about security audits for AI-built applications.
Why You Need an Audit
AI coding tools are incredible for speed, but they routinely introduce security vulnerabilities. LLMs don't think about attack surfaces — they generate code that works, not code that's secure. Hardcoded API keys, SQL injection, broken authentication, and missing input validation are extremely common in AI-generated codebases. An audit catches these before an attacker does.
The most common issues we find are hardcoded secrets and API keys, SQL injection and NoSQL injection, cross-site scripting (XSS), broken authentication and session management, insecure direct object references, missing rate limiting, overly permissive CORS policies, and exposed debug endpoints. AI tools tend to take shortcuts on security because they optimize for getting code to run, not for hardening it.
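To make a few of those patterns concrete, here is an added example (not code from this page or from the audit service) that puts three of them, a hardcoded API key, string-built SQL, and absent input validation, beside their hardened forms. The database, table, user row, and the `APP_API_KEY` environment variable name are constructed assumptions for the demo; Python's built-in `sqlite3` stands in for whatever driver a real project uses, and the parameter-binding fix applies the same way to PostgreSQL, MySQL, and ORM raw-query paths.

```python
import os
import re
import sqlite3

# Constructed sample data: an in-memory SQLite database with one user row.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'hash-placeholder')")
    conn.commit()
    return conn

# --- The shape of code assistants commonly emit (deliberately vulnerable) ------------
API_KEY = "sk-live-EXAMPLE-hardcoded"   # secret checked into the repo (constructed placeholder)

def find_user_vulnerable(conn: sqlite3.Connection, email: str):
    # User input is interpolated straight into the SQL text, so it is parsed as SQL.
    query = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchone()

# --- Hardened forms --------------------------------------------------------------
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def get_api_key() -> str:
    # Secrets come from the environment (or a secret manager), never from source.
    key = os.environ.get("APP_API_KEY")   # assumed variable name
    if not key:
        raise RuntimeError("APP_API_KEY is not set")
    return key

def find_user_hardened(conn: sqlite3.Connection, email: str):
    # Input validation: reject anything that is not shaped like an e-mail address.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid e-mail address")
    # Parameterized query: the driver binds the value; it is never parsed as SQL.
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchone()

def demo():
    """Run the classic tautology through both versions and report what each does."""
    conn = make_db()
    payload = "' OR '1'='1"
    injected = find_user_vulnerable(conn, payload)   # returns Alice's row: the filter was bypassed
    try:
        find_user_hardened(conn, payload)
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"                        # validator stops it at the door
    # Even with no validator, the bound parameter matches no row: None.
    bound_only = conn.execute("SELECT id FROM users WHERE email = ?", (payload,)).fetchone()
    return injected, hardened, bound_only

if __name__ == "__main__":
    print(demo())   # ((1, 'alice@example.com'), 'rejected', None)
```

The two fixes are independent: parameter binding alone closes the injection, and the validator additionally rejects malformed input early so it never reaches the query or the logs. A scanner such as Semgrep flags the f-string query by pattern; the secret on the first vulnerable line is what a secret scanner catches.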
Yes. Attackers use automated scanners that don't care how big your project is. If your app handles any user data, accepts payments, or is publicly accessible, it's a target. A single leaked API key or database credential can cost thousands of dollars and destroy user trust. A Quick Scan starts at $349 — far less than the cost of a breach.
You can, and we encourage it. But running Semgrep, Trivy, and TruffleHog yourself means configuring each tool, interpreting raw output, triaging false positives, and figuring out how to actually fix each finding. Our audit does all of that for you — we run the scanners, apply AI-powered analysis to prioritize findings, map them to OWASP/CWE standards, and deliver a clear report with actionable fix recommendations.
What We Scan
We run a suite of industry-standard tools including Semgrep for static analysis (SAST), Trivy for dependency and container vulnerability scanning, and TruffleHog for secret detection. On top of the raw scanner output, our AI analysis layer generates executive summaries, prioritized findings, and remediation guidance.
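For readers who want to see what the secret-detection stage is doing under the hood, the following is an added example written for this page; it is not TruffleHog's code or rule set, and the patterns, entropy threshold, and sample source lines are all constructed. It combines the two techniques such scanners rely on: fixed-format patterns for well-known credential types, and a Shannon-entropy filter on generic `key = "..."` assignments so that obvious placeholders are not reported as findings.

```python
import math
import re
from collections import Counter

# Constructed detection rules (illustrative, not a real scanner's rule set).
PATTERNS = {
    # Well-known credential formats: reported whenever the shape matches.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Generic assignment of a quoted literal to a secret-looking name; group 2 is the value.
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score high, placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(value: str) -> str:
    # Reports should never echo the full secret back into another artifact.
    return value[:4] + "..." + value[-2:]

def scan_line(lineno: int, line: str, entropy_threshold: float = 3.5) -> list:
    findings = []
    for rule, pat in PATTERNS.items():
        for m in pat.finditer(line):
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            ent = shannon_entropy(value)
            if rule == "generic_assignment" and ent < entropy_threshold:
                continue   # low-entropy literal such as "xxxxxxxx": almost always a placeholder
            findings.append({"line": lineno, "rule": rule, "value": redact(value), "entropy": round(ent, 2)})
    return findings

def scan_source(source: str) -> list:
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        findings.extend(scan_line(lineno, line))
    return findings

# Constructed sample file: one real-looking key, one high-entropy literal,
# one placeholder, and one correct environment lookup.
SAMPLE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
api_key = "aGVsbG8td29ybGQtc2VjcmV0LTEyMzQ1"
password = "xxxxxxxxxxxxxxxxxxxx"
token = os.environ["APP_TOKEN"]
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f)
```

Lines 2 and 3 of the sample are reported; line 4 is suppressed by the entropy filter and line 5 never matches because the value is an environment lookup rather than a quoted literal. The threshold is the usual tuning knob: lower it and placeholders start appearing as findings, raise it and short real secrets are missed, which is exactly the triage work the paragraph above describes.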
We support JavaScript, TypeScript, Python, Go, Ruby, Java, PHP, Rust, C#, and more. Our scanners automatically detect your tech stack and run the appropriate rule sets. Whether you're using Next.js, Django, Rails, Express, FastAPI, or other popular frameworks, we've got you covered.
Every report includes an executive summary with your overall risk score, a prioritized list of findings by severity (critical, high, medium, low), OWASP Top 10 and CWE compliance mapping, code snippets showing exactly where each vulnerability exists, and step-by-step remediation guidance so you know how to fix each issue. Higher-tier packages include more detailed analysis and expert human review.
How It Works
Sign in with GitHub, pick a repository, choose your package, and check out. That's it. We clone your repo securely, run our scanning pipeline, and deliver your report. You can also start with a free scan to get a high-level overview before committing to a full audit.
Automated scans start within minutes of submission. Quick Scan results are typically ready in under an hour. Standard and Comprehensive audits take longer due to deeper analysis, but you can watch progress in real time on your audit dashboard. Packages that include expert human review have additional turnaround time for the reviewer's assessment.
Automated scanning uses tools and AI to find known vulnerability patterns at scale. Expert review adds a human security professional who manually inspects your codebase for business logic flaws, architectural issues, and subtle vulnerabilities that automated tools can miss. The Comprehensive package includes both for maximum coverage.
Pricing & Plans
Quick Scan ($349) gives you automated SAST scanning with AI-generated findings and remediation. Standard Audit ($999) adds deeper analysis, dependency scanning, and more detailed reporting. Comprehensive ($2,999) includes everything plus a manual expert security review for maximum coverage. Each tier builds on the last.
Guard ($199/month) is our continuous monitoring subscription. It runs automated scans monthly, alerts you to critical vulnerabilities, and tracks your security posture over time. It's ideal for teams that ship frequently and want ongoing visibility into their security health rather than a one-time snapshot.
Yes. Our free scan gives you a high-level security overview of your repository — it's a great way to see the kind of issues we catch before committing to a paid audit. You can start a free scan from the homepage without even creating an account.
Privacy & Security
Your code is cloned into an isolated, ephemeral environment for scanning. We don't store your source code after the audit is complete — only the findings and report are retained. Scans run in sandboxed containers that are destroyed after each job.
Only you (and any team members you explicitly share with) can access your audit results. For packages with expert review, the assigned reviewer has access during their assessment. All data is encrypted in transit and at rest.
Yes. When you sign in with GitHub, you grant read access to the repositories you select. We only access the specific repo you submit for audit — nothing else in your account.
Ready to Secure Your Code?
Start with a free scan or get a full audit today.