๐Ÿ›ก๏ธSentinelOSS

What we check

Every check we run on every push

SentinelOSS runs 6 security checks on each commit, in parallel, in under 60 seconds. Here's the full catalogue: what each one does, where the data comes from, and what we're building next.

Live today

6 checks · runs on every webhook delivery

Dependency CVEs

Live

Known vulnerabilities in your npm lockfile

Parses package-lock.json from the pushed commit, batches every dependency through the OSV.dev vulnerability database, classifies findings by CVSS severity (CRITICAL / HIGH / MEDIUM / LOW), and links each one to its CVE record.

Source
OSV.dev (open-source vulnerability registry, maintained by Google)
Output
Per-CVE entries: package, version, vuln ID, severity, summary
Gating
CRITICAL findings can fail merge gates (Policy Studio, soon)

SSL/TLS grade

Live

Qualys-style A+/F grade for your production hostname

Triggers a Qualys SSL Labs scan against the host configured per-project. Grades certificate chain, protocol versions (TLS 1.0/1.1 deprecation), cipher suites, HSTS, OCSP stapling. Results cached 24h to dodge SSL Labs rate limits.

Source
Qualys SSL Labs API + 24h cache in our DB
Output
Letter grade (A+ through F, plus T/M for trust/mismatch failures)

Supply-chain (GitHub Actions)

Live

Risky patterns in your CI/CD workflows

Reads every YAML file in .github/workflows/ via the authenticated Contents API and pattern-matches dangerous constructs: unpinned actions (@main / @master instead of a commit SHA), "pwn request" patterns on pull_request_target (fork-controlled code run with the base repo's write token), secrets passed into inputs, `curl | sh` from external hosts, and hardcoded credentials.

Source
GitHub Contents API + curated rule set
Output
Risk score 0-100, severity-weighted findings, overall risk badge
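To make the pattern rules concrete, here is an added, regex-based scanner run over a constructed workflow file. It is not SentinelOSS's code; the rule regexes, the severity weights and the sample YAML are all assumptions made for the example.

```python
import re

# Constructed sample workflow with several risky patterns (not from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/lint-action@master
      - run: curl -sSL https://example.invalid/install.sh | sh
      - run: ./deploy.sh
        env:
          AWS_SECRET_ACCESS_KEY: "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
"""

# Assumed rule set: (rule id, line regex, severity). Mutable refs (@main/@master) are not
# pinned to a commit SHA; pipe-to-shell runs unreviewed remote code; literal credential
# values in YAML leak on every clone. References like ${{ secrets.X }} are not flagged.
RULES = [
    ("unpinned-action", re.compile(r"uses:\s*\S+@(main|master)\b"), "HIGH"),
    ("pipe-to-shell", re.compile(r"\bcurl\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b"), "HIGH"),
    ("hardcoded-credential",
     re.compile(r"(?i)(secret|token|password|api_key)\w*:\s*['\"]?[A-Za-z0-9/+_\-]{20,}"), "CRITICAL"),
]
SEVERITY_WEIGHT = {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 8, "LOW": 3}  # assumed weights

def scan_workflow(text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern, severity in RULES:
            if pattern.search(line):
                findings.append({"rule": rule_id, "severity": severity, "line": lineno})
    # "Pwn request": pull_request_target trigger plus checkout of the PR head ref. That
    # combination runs fork-controlled code with the base repository's write-scoped token.
    if (re.search(r"^\s*pull_request_target\s*:", text, re.M)
            and re.search(r"github\.event\.pull_request\.head\.(sha|ref)", text)):
        findings.append({"rule": "pwn-request", "severity": "CRITICAL", "line": 0})
    return findings

def risk_score(findings):
    # Severity-weighted sum, capped at 100 so it reads as the 0-100 badge.
    return min(100, sum(SEVERITY_WEIGHT[f["severity"]] for f in findings))
```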

Security headers

Live

HTTP header hygiene against OWASP baseline

HEAD/GET request to your hostname, evaluating Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Each header is weighted; the total maps to a letter grade.

Source
Live HTTP probe against the configured host
Output
Per-header status (good / weak / missing) + how-to-fix snippets
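An added example of header-by-header grading over a constructed set of response headers. It is not SentinelOSS's scorer; the per-header weights, the criteria for "weak", and the grade thresholds are assumptions.

```python
import re

SAMPLE_HEADERS = {  # constructed response headers, not from a real host
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}
# Assumed weights (the page only says each header is weighted); they sum to 100.
WEIGHTS = {"strict-transport-security": 25, "content-security-policy": 25,
           "x-frame-options": 15, "x-content-type-options": 10,
           "referrer-policy": 10, "permissions-policy": 15}

def _hsts(v):
    # Weak unless max-age is at least one year and subdomains are covered.
    m = re.search(r"max-age=(\d+)", v)
    ok = m and int(m.group(1)) >= 31536000 and "includesubdomains" in v.lower()
    return "good" if ok else "weak"

def _csp(v):
    # Weak without a default-src fallback, or if inline/eval script is allowed.
    low = v.lower()
    weak = "default-src" not in low or "'unsafe-inline'" in low or "'unsafe-eval'" in low
    return "weak" if weak else "good"
def _xfo(v): return "good" if v.strip().upper() in ("DENY", "SAMEORIGIN") else "weak"
def _nosniff(v): return "good" if v.strip().lower() == "nosniff" else "weak"
def _referrer(v):
    safe = ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin")
    return "good" if v.strip().lower() in safe else "weak"
def _permissions(v): return "good" if v.strip() else "weak"  # any explicit policy counts

CHECKS = {"strict-transport-security": _hsts, "content-security-policy": _csp,
          "x-frame-options": _xfo, "x-content-type-options": _nosniff,
          "referrer-policy": _referrer, "permissions-policy": _permissions}

def evaluate(headers):
    # Per-header status (good / weak / missing) and a 0-100 score; weak earns half weight.
    present = {k.lower(): v for k, v in headers.items()}
    results, score = {}, 0
    for name, weight in WEIGHTS.items():
        status = CHECKS[name](present[name]) if name in present else "missing"
        results[name] = status
        score += {"good": weight, "weak": weight // 2}.get(status, 0)
    return results, score

def letter_grade(score):
    # Assumed thresholds for the letter grade.
    for threshold, grade in ((100, "A+"), (90, "A"), (75, "B"), (60, "C"), (40, "D")):
        if score >= threshold:
            return grade
    return "F"
```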

License compliance

Live

Copyleft / restrictive licences in your dependency tree

For the first 30 unique packages in the lockfile, queries registry.npmjs.org for the published licence. Classifies into ok (MIT/Apache/BSD/ISC) / low / medium (MPL/LGPL/EPL) / high (GPL/AGPL/SSPL/BUSL).

Source
npm registry (license field of /latest manifest)
Output
Risky-package table, summary counts, audit-ready legal note

Guardian: AI code analysis

Live

Claude reads the diff, finds what regex misses

The actual commit diff (not just the lockfile) is sent to Claude with a security-engineer system prompt. Detects logic flaws, auth bypasses, injection sinks, secret-leak patterns, broken access control. Each finding includes a "Suggest fix" button that triages true vs likely-false-positive before recommending code.

Source
Anthropic Claude (Haiku/Sonnet/Opus per org tier or BYO key)
Output
Risk score, category-tagged findings, AI-written executive summary
Gating
CRITICAL Guardian findings can fail merge gates (Policy Studio, soon)

On the roadmap

6 checks ยท in design or build

SBOM diff

Roadmap

Show exactly which dependencies entered or left this commit

Generate CycloneDX-format SBOM per commit, diff against the previous commit on the branch. Highlights added/removed/upgraded packages and their associated CVE delta. Catches "we added 47 new transitive deps" reviews where humans glaze over.

Source
Generated locally from lockfiles + cached OSV results
Output
Added / Removed / Upgraded tables with CVE delta

Secret scanning (commit + history)

Roadmap

Catch leaked keys before they hit a public branch

gitleaks-equivalent rule set across the diff and (optionally) the last 100 commits. Cross-references hits against Vault Shield: if the leaked secret matches a vaulted prefix, it triggers automatic rotation in the same response.

Source
Diff + Contents API + Vault SHA-256 prefix index
Output
Leaked-secret findings with auto-rotate trigger
๐Ÿ—๏ธ

IaC misconfiguration

Roadmap

Terraform / CloudFormation / Kubernetes posture checks

Run policy-as-code (OPA/Rego) against any IaC files in the diff. Catches public S3 buckets, IAM wildcards, missing encryption, privileged pods, hostNetwork, etc.

Source
Built-in rule packs (CIS, NIST) + bring-your-own Rego
Output
Resource-by-resource posture score, per-control verdict
๐Ÿณ

Container scan

Roadmap

Scan every Dockerfile / image referenced in the repo

Build the image (or pull a published tag), run Trivy/Grype against the resulting layer set. Reports OS-level CVEs, language-specific CVEs, secrets baked into layers, and base-image age.

Source
Trivy DB + base-image registry
Output
Per-layer CVE breakdown, critical-base-image alerts

Dependency confusion

Roadmap

Block install of malicious public packages shadowing your private ones

Detects internal package names that ALSO exist on public npm with a higher version, the canonical dependency-confusion attack vector. Cross-references your scoped packages against the public registry on every push.

Source
npm registry + your private scope list
Output
Conflict alerts with severity (exact match / typo-squat / shadow)
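An added example of the cross-reference described above, run against a constructed private scope list and a constructed public-registry snapshot instead of the live registry. It is not SentinelOSS's code; the three conflict kinds and their severities follow the output line above, and the version and edit-distance rules are assumptions.

```python
# Constructed private scope list and public-registry snapshot; neither is live data.
PRIVATE_PACKAGES = {"@acme/auth-utils": "1.4.0", "@acme/billing-core": "2.0.1",
                    "@acme/logger": "0.3.0"}
PUBLIC_REGISTRY = {"@acme/auth-utils": "99.0.0", "billing-core": "1.0.0",
                   "loggr": "5.1.0", "left-pad": "1.3.0"}

def semver_tuple(v):
    # Numeric-only comparison; pre-release tags are ignored for this example.
    return tuple(int(p) for p in v.split("-")[0].split("."))

def levenshtein(a, b):
    # Standard edit distance, used to spot one-character typo-squats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_conflicts(private, public):
    # Returns (private name, kind, severity, public name or version) per conflict.
    # exact match: the same name is published publicly with a higher version, so a
    #   resolver that prefers the newest version would pull the public copy.
    # shadow: the unscoped form of a scoped private name exists publicly.
    # typo-squat: a public unscoped name is one edit away from the private name.
    findings = []
    for name, version in private.items():
        bare = name.split("/", 1)[1] if name.startswith("@") else name
        if name in public and semver_tuple(public[name]) > semver_tuple(version):
            findings.append((name, "exact match", "CRITICAL", public[name]))
        elif bare in public:
            findings.append((name, "shadow", "HIGH", bare))
        else:
            for pub in public:
                if not pub.startswith("@") and levenshtein(pub, bare) == 1:
                    findings.append((name, "typo-squat", "MEDIUM", pub))
    return findings
```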

Public-leak telemetry

Roadmap

Know within minutes if any of your secrets land on GitHub or paste sites

Subscribes to the GitHub secret-scanning alerts API for your org and polls public leak feeds. Cross-references hits with Vault Shield: leaked vaulted secrets trigger auto-rotate without waiting for a push.

Source
GitHub secret-scanning API + leak-feed integrations
Output
Real-time leak alerts with one-click rotate

Want every check on every push?

Connect a GitHub repo in 30 seconds. We handle the webhook, run the scans in parallel, and surface findings as a shareable report: no agent, no install, no infrastructure.