One workspace, two products: the operational case for bundling Security scans with Code review
Each product is €189/mo + €0.50 per completed run. The bundle is €289/mo + €0.75 per combined run — meaning when both pipelines fire on the same diff (security scan and code review) you pay €0.75 once, not 2 × €0.50 = €1.00. The €89/mo on the base and the €0.25 on every double-run aren't a marketing trick — they reflect a real overhead saving when one workspace runs both pipelines on shared infrastructure. Here's where the bundle breaks even, what a "combined run" actually is, and why the audit trail benefits from a single shape.
What you actually pay
Both products are priced the same way on their own: a flat monthly base that covers the platform — webhook hosting, the dashboards, the audit trail, the suppression engine — plus €0.50 per completed run. Failed runs are never billed. There are no seat fees and no per-repo upcharges.
On the bundle, the per-run line gets one twist: when both pipelines fire on the same diff, that's a "combined run" and bills as €0.75 once, not 2 × €0.50 = €1.00. If a repo on the bundle has only one product enabled, that single run still bills at €0.50 — same as the standalone plan.
Why a combined run is cheaper than two separate ones
The base discount is easy to explain — one workspace, one onboarding, one Stripe customer, one audit subscription. We're not running the platform twice for a customer who takes both products. That saving rolls into a single discounted base.
The combined-run discount is the more interesting half. A standalone product carries the full overhead of one pipeline alone: the LLM context construction per run, the diff line mapper, the suppression engine, the SCM adapter pool. When both pipelines fire on the same diff at the same time, several of those costs are shared between the two:
- SCM connection & diff fetch. One pull from GitLab/GitHub, one rate-limit hit, one diff parsed. Both pipelines reuse it.
- Repo context cache. The repository structure is read once and consumed by both reasoning passes inside the same run window.
- Suppression engine. The fingerprint store and category-path index are queried in one pass for findings and remarks.
- Audit log writer. One write path produces the records for both products in the same row group.
None of those is dramatic in isolation. Together, on a combined run, the per-run cost we're absorbing for the second pipeline is roughly half what it would be standalone. The €0.75 vs €1.00 reflects that: the shared saving is passed back to you, not kept. Critically, this only applies when both pipelines fire on the same diff. If only one product is enabled on a given repo, or only one fires on a given event, the run bills at the regular €0.50.
Where the bundle breaks even
The base discount alone (€89/mo less than two standalone plans) is recovered the moment your team's mix of repos and runs has any meaningful overlap of both products. The combined-run discount compounds it. On 200 PRs/mo where both pipelines fire, that's a further €50 saved (200 × €0.25). On 1,000 PRs/mo, €250.
If you've been weighing two separate vendors (a SAST tool and a code-quality bot, say) the comparison shifts dramatically. Two vendors at, say, €250/mo each, plus seat fees for ten engineers, come to north of €600/mo before you've reviewed a single PR. The CodeGuards bundle, with no seat fees, breaks even on volume: on 200 combined runs/mo the all-in is €289 + 200 × €0.75 = €439. On 1,000 combined runs/mo, €289 + €750 = €1,039. Above 2,000 runs the volume tier kicks in and the per-combined-run rate drops further.
The non-monetary case is bigger than the monetary one
Past the invoice math, the operational case for one workspace over two is the part most teams notice first.
- One audit trail, one shape. Every scan and every review writes records in the same shape — what was checked, the verdict, the findings or remarks, the suppressions accepted, who clicked them. When the auditor asks for change-management evidence, it's one export, not two formats stitched together.
- One dashboard. Both pipelines surface side-by-side on the workspace report. Tech leads see which repos introduce the most risk and which drift the most off the agreed architecture in the same view.
- One Stripe invoice. Finance handles one line item per month, not two.
- One suppression model. The "Suppress" button works the same on a security finding and a code-review remark. Engineers learn the gesture once.
- One per-repo enablement toggle. Pick which products run on which repos in one place. Run scans on the public-facing API, reviews on the design system, both on your monolith — without juggling two SaaS dashboards.
What stays out of the bundle
The bundle is a pricing wrapper, not a feature wrapper. Every capability of each product is the same whether you take them standalone or together. There is nothing held back in "enterprise tier" because we don't have one — high-volume customers move to the volume tier (≥ 2,000 reviews/month, lower per-run rate) on the same self-serve workspace, with the same surface, plus a DPA and an auditor-ready evidence export.
What is not bundled: anything we don't sell. There are no IDE plugins, no dependency-scanning tier, no IaC scanner add-on, no per-engineer license waiting to be unlocked. The product is exactly what's on the two product pages. The bundle just makes both of them slightly cheaper to run together than apart.
How to think about it
If your team only cares about vulnerabilities and doesn't want quality remarks on PRs, take Security scans alone — €189/mo + €0.50/run. If your team has a code-review-bot habit and the security scanner is somebody else's problem, take Code review alone — same shape. If you want both halves of "is this diff safe to merge?" handled in one workspace with one audit trail, the bundle is set up to be cheaper on the base (€89/mo discount) and on every PR that gets both reviews (€0.25 saved per combined run vs running them separately).
Full breakdown on the pricing page. The two product pages live at Security scans and Code review.