// product · security scans

Security review for every merge request.

The security side of the repository-aware review system: vulnerabilities, broken fixes, and exploitability, analyzed with repository context and historical decisions rather than generic signatures.


Reasoning, not pattern matching

Each finding is grounded in your repo: framework, surrounding files, and history. Not a generic regex match.

Verdicts you can gate on

pass / warn / fail — block risky merges in CI, surface the rest as comments on the diff.

Per-repo memory

Mark a finding as accepted once — same pattern stops failing future scans on that repo.

What it catches

Backend, frontend, and infra-as-code, with a bias toward what is actually exploitable in your stack:

  • Hard-coded secrets, expired or weak tokens, leaked .env values
  • SQL/NoSQL injection, SSRF, command injection, including cross-file data flows
  • Broken authn/authz checks, missing rate limits on sensitive endpoints
  • Insecure crypto, weak hashing, predictable randomness
  • Container/Helm/Terraform misconfigs that quietly widen blast radius

How it integrates

Connect a repository with a personal access token; the webhook is registered automatically:

  • GitLab (cloud + self-hosted) — push, MR open/update, manual
  • GitHub (cloud) — push, PR open/sync, manual
  • CI mode — drop a one-line call into your pipeline, exit code = verdict
  • Inline comments on the MR/PR diff for every finding
  • Slack notifications on fail / warn verdicts (optional)
  • MCP server — read security profiles and manage suppression rules via Cursor or any AI agent
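As an added example of the gating pattern described under "Verdicts you can gate on" and in CI mode (this is illustration code, not CodeGuards' own CLI, report format or code), the POSIX shell fragment below turns a pass / warn / fail verdict into a pipeline exit status. The scanner command name, its one-line report format and the branch-based policy (warn blocks only on protected branches) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not CodeGuards' own tooling: gate a CI job on a scan verdict.
# The scanner invocation and the "verdict=..." report format are hypothetical.

# Map a verdict to an exit status. Policy "strict" also blocks on warn (for
# protected branches); "lenient" lets warn through so it only shows up as a
# comment on the diff. Anything unrecognised fails closed with status 2.
gate_verdict() {
  verdict="$1"
  policy="${2:-lenient}"
  case "$verdict" in
    pass) return 0 ;;
    warn)
      if [ "$policy" = "strict" ]; then return 1; fi
      return 0 ;;
    fail) return 1 ;;
    *) echo "gate: unknown verdict '$verdict'" >&2; return 2 ;;
  esac
}

# Extract the verdict from a one-line report such as "verdict=warn findings=3"
# (constructed format; substitute whatever the real scanner prints).
verdict_from_report() {
  printf '%s\n' "$1" | sed -n 's/.*verdict=\([a-z]*\).*/\1/p'
}

# Choose the policy from the branch name: protected branches must not merge on warn.
policy_for_branch() {
  case "$1" in
    main|master|release/*) echo strict ;;
    *) echo lenient ;;
  esac
}

# In a real pipeline the report would come from the scanner, e.g.
#   REPORT=$(codeguards-scan --ref "$CI_COMMIT_SHA")   # hypothetical command
# The constructed report below lets the script run offline.
REPORT='commit=abc123 verdict=warn findings=2'
BRANCH="${CI_COMMIT_BRANCH:-feature/example}"

if gate_verdict "$(verdict_from_report "$REPORT")" "$(policy_for_branch "$BRANCH")"; then
  echo "gate: allow ($BRANCH, $REPORT)"
else
  echo "gate: block ($BRANCH, $REPORT)"
fi
```

Failing closed on an unknown verdict matters: if the scanner crashes or its output changes, the job should not silently pass. Replace the final `if` with `gate_verdict ... || exit $?` to make the job status equal the verdict.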

Built for compliance evidence, not just dashboards

Every scan persists a timestamped record: who triggered it, the commit, the verdict, the rationale, and any acceptance decisions. That is the change-management and vulnerability-handling evidence that SOC 2 (CC7.1, CC8.1), ISO/IEC 27001:2013 (Annex A.14.2), and PCI DSS 6.3 expect, already assembled by the time the auditor arrives. CodeGuards does not grant certifications (only auditors do), but you stop scrambling to build the paper trail two weeks before the review.

What CodeGuards remembers

Accumulated project knowledge per repo — suppressions, conventions, fixes and exceptions your team already decided. CodeGuards applies that history on the next diff.

  • accepted suppressions
  • architecture conventions
  • historical fixes
  • repository structure
  • known exceptions
  • team decisions

Used in active engineering workflows

2,000+ code changes reviewed monthly
49+ repositories analyzed
130+ adversarial tests
~9s median feedback
Start free. 14 days, one workspace, one repo, full detection library. No card required, no auto-renewal.
Start reviewing code
Looking for the style / quality / best-practice side instead of vulnerabilities? Code review →