free for open source · no config required

The security reviewer your AI coding assistant doesn't have.

Gitsentry.dev installs as a GitHub App and watches every PR and push. When it finds a vulnerability, it posts a review comment with the exact line, the problem in plain English, and a concrete fix, right where your team already works.


AI code ships fast. Too fast to review.

Cursor, Copilot, and Claude Code let engineers move at 10× speed. But AI models have predictable security blind spots: missing auth checks, unvalidated inputs, hardcoded secrets, and IDOR bugs.

Existing scanners aren't trained on these patterns. Gitsentry.dev is built specifically for the vulnerabilities AI coding tools introduce.

src/routes/users.js
// AI-generated — looks fine at a glance
router.get('/users/:id', async (req, res) => {
  const user = await db.query(
    `SELECT * FROM users WHERE id = $${req.params.id}`
  );
  // No ownership check — any user can fetch any ID
  res.json(user);
});
🔴 CRITICAL · IDOR · line 4
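The route above, as an added example that is not Gitsentry.dev's code: the flagged handler's query construction next to a hardened version that validates the id, binds it as a query parameter, and enforces ownership before touching the database. It assumes a pg-style driver where `db.query(text, params)` takes `$1` placeholders, and an upstream auth middleware that sets `req.user` (hypothetical); the in-memory table and the stand-in `db` are constructed for the example.

```javascript
// Constructed sample table: two accounts with different roles.
const USERS = [
  { id: 1, email: 'alice@example.com', role: 'admin' },
  { id: 7, email: 'bob@example.com', role: 'user' },
];

// Stand-in for a pg-style driver. It accepts only the parameterised lookup
// and records every query so the caller can inspect what reached the "database".
function makeDb() {
  const log = [];
  return {
    log,
    async query(text, params = []) {
      log.push({ text, params });
      if (text !== 'SELECT * FROM users WHERE id = $1') {
        throw new Error('stand-in db only accepts the parameterised lookup, got: ' + text);
      }
      const id = Number(params[0]);
      return { rows: USERS.filter((u) => u.id === id) };
    },
  };
}

// BEFORE: the query text the flagged handler sends. The "$" is a literal character,
// so the raw path parameter is spliced straight into the SQL, and nothing checks
// that the caller may read that row.
function buildVulnerableQuery(req) {
  return `SELECT * FROM users WHERE id = $${req.params.id}`;
}

// AFTER: authenticate, validate, authorise, then query with a bound parameter.
// Returns { status, body } so the handler can be exercised without an HTTP server.
async function getUserHardened(db, req) {
  if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };

  // Accept only a canonical positive integer ("7", not "7abc" or "007").
  const id = Number.parseInt(req.params.id, 10);
  if (!Number.isSafeInteger(id) || id <= 0 || String(id) !== req.params.id) {
    return { status: 400, body: { error: 'invalid id' } };
  }

  // Ownership check before the query: a user reads only their own record,
  // admins may read any. Doing this first also avoids leaking whether the id exists.
  if (req.user.id !== id && req.user.role !== 'admin') {
    return { status: 403, body: { error: 'forbidden' } };
  }

  // The id travels as a parameter, never as part of the SQL text.
  const { rows } = await db.query('SELECT * FROM users WHERE id = $1', [id]);
  if (rows.length === 0) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: rows[0] };
}

// Express wiring for the hardened handler (shape only; assumes `router` and `db` exist):
// router.get('/users/:id', async (req, res) => {
//   const { status, body } = await getUserHardened(db, req);
//   res.status(status).json(body);
// });

module.exports = { USERS, makeDb, buildVulnerableQuery, getUserHardened };
```

Two things worth noting in the hardened version: the ownership check runs before the query, so a non-owner gets the same 403 whether or not the id exists, and the stand-in database rejects any non-parameterised query, which is a cheap way to make the test fail loudly if someone reintroduces string concatenation.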

Findings land directly on your PR

No dashboards to check. No emails to ignore. The review comment shows up the moment your push lands.

gitsentry.dev commented just now

🔐 Gitsentry.dev Security Scan

Found 2 issues in this PR (1 critical, 1 high)


🔴 CRITICAL · Hardcoded Secret

File: src/services/payment.js · Line: 12

const stripeKey = "sk_live_abc123...";

Issue: Live Stripe secret key hardcoded in source. Anyone with repo access can use this key.

Fix: Move to process.env.STRIPE_SECRET_KEY and rotate the exposed key immediately.


Powered by Gitsentry.dev · View full report · False positive?

How it works

From install to first finding in under two minutes.

01

Install the GitHub App

One click. No config files. Gitsentry.dev gets read access to your diffs and write access to post comments.

02

Push code or open a PR

Gitsentry.dev receives the webhook, fetches the diff, and runs AI security analysis in the background.

03

Get findings as review comments

Findings appear directly on your PR or commit, with the exact line, the problem in plain English, and a one-line fix.

What Gitsentry.dev catches

Diff-aware checks plus adversarial sweep categories tuned for the patterns AI coding assistants introduce.

🔑 Hardcoded Secrets: API keys, tokens, passwords left in source code
🚪 Missing Auth: New routes or endpoints with no authentication check
💉 SQL Injection: User input concatenated directly into SQL queries
🔓 IDOR: User-supplied IDs fetched without an ownership check
📢 Verbose Errors: Stack traces or DB errors exposed to the client
⚠️ Unvalidated Input: User input passed to dangerous operations unsanitised
🚦 Missing Rate Limit: Auth endpoints or sensitive actions with no rate limiting
📁 Path Traversal: User input used in file system operations
🌐 XSS: Unsanitised user content rendered in HTML responses
↩️ Open Redirect: User-controlled redirect URLs
🧭 Auth Logic Abuse: Privilege escalation, session bugs, CSRF, and replay attacks
🧨 Advanced Exploit Chains: Race conditions, cache poisoning, and multi-step attack paths
📦 Supply Chain Risk: Vulnerable packages, unsafe imports, and dependency behavior
☁️ Infra Misconfig: CORS, missing headers, debug exposure, and cloud storage risks

MIT Licensed

Open source and self-hostable

Gitsentry.dev is built to be inspected, forked, and run on your own infrastructure. Audit the prompt, point the GitHub App at your webhook, and keep your findings in your Supabase project.

View source on GitHub →

Start catching vulnerabilities today.

One click to install. Works on every PR and push, immediately.

Install GitHub App, it's free →