AI-Native SAST
The SAST that understands the data flow, not just patterns.
Classic static analysis matches patterns and drowns you in false positives. Our SAST does something else: a deterministic engine traces the data flow from source to sink, then an LLM agent re-reads the code to decide exploitability and crush false positives before they land in your backlog. Every finding comes with its taint chain, a plain explanation and a readable remediation, in an editable report. This is the core of the SecAI platform, built by an OSWE-certified pentester and hosted in the EU. Pre-launch product: we only describe what already runs today.
- Source to sink
- Multi-file taint tracking, not a pattern on a line
- AI agent triage
- False positives cut before they reach your backlog
- 14 languages in depth
- Sources, sanitizers and sinks, plus 5 in light support
Fonctionnalités
Tout ce qu'il faut pour sécuriser, sans le superflu.
Contextual taint-based SAST
We trace the data flow from the source up to the sensitive sink, across functions and files, not just a pattern on a single line. Every finding shows its source to sanitizer to sink chain, so you can see why it was flagged. Real depth on 14 languages: Python, JS/TS and Java first, then Go, PHP, Ruby, Kotlin, C, C++, C#, Rust, Swift, Scala and Bash.
Agent verification, fewer false positives
A deterministic pre-pass (tree-sitter + taint) discards cases with no source or already sanitized before any model call. On top of that, a LangGraph agent re-reads the code through AST analysis tools to confirm or dismiss what remains. You triage what matters, not a dump of alerts.
Prioritisation by real exploitability
The agent decides exploitability instead of spitting out an isolated CVSS score. A reachable, chainable finding rises to the top, a dead case or one already covered by a sanitization step sinks to the bottom. You fix what an attacker actually reaches, not a list sorted by theoretical severity.
Readable explanation and remediation
Every finding comes with its taint chain, a plain-language explanation of the flaw and a concrete remediation. On applicable cases, SecAI can open a PR (GitHub) or an MR (GitLab) that applies the fix in place, or drop a patch in .secai/fixes/. The fix goes through your usual review before merge, nothing is applied behind your back.
Plugged into GitHub, native SARIF
A GitHub App plus a GitHub Action with SARIF export, severity gate and PR comment: findings land where the code changes, not in a dashboard read too late. GitLab is supported as a source (comments and MR opening). Jenkins, self-hosted runners and other CI go through the secai CLI (SARIF/JSON output).
Editable reports, continuously
Editable HTML report, server-side SARIF export and Slack, webhook or email notifications on every scan. Analysis runs on push, PR and on a cron schedule, so static coverage does not stop between two audits. Final human validation remains the work of our pentesters, a separate offering that SecAI extends, not replaces.
Comment ça marche
Du setup à la première alerte.
- 01
1. You connect your repository
GitHub via the GitHub App, GitLab via OAuth or token. Read-only access, scope limited to the repositories you tick. No fork, no commit pushed into your code without your action. Data deletion on request, encryption at rest.
- 02
2. Taint follows your data flows
Tree-sitter spots the sensitive sinks, the taint engine walks the source to sink chain, inside a file then across files and modules. The deterministic pre-pass discards unreachable or already sanitized cases before calling the LLM. Every finding shows its full taint chain: you see why it was flagged, not an opaque verdict.
- 03
3. The agent decides exploitability
A LangGraph agent re-reads the code around each candidate with AST inspection tools, confirms the real cases, kills the false positives and ranks what remains by real exploitability. The scan runs on every push or pull request and on a cron schedule, so static coverage does not stop between two pentests.
- 04
4. Report, remediation and CI/CD
Editable HTML report with explanation and remediation, native SARIF export for GitHub Code Scanning, PR or MR comments, Slack alerts, webhook or email. The GitHub Action sets a configurable severity gate in your pipeline. GitLab, Jenkins and self-hosted runners go through the secai CLI. Final human verification remains the business of our OSWE pentests, a separate offering.
Bénéfices
L'impact concret pour vos équipes.
A SAST that stops drowning devs
The pre-pass runs deterministically first: tree-sitter spots the sinks, the taint engine walks the source to sanitizer to sink chain. Anything with no attackable source or already sanitized is discarded before the slightest model call. Only the cases that survive go to the LLM verifier, which triages them to cut false positives. Your developers see the full data chain in the interface, not an opaque verdict, and stop closing tickets as won't fix.
Context decides, not the pattern
A pattern-based SAST does not know whether the input is really attacker-controlled, nor whether a sanitization step neutralises it along the way: it flags, you triage by hand. Here, the agent reads the code around the finding, follows the data and decides exploitability. Two identical lines get two different verdicts if the context differs. That is what drops the noise: the decision is about the real flow, not a regex.
From finding to fix, without switching tools
Every finding is ready to handle: visible taint chain, plain explanation, proposed remediation. When the fix is applicable, SecAI opens a PR or an MR directly, otherwise it drops a patch. Editable HTML report, Code Scanning-compatible SARIF export, Slack, webhook or email notifications: everything comes out of the same place, without stacking three tools that don't talk to each other.
Pourquoi own2pwn
Ce qu'on fait différemment.
AI to triage, not to chat
The pre-pass is deterministic: tree-sitter spots the sinks, the taint engine walks the data flow to its destination. This step consumes no validation and discards cases with no source or already sanitized before any model call. Only the candidates that survive go to the LLM verifier, which kills the false positives. No chatbot, no opaque verdict: every finding shows its taint chain, so the reason for the flag.
Prioritised by what an attacker reaches
A useful SAST does not hand back a list sorted by theoretical severity. The agent decides exploitability from the code: what is reachable, what is chainable, what gets neutralised along the way. The ranking starts there, not from an isolated CVSS. You spend less time triaging and more time fixing what actually matters.
Built by an OSWE pentester
This SAST does not come out of a data team. The detection and prioritisation logic comes from real exploitation: what an attacker actually reaches, what deserves a fix, what can be deduced from the code alone. The OSWE certification is precisely about exploiting white-box application vulnerabilities, exactly where SAST plays out.
Hosted in the European Union
Your code is stored in the EU (Germany), encrypted at rest, with GDPR purge on request. For analysis, it is sent to Anthropic's Claude models served through Google Cloud Vertex AI in a European region: neither Google nor Anthropic uses your data to train their models. A CISO keeps a clear processing chain to document, without a three-week legal review.
Des tarifs lisibles, sans surprise.
- 2 repositories
- Unlimited deterministic pre-pass (SAST, SCA, IaC, secrets)
- 20 AI validations / month, up to 10 scans per day
- Scans on push/PR and cron-scheduled
- HTML report and SARIF export
- Community support
- Unlimited repositories
- 250 AI validations / month, up to 200 scans per day
- LLM agent verification and attack-path correlation
- GitHub App, SARIF Action, severity gate and auto-fix PR/MR
- Slack, webhook and email notifications
- Extra validation at €0.30 (pay-as-you-go), up to 5 users
- Unlimited repositories
- 750 AI validations / month
- SSO / SAML and RBAC
- Priority analysis queue
- Extra validation at €0.30 (pay-as-you-go)
- Up to 15 users
- Negotiated validation volume
- SSO / SAML / SCIM, audit logs
- Self-hosted runner, dedicated deployment
- Stronger SLA, compliance support (GDPR, ISO, SOC 2)
- Coupling with own2pwn pentests and EASM
Questions fréquentes
Ce que vous voulez probablement savoir.
Parlons de votre besoin.
Démo, devis ou question technique : réponse sous 48 h ouvrées.