Securie for GitHub — auto-scan every pull request
The Securie GitHub App is being built in private beta. Installed as a standard GitHub App (one click per repo), Securie reviews every pull request the same way a senior security engineer would — reads the diff, reproduces any exploitable change in a sandboxed copy of the app, writes the fix as a PR comment, and lets you merge it with one tap. The goal is to be invisible on clean PRs and loud on the ones that matter.
What it does
Reads your code at pull-request time. Runs the relevant specialist scanners (Supabase RLS, Next.js middleware, leaked secrets, broken access control, prompt injection) against the diff. Reproduces each exploitable finding in a sandboxed Firecracker VM that boots your app. Writes the patch as a PR comment with context (`Vulnerability reproduced: line 42 allows unauthenticated access to <table>. Commit this suggestion to fix`). Checks itself by running the exploit against the patched code. If regression tests pass, the finding ships as a one-tap merge.
When to use it
Best fit: any team shipping to Vercel / Supabase / Next.js that reviews at least one PR per week. Works well for solo founders (as a second pair of eyes) and for teams of 5–50 engineers (as a pre-merge gate). Less useful if you already have a dedicated AppSec team running Snyk + CodeQL + Semgrep at scale — in that case Securie complements rather than replaces.
Limitations
Pre-launch; not installable today. Launch coverage is TypeScript / JavaScript on Next.js + Supabase. Other languages and frameworks are post-GA. Sandbox verification adds 5–30 seconds per exploitable finding to total PR time; clean PRs see the static-analysis latency only (~60 seconds).
Install
- When live: visit github.com/apps/securie
- Click Install, pick the repositories you want Securie to watch (all or per-repo)
- Grant the requested scopes (read code, write PR comments, read metadata)
- Push any commit — findings appear on the PR within 60–180 seconds
- Click 'Commit suggestion' on any fix PR comment to merge