Securie for GitHub — auto-scan every pull request
Status: in-progress
The Securie GitHub App installs as a standard GitHub App (one click per repo). Securie reviews every pull request the way a senior security engineer would: it reads the diff, reproduces exploitable changes in a sandboxed copy of the app where possible, posts the fix as a PR comment, and lets you apply it with one click. The goal is to be invisible on clean PRs and loud on the ones that matter.
What it does
Reads your code at pull-request time. Runs the relevant specialists (Supabase RLS, broken auth and access control, leaked secrets, plus AuthAuthz applied to Next.js middleware patterns) and the RAG-guard prompt-injection defence against the diff. Reproduces each exploitable finding in a sandboxed Firecracker VM that boots your app. Writes the patch as a PR comment with context (`Vulnerability reproduced: line 42 allows unauthenticated access to <table>. Commit this suggestion to fix`). Checks itself by re-running the exploit against the patched code in the same sandbox. Only if the exploit no longer reproduces and the regression tests still pass does the finding ship as a one-click suggestion.
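A worked example of the kind of finding the broken-auth / Next.js-middleware specialist is after, added here as an illustration and not taken from Securie's code or from the page: a `middleware.ts` whose `matcher` gates the dashboard but forgets the admin API, so `/api/admin/users` is reachable unauthenticated. The app routes, the public-route list and the matcher configs are hypothetical, and the matcher-to-regex conversion is a simplified reading of the path-to-regexp syntax Next.js uses (literal segments, `:name`, `:name*`, `:name+`), not the framework's own implementation. The `patchVerified` function models the page's own loop: the exploit must reproduce before the patch, fail after it, and no previously gated route may lose coverage.

```typescript
// Added example (not Securie's code). Assumed, hypothetical app: routes in
// APP_ROUTES, auth enforced only by middleware.ts, so any non-public route the
// matcher misses is reachable without a session.

// Convert one Next.js-style matcher pattern into a RegExp (simplified syntax).
function matcherToRegExp(pattern: string): RegExp {
  const parts = pattern.split("/").filter((p) => p.length > 0);
  let re = "^";
  for (const part of parts) {
    if (part.startsWith(":") && part.endsWith("*")) {
      re += "(?:/[^/]+)*"; // :name*  -> zero or more segments
    } else if (part.startsWith(":") && part.endsWith("+")) {
      re += "(?:/[^/]+)+"; // :name+  -> one or more segments
    } else if (part.startsWith(":")) {
      re += "/[^/]+"; // :name   -> exactly one segment
    } else {
      re += "/" + part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // literal
    }
  }
  return new RegExp(re + "/?$");
}

// Routes the middleware actually runs for, out of the app's known routes.
function coveredRoutes(matcher: string[], routes: string[]): string[] {
  const regs = matcher.map(matcherToRegExp);
  return routes.filter((r) => regs.some((re) => re.test(r)));
}

// The finding: routes that are neither public nor covered by the matcher.
function unprotectedRoutes(matcher: string[], routes: string[], publicRoutes: string[]): string[] {
  const covered = new Set(coveredRoutes(matcher, routes));
  const pub = new Set(publicRoutes);
  return routes.filter((r) => !covered.has(r) && !pub.has(r));
}

// Simulated exploit: an unauthenticated request succeeds iff the route never
// hits the middleware (which would otherwise redirect or 401 it).
function exploitSucceeds(matcher: string[], route: string, publicRoutes: string[]): boolean {
  return unprotectedRoutes(matcher, [route], publicRoutes).length === 1;
}

// Constructed sample app (hypothetical).
const APP_ROUTES = ["/", "/login", "/dashboard", "/dashboard/settings", "/api/admin/users", "/api/health"];
const PUBLIC_ROUTES = ["/", "/login", "/api/health"];

// Vulnerable config: only the dashboard is gated.
const MATCHER_BEFORE = ["/dashboard/:path*"];
// Patched config: the admin API is gated too.
const MATCHER_AFTER = ["/dashboard/:path*", "/api/admin/:path*"];

// Self-check: ship only if the exploit reproduced before the patch, fails after
// it, and no route that was covered before has lost coverage (regression).
function patchVerified(before: string[], after: string[], route: string): boolean {
  const reproduced = exploitSucceeds(before, route, PUBLIC_ROUTES);
  const stillExploitable = exploitSucceeds(after, route, PUBLIC_ROUTES);
  const coveredAfter = new Set(coveredRoutes(after, APP_ROUTES));
  const regressed = coveredRoutes(before, APP_ROUTES).some((r) => !coveredAfter.has(r));
  return reproduced && !stillExploitable && !regressed;
}

// Stand-alone run: report the finding and whether the patch verifies.
console.log("unprotected before patch:", unprotectedRoutes(MATCHER_BEFORE, APP_ROUTES, PUBLIC_ROUTES));
console.log("unprotected after patch:", unprotectedRoutes(MATCHER_AFTER, APP_ROUTES, PUBLIC_ROUTES));
console.log("patch verified:", patchVerified(MATCHER_BEFORE, MATCHER_AFTER, "/api/admin/users"));
```

The regression check matters in practice: a patch that replaced `/dashboard/:path*` with `/api/admin/:path*` would close the reported hole while silently opening the dashboard, which is exactly why the exploit is re-run against the patched code rather than the patch being trusted on its own.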
When to use it
Best fit: any team shipping to Vercel / Supabase / Next.js that reviews at least one PR per week. Works well for solo founders (as a second pair of eyes) and for teams of 5–50 engineers (as a pre-merge gate). Less useful if you already have a dedicated AppSec team running Snyk + CodeQL + Semgrep at scale — in that case Securie complements rather than replaces.
Limitations
Managed rollout. Current coverage is strongest for TypeScript / JavaScript on Next.js + Supabase. Other languages and frameworks receive a baseline review until deeper specialists are enabled. Sandbox verification adds 5–30 seconds per exploitable finding to total PR time; clean PRs see only the static-analysis latency (~60 seconds).
Install
- Visit github.com/apps/securie once your repository has been enabled for the managed rollout
- Click Install, pick the repositories you want Securie to watch (all or per-repo)
- Grant the requested permissions (read code, write PR comments, read metadata; in GitHub's permission names: Contents read-only, Pull requests read and write, Metadata read-only)
- Open a pull request, or push to an open one; findings appear as PR comments within 60–180 seconds
- Click 'Commit suggestion' on any fix comment to commit the patch to the PR branch, then merge the PR as usual