Security scanning

Ship code that's been reviewed for security — on every pull request.

docs-keeper reviews each change for common vulnerability classes the moment a PR opens — and drafts the fix for you to approve. No new dashboards, no agents to babysit. It runs inside the GitHub workflow your team already uses.

Every pull request, reviewed for vulnerabilities — before it merges.

docs-keeper reads each diff for leaked secrets, injection, and unsafe patterns — then drafts the fix as a pull request you review. A security-minded teammate on every change.

routes/users.ts (+4)
router.get('/users/:id', async (req, res) => {
+ const id = req.params.id;
+ const q = "SELECT * FROM users WHERE id = " + id;
+ const rows = await db.raw(q);
+ res.json(rows);
});
docs-keeper · security review
High · SQL injection · CWE-89

routes/users.ts:3

User input is concatenated into the SQL string, letting an attacker alter the query.

Fix · Use a parameterized query: db.raw('… WHERE id = ?', [id])
Fix PR #128 opened

You review every fix — nothing merges automatically.

How it works

Step 1

Detect

On every pull request, docs-keeper reads the diff with deterministic rules and a semantic review — looking only at what changed.

Step 2

Review

Findings are posted as a check and a comment on the PR — severity, file and line, the weakness class, and a clear recommendation.

Step 3

Fix

For issues it can safely patch, docs-keeper drafts a fix PR against your branch. You review and merge it — nothing happens automatically.
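As an added illustration of steps 1 and 2 (not docs-keeper's own code), here is a minimal deterministic rule of the kind a diff-based review runs: it reads a unified diff, inspects only the added lines, and reports the file, new-file line number and weakness class for SQL built by string concatenation. The diff below is constructed from the finding card above and assumes a `db.raw` helper that takes a query string and an optional parameter array.

```javascript
// Added example, not docs-keeper's code: a deterministic CWE-89 rule that walks
// a unified diff, looks only at added lines, and reports file plus new-file line
// number so the finding can be posted as a PR check or comment.

// Constructed sample diff: the concatenated query from the card above, plus a
// parameterized query in a second file that the rule must not flag.
const SAMPLE_DIFF = `--- a/routes/users.ts
+++ b/routes/users.ts
@@ -10,3 +10,7 @@
 router.get('/users/:id', async (req, res) => {
+  const id = req.params.id;
+  const q = "SELECT * FROM users WHERE id = " + id;
+  const rows = await db.raw(q);
+  res.json(rows);
 });
--- a/routes/orders.ts
+++ b/routes/orders.ts
@@ -5,2 +5,3 @@
 router.get('/orders/:id', async (req, res) => {
+  const rows = await db.raw('SELECT * FROM orders WHERE id = ?', [req.params.id]);
   res.json(rows);
 });
`;

// A quoted SQL statement followed by "+" is the concatenation shape this rule flags.
const SQL_CONCAT = /(["'])\s*(select|insert|update|delete)\b[^"']*\1\s*\+/i;

function scanDiff(diff) {
  const findings = [];
  let file = null;
  let newLine = 0;
  for (const raw of diff.split('\n')) {
    if (raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw.startsWith('-')) continue; // "---" headers and removed lines: no new-file line
    const added = raw.startsWith('+');
    if (added && file && SQL_CONCAT.test(raw.slice(1))) {
      findings.push({ file, line: newLine, severity: 'high', cwe: 'CWE-89',
        message: 'User input concatenated into the SQL string; use a parameterized query.' });
    }
    if (added || raw.startsWith(' ')) newLine += 1; // added and context lines both advance
  }
  return findings;
}
```

Running `scanDiff(SAMPLE_DIFF)` yields one finding at routes/users.ts line 12; the parameterized query in routes/orders.ts produces none, which is the behaviour the drafted fix relies on.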

What it catches

1 critical · 6 high · 3 medium

A hybrid of high-precision rules and a semantic review covers the vulnerability classes behind the OWASP Top 10. Every finding arrives with evidence — the exact file and line, the CWE identifier, the risk, and a recommended fix:

critical · CWE-798

Hardcoded secret committed

src/config.ts:8

A live AWS key pushed in plaintext — exposed to anyone with repo access.

high · CWE-89

SQL injection

routes/users.ts:42

User input concatenated into a query, letting an attacker rewrite it.

high · CWE-78

Command injection

lib/exec.ts:19

A shell command built from request data — remote code execution risk.

high · CWE-79

Cross-site scripting (XSS)

views/profile.tsx:31

Unescaped user HTML rendered to the page, running attacker script.

high · CWE-862

Broken authorization

api/orders.ts:23

An endpoint missing an ownership check — users can read others’ data.

high · CWE-918

Server-side request forgery

webhooks/send.ts:28

An outbound URL taken straight from the request body (SSRF).

high · CWE-502

Insecure deserialization

api/import.ts:54

An untrusted payload deserialized directly into objects.

medium · CWE-327

Weak cryptography

auth/hash.ts:12

Passwords hashed with MD5 — trivially crackable today.

medium · CWE-295

Disabled TLS verification

client/http.ts:7

Certificate validation switched off, opening the door to MITM.

medium · CWE-22

Path traversal

files/read.ts:16

A user-supplied path joined without sanitizing ../ sequences.

Detection classes shown with illustrative locations. Coverage is broad, not exhaustive — see what it is and isn’t below.

What it is

  • An automated security review on every pull request.
  • A catch for common, high-impact mistakes before they merge.
  • A draft fix you review — never an automatic merge.

What it isn't

  • A penetration test or a guarantee of complete coverage.
  • A replacement for a security team or a formal audit.
  • A reason to skip your own review — it assists, it doesn't decide.

Turn on security review for your repos

Connect a repository and docs-keeper reviews the next pull request automatically. Included on every paid plan.