AI code reviews, free for open-source projects

The code reviewer that takes security seriously.

A CWE-tagged review on every code change. Catches the supply-chain backdoor you'd have merged at 5pm on a Friday, plus the usual secrets and injection bugs. Free for public repos, forever.

  • GitHub + GitLab
  • No credit card
How it works

One install. Security review on every PR.

Step 01

Connect your source host

Open app.foundationmachines.ai/connect and install once. Connect supports GitHub and GitLab SaaS.

Step 02

Security review runs on every PR

On open and push, Sebastion runs an AI code audit plus dependency CVE and verified-secret checks, then posts a fast walkthrough with pre-merge sanity checks.

Step 03

Fixes and blockers appear inline

Findings land on the exact changed line with severity and MITRE CWE context. Small patches include one-click suggestions; critical findings can block auto-merge.

Inline review

A security review, right where you merge.

Sebastion posts findings as review comments on the pull request, with the exact lines to change, before anything ships.

Open

feat: Adding chat generation #53417

lewiswigmore wants to merge 2 commits into main from lewiswigmore/feature

Sebastion bot reviewed 2 minutes ago
api/chat/route.ts

```typescript
// Excerpt as shown in the review; the handler continues past this point.
import { NextRequest, NextResponse } from "next/server";

export async function POST(req: NextRequest) {
  const { userId, messages } = await req.json();
  // Reject a body whose userId does not match the authenticated user.
  if (userId !== req.user.id) {
    return NextResponse.json(
      { error: "Unauthorized" },
      { status: 401 },
    );
  }
  const stream = await generateChat(messages);
  // ... excerpt ends here
}
```
Sebastion bot · Critical

Missing authorization check allows user impersonation. Add a user ID validation before processing requests.

CWE-862 · Missing Authorization
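The CWE-862 pattern from the sample review, as an added example that is not Sebastion's code: the vulnerable handler beside the hardened one, modelled without Next.js so it runs stand-alone. The session and body shapes are assumed.

```typescript
// Added example (not from the page's product): body-supplied userId vs. session identity.
export type ChatBody = { userId: string; messages: string[] };
export type Session = { userId: string } | null; // assumed session shape
export type Result = { status: number; body: Record<string, unknown> };

// Parses the JSON body the route would read with `await req.json()`; returns null
// on malformed input instead of letting a parse error surface as a 500.
export function parseChatBody(raw: string): ChatBody | null {
  try {
    const v = JSON.parse(raw);
    if (typeof v?.userId !== "string" || !Array.isArray(v.messages)) return null;
    if (!v.messages.every((m: unknown) => typeof m === "string")) return null;
    return { userId: v.userId, messages: v.messages };
  } catch {
    return null;
  }
}

// Vulnerable shape: the caller-supplied userId is trusted and never compared
// with the authenticated identity, so any caller can act as any user (CWE-862).
export function handleChatVulnerable(session: Session, raw: string): Result {
  const body = parseChatBody(raw);
  if (!body) return { status: 400, body: { error: "Bad Request" } };
  return { status: 200, body: { user: body.userId, count: body.messages.length } };
}

// Hardened shape: require a session, then reject a body that claims a different
// user. The review snippet above answers the mismatch with 401; 403 is used here
// because the caller is authenticated but not allowed to act as that user.
export function handleChatFixed(session: Session, raw: string): Result {
  if (session === null) return { status: 401, body: { error: "Unauthorized" } };
  const body = parseChatBody(raw);
  if (!body) return { status: 400, body: { error: "Bad Request" } };
  if (body.userId !== session.userId) {
    return { status: 403, body: { error: "Forbidden" } };
  }
  // Downstream work keys off the session identity, never the body's claim.
  return { status: 200, body: { user: session.userId, count: body.messages.length } };
}
```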
Product surfaces

Built for review workflows, not another dashboard

Security context appears where developers already approve changes.

Code context

Diff-aware findings, not generic lint noise.

Sebastion reviews the changed lines in context, then posts CWE-tagged findings with fix suggestions when the patch is small and safe.

Learning loop

Teach once, reuse on future audits.

Reply @sebastionai in-thread to clarify intent or suppress noisy checks. AGENTS.md and related instruction files are reused from your base branch.

Workflow surfaces

Security in PRs first, dashboard second.

Walkthroughs and pre-merge checks land in PR/MR threads with inline findings. Pro and Team can also publish SARIF to the GitHub Security tab.

Ecosystem

No team secures AI code alone.

Sebastion plugs into the source hosts, AI tools, and frameworks your team already ships with, then applies framework-aware checks across the whole stack.

Source hosts
  • GitHub
  • GitLab
  • Azure DevOps
  • Bitbucket

AI coding tools
  • Claude
  • OpenAI
  • Codex
  • GitHub Copilot
  • Cursor

Frameworks
  • JavaScript
  • TypeScript
  • Python
  • Go
  • Rust
  • Next.js
Product preview

Open a sample PR folder to see issue context and fixes.

Illustrative examples of the kind of PR/MR guidance Sebastion posts inline before merge.

Deployment token committed in OAuth callback helper.

Reviewer context for PR #218: this branch introduces a new login callback route. The fix keeps rollout behavior while preventing future secret exposure in source.

Issue summary

A hardcoded `DEPLOY_TOKEN` was added while debugging OAuth callback failures. Anyone with repository read access can reuse it to trigger production deployments.

Suggested fix

src/auth/callback.ts

```diff
 // Resolve the deployment token for this callback.
-const deployToken = "fmdeploy_live_8f3a91c4e7b2";
+const deployToken = process.env.DEPLOY_TOKEN;
+if (!deployToken) throw new Error('DEPLOY_TOKEN is required');
```

Move the secret to environment configuration, remove the committed value from git history if it was real, and rotate the token immediately.
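As an added example (not Sebastion's own scanner), the two halves of the guidance above: a line-level detector for a committed deployment token of the kind in the sample PR, and the env-based lookup that fails fast when the token is absent. The token prefix is taken from the sample; the scanned source lines are constructed.

```typescript
// Added example, not the product's code. The regex and sample lines are constructed.
export type Finding = { line: number; cwe: string; message: string };

// A string literal that looks like a live deployment token (prefix from the sample PR).
const TOKEN_LITERAL = /["'`](fmdeploy_live_[0-9a-f]{8,})["'`]/;

// Walks the given source text and reports every line carrying a token literal.
export function scanForHardcodedTokens(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    const m = TOKEN_LITERAL.exec(text);
    if (m) {
      findings.push({
        line: idx + 1,
        cwe: "CWE-798", // Use of Hard-coded Credentials
        message: `hardcoded deployment token ${m[1].slice(0, 14)}...; read DEPLOY_TOKEN from the environment and rotate the committed value`,
      });
    }
  });
  return findings;
}

// The corrected pattern from the suggested fix: resolve from configuration and
// fail fast when it is missing, so a misconfigured deploy cannot run with no token.
export function resolveDeployToken(env: Record<string, string | undefined>): string {
  const token = env.DEPLOY_TOKEN;
  if (!token) throw new Error("DEPLOY_TOKEN is required");
  return token;
}

// Constructed source excerpt mirroring the sample PR: line 2 is the finding.
export const SAMPLE_SOURCE = [
  "// Resolve the deployment token for this callback.",
  'const deployToken = "fmdeploy_live_8f3a91c4e7b2";',
  "const fixedToken = process.env.DEPLOY_TOKEN;",
].join("\n");
```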

By the numbers

What every code review gets.

Four review surfaces, one inline thread per finding, free forever on public repos.

  • 5: review surfaces per PR
  • <30s: from push to first comment
  • Inline: findings on the offending line
  • Free: forever on every public repo
Pricing

Pick a tier, not a model.

Free for public repos. Pro is $19/mo for one developer. Team is pay-as-you-go with credit packs, with unlimited users and repos.

Free
$0 forever

For solo developers and OSS maintainers shipping in public.

  • Public repos only
  • Walkthrough + pre-merge checks on every PR
  • Inline security review with CWE-tagged findings
  • OSV.dev CVE detection + secret scanning
  • Up to 50 PR audits / repo / month
Try for free

Pro
$19 / month

For 1 developer working in private repos.

  • Private repos
  • Autofix PR drafts on critical findings
  • Higher-reasoning frontier model
  • Unlimited audits
  • Inline SARIF in GitHub Security tab
Try for free

Open source

Trusted OSS projects where Sebastion is already shipping.

Merged pull requests from Sebastion across widely used open-source repos.

Compared to

Where Sebastion fits among the AI tools you already use.

Most AI-for-code tools help you write code faster. Sebastion is the counterweight: an autonomous reviewer that reads every PR and flags exploitable bugs before they ship.

Catch security bugs before merge.

Open Connect, choose your source host, and review your next pull or merge request in under a minute.

  • GitHub + GitLab
  • No credit card