Sebastion AI · by Foundation Machines

An autonomous security reviewer that lives on your pull requests.

Install once. Sebastion runs three scanner classes on every PR — stack-aware AI SAST, regex-based secret detection, and OSV.dev SCA — and posts findings as inline review comments tagged with severity and CWE id, with a concrete fix. Free for public repos.

github.com/acme/agents · issue #128 · live
Sebastion AI · opened just now

Sebastion AI security audit: PR #42

Cloning repository at PR head…

  • 3 scanner classes per audit
  • 12 stack-aware framework profiles
  • Inline, line-level review comments
  • Free on every public repo
What Sebastion does

Three scanners. One issue. One concrete fix.

Sebastion is not a model — it is an agent. It composes deterministic scanners (OSV-Scanner) with frontier-model reasoning (Claude) to turn diffs into actionable security findings.

SAST

Stack-aware vulnerability reasoning.

Sebastion knows your stack — Django, FastAPI, Flask, Next, Express, Go, Spring, Rust — and applies the framework-specific vulnerability checklist on every PR. Catches injection, broken auth, insecure crypto, unsafe deserialisation, SSRF, path traversal and the long tail of OWASP Top 10 issues with the diff as context.

Secrets

Verified credentials, before they merge.

Regex-based detection for AWS access keys, GitHub PATs (classic + fine-grained), OpenAI / Anthropic / Stripe / Slack / Google API keys, JWTs (with header validation), and private-key blocks. Diff-additions only, with EXAMPLE / placeholder filtering to keep the false-positive rate low.
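As an added illustration of the diff-additions-only secret scan with EXAMPLE / placeholder filtering described above (example code written for this page, not Sebastion's own scanner): it walks a unified diff, applies key-shape patterns only to `+` lines, tracks the new-file line number so a finding can be placed on the offending line, and suppresses lines that carry placeholder markers. The rule ids, severities, patterns and the sample diff are assumptions constructed for the example.

```python
import re

# Rules assumed for this example (Sebastion's real rule set is not on this page):
# (rule id, severity, CWE, compiled pattern), using the vendors' documented key prefixes.
RULES = [
    ("aws-access-key-id", "high", "CWE-798", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat-classic", "high", "CWE-798", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("github-pat-fine-grained", "high", "CWE-798", re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b")),
    ("private-key-block", "critical", "CWE-321", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# Markers that flag a value as documentation or placeholder rather than a live credential.
PLACEHOLDER = re.compile(r"EXAMPLE|PLACEHOLDER|YOUR_|CHANGEME|X{8,}", re.IGNORECASE)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff: str) -> list[dict]:
    """Scan only the '+' lines of a unified diff and return CWE-tagged findings."""
    findings, path, new_line = [], None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):                 # new-file header: "+++ b/path"
            path = raw[4:].split("\t")[0].removeprefix("b/")
        elif raw.startswith(("--- ", "\\", "diff ", "index ")):
            continue                               # old-file header, git metadata, "\ No newline"
        elif (m := HUNK.match(raw)):
            new_line = int(m.group(1))             # first new-file line number of the hunk
        elif raw.startswith("+"):
            text = raw[1:]
            if not PLACEHOLDER.search(text):       # whole-line filter: trades recall for precision
                for rule_id, severity, cwe, pattern in RULES:
                    for hit in pattern.finditer(text):
                        findings.append({"path": path, "line": new_line, "rule": rule_id,
                                         "severity": severity, "cwe": cwe,
                                         "match": hit.group(0)[:8] + "…"})  # never echo the full secret
            new_line += 1
        elif not raw.startswith("-"):              # context line advances; a removed line does not
            new_line += 1
    return findings

# Constructed sample diff: the first key is the placeholder from AWS's own documentation,
# the other two values are made up for this example and are not real credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,4 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = "AKIAQ2ZL7HTYM6GWPXR3"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
"""
```

`scan_diff(SAMPLE_DIFF)` reports two findings on `config/settings.py` lines 12 and 13 and skips the documented AWS placeholder on line 11; the truncated `match` field is what would be safe to quote in a review comment.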

SCA

OSV-Scanner on every dep manifest change.

When `package.json`, `requirements.txt`, `go.mod`, `Cargo.toml`, `Gemfile.lock` or any supported manifest changes, Sebastion queries OSV.dev for known CVEs against the new versions. Real CVE ids, NVD advisory links, and concrete fix versions land as findings on the same PR.

Output

Inline PR review comments, CWE-tagged.

Findings post as line-level review comments on the offending change, tagged with severity emoji and a MITRE CWE link. Critical findings flip the review to CHANGES_REQUESTED so the PR is blocked from auto-merge. No new dashboard to learn, no email digest, no separate scanner repo.

How it works

From PR open to filed finding in under a minute.

Same pipeline on every push. Re-runs incrementally when you push a fix, so the issue body stays in sync with HEAD.

Step 01

Install on GitHub

One click on github.com/apps/sebastionai. Sebastion gets scoped, short-lived read access to the repos you choose. No PATs, no SSH keys, no seat invitations.

Step 02

Audit on every PR open or push

On every PR event, Sebastion fetches the diff via the GitHub API and routes it through the three scanners in parallel. No code clone, no source persisted, ephemeral execution.

Step 03

Run three scanners in parallel

Stack-aware AI audit (Claude Sonnet 4.6 on Free, Opus on Pro+) for SAST. OSV.dev for SCA on any manifest changes. Regex-based secret detection over diff additions. Findings are merged, deduplicated and severity-sorted.

Step 04

Post inline review + flip merge state

Findings land as inline review comments on the offending lines, each with severity, rule id, CWE link, and a concrete fix. Critical findings set the review to CHANGES_REQUESTED. The audit re-runs on every push and never blocks the merge when no critical findings exist.

The models behind Sebastion

Pick a tier, not a model.

Each tier wires Sebastion to the right model for the job. Routed via OpenRouter so we can swap the underlying provider without changing your install.

Free
$0, forever

Public repos, stack-aware AI, OSV CVEs + secret scan.

Powered by Claude Sonnet 4.6.

Install on GitHub
Pro (coming soon)
$19 / developer / month

Private repos, Opus reasoning, autofix PR drafts.

Powered by Claude Opus 4.7.

Team (coming soon)
$39 / developer / month

Multi-org, custom rules, multi-model cross-check.

Opus 4.7 + cross-check across vendors.

Enterprise
Custom

Self-host runner inside your VPC, SSO, SOC 2, SLA.

Best frontier models on request.

Talk to us

Full feature comparison and per-developer billing details on the pricing page.

Who uses Sebastion

Three audiences. One install.

OSS maintainers

Free, in-issue, no service to run.

Sebastion installs in a click and reviews every PR from a contributor. No new build step, no separate scanner repo, no badge fatigue. Public repos are free forever.

AI startups

Catch the security bugs before merge.

AI codebases ship fast and the model writes a lot of the diff. Sebastion is the second pair of eyes that doesn't get tired — calling out the SQL injection, the leaked key, the vulnerable dep, before anyone hits squash and merge.

Regulated workloads

Self-host, audit log, SOC 2.

Enterprise tier runs the audit runner inside your VPC, with SSO/SAML, an audit log of every Sebastion action, a signed DPA and SOC 2 attestation. The same auditor, on infrastructure you control.

Privacy by construction

Your code is handled, not stored.

Sebastion never persists your source. PR diffs are fetched via the GitHub API, routed through scanners, and discarded as soon as the audit completes. We never train models on your data and no-train flags are set on every upstream request that supports them.

  • No persistent storage of source code. PR diffs and file contents live only for the duration of one audit run.
  • Findings are owned by you — they live in your repo as inline PR review comments.
  • LLM calls are routed through OpenRouter to upstream providers (Anthropic, OpenAI, Google) with no-train flags set.
  • Read the privacy policy and security page for the full surface.

Catch the security bugs before merge.

Install Sebastion on your GitHub org and review your next pull request in under a minute. Free for every public repo.