Launch deal: 25% off your first month

Catch and fix vulnerabilities before they ship.

Vulnfrog reviews pull requests for real, exploitable bugs and writes the fix for you. Live in minutes, no config needed.

14-day free trial · Cancel anytime

vulnfrogBot commented now

Critical: Broken access control in get_invoice

This route returns an invoice by id but never checks it belongs to the requester, so any logged-in user can read anyone's invoices.

from flask import jsonify

@app.get("/api/invoices/<invoice_id>")
def get_invoice(invoice_id):
    # Fetches whatever id the URL names; the caller's identity is never consulted.
    invoice = db.get_invoice(invoice_id)
    return jsonify(invoice.to_dict())

Why this matters

There is no pattern for a scanner to flag here; the code looks fine. An attacker just increments invoice_id to read other customers' billing data.

Detected by Vulnfrog AI security review

peypey025 (Author) commented now

Good catch! @vulnfrog fix critical vulns please

vulnfrogBot commented now

Fix applied: enforce invoice ownership

Added an ownership check before the invoice is returned. The route now responds with a 403 when the record does not belong to the caller, so incrementing invoice_id no longer leaks other customers' data.

from flask import abort, jsonify
from flask_login import current_user  # current_user assumed to come from Flask-Login

@app.get("/api/invoices/<invoice_id>")
def get_invoice(invoice_id):
    invoice = db.get_invoice(invoice_id)
    # Ownership check: refuse records that belong to someone other than the caller.
    if invoice.user_id != current_user.id:
        abort(403)
    return jsonify(invoice.to_dict())

Patch validated and committed
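The exchange above shows the vulnerable route and its ownership check. The following is an added example, not Vulnfrog's code or code from the page: a pure-Python model of the same get_invoice route (an in-memory store replaces `db`, exceptions stand in for `abort(403)` and `abort(404)`), so the broken access control, the applied fix, and a tighter owner-scoped lookup can be exercised without a web server. The invoice ids, user ids and Invoice fields are constructed.

```python
"""Added example, not Vulnfrog's code: a model of the get_invoice route."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    user_id: int
    total_cents: int


class Forbidden(Exception):
    """Stands in for abort(403)."""


class NotFound(Exception):
    """Stands in for abort(404)."""


# Constructed sample data: sequential ids shared by two customers (users 1 and 2).
INVOICES = {
    101: Invoice(101, 1, 1999),
    102: Invoice(102, 2, 4500),
    103: Invoice(103, 2, 120),
    104: Invoice(104, 1, 7300),
}


def get_invoice_vulnerable(invoice_id, caller_id):
    # The flagged code: the record is returned without comparing its owner
    # with the caller, so the only thing protecting it is guessing the id.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound
    return invoice


def get_invoice_ownership_check(invoice_id, caller_id):
    # The applied fix: load the record, then compare owner and caller.
    # Note the distinct 403 and 404 answers: a caller who does not own the
    # record is refused, but still learns that the id exists.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound
    if invoice.user_id != caller_id:
        raise Forbidden
    return invoice


def get_invoice_scoped(invoice_id, caller_id):
    # Tighter variant: scope the lookup by owner (the SQL equivalent is
    # "WHERE id = ? AND user_id = ?") and answer 404 either way, so an
    # enumerating caller cannot tell "not yours" from "does not exist".
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.user_id != caller_id:
        raise NotFound
    return invoice


def enumerate_ids(handler, caller_id, id_range):
    """Play the attacker from the finding: walk invoice ids as `caller_id`
    and record what each id reveals, "leaked" (another user's record was
    returned) or "exists" (refused with 403, so the id is confirmed)."""
    observed = {}
    for invoice_id in id_range:
        try:
            invoice = handler(invoice_id, caller_id)
        except Forbidden:
            observed[invoice_id] = "exists"
        except NotFound:
            continue
        else:
            if invoice.user_id != caller_id:
                observed[invoice_id] = "leaked"
    return observed


if __name__ == "__main__":
    for handler in (get_invoice_vulnerable, get_invoice_ownership_check, get_invoice_scoped):
        print(handler.__name__, enumerate_ids(handler, 1, range(100, 106)))
```

Walking ids 100 to 105 as user 1, the vulnerable handler hands over user 2's invoices 102 and 103, the ownership check refuses them but confirms they exist, and the owner-scoped lookup reveals nothing beyond the caller's own records.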

The security copilot for devs who ship fast

An in-depth security review on every PR

Every pull request gets reviewed the moment you open it, catching the subtle, exploitable bugs that slip past linters and human reviewers alike.

  • Finds insecure code, leaked secrets and vulnerable dependencies
  • Catches logic flaws that pattern scanners miss
  • Flags only what your PR introduced
vulnfrogBot commented now

This PR introduces 3 security findings: 1 critical, 2 high.

  • critical: SQL injection in find_account via string-formatted query (account_tools.py:21)
  • high: OS command injection in ping_host (shell=True) (account_tools.py:33)
  • high: Hardcoded API token committed to source (account_tools.py:17)
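The second finding above names the pattern (shell=True) but the page shows no code for it. The following is an added example, not Vulnfrog's code or anything from account_tools.py: the shell=True construction behind a ping_host-style helper, run with `echo` standing in for `ping` so it executes offline and its output can be compared. The argv form and the allow-list validator are the usual remediation, not a fix taken from the page; the host strings are constructed, and ping_host's signature is assumed.

```python
"""Added example, not Vulnfrog's code: command injection via shell=True
and its remediation, with echo standing in for ping."""
import ipaddress
import subprocess


def ping_host_vulnerable(host):
    # The flagged pattern: user input is spliced into a command line that a
    # shell parses, so ';', '$(...)', '|' and friends in `host` are executed.
    result = subprocess.run("echo %s" % host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def ping_host_argv(host):
    # No shell: the whole `host` value is a single argv entry, and shell
    # metacharacters are just bytes in that argument.
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


def is_valid_host(host):
    """Allow-list what a ping target may look like: an IP literal, or a
    hostname of dot-separated ASCII alphanumeric labels (hyphens allowed
    inside a label). A leading '-' is refused as well, since even without a
    shell it would be parsed as an option by the program being run."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    for label in host.split("."):
        if not 0 < len(label) <= 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if not all(ch.isascii() and (ch.isalnum() or ch == "-") for ch in label):
            return False
    return True


def ping_host_hardened(host):
    # Both layers: validate the input, then run without a shell.
    if not is_valid_host(host):
        raise ValueError("refusing suspicious host: %r" % host)
    return ping_host_argv(host)


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"  # constructed attacker input
    print(repr(ping_host_vulnerable(payload)))  # second command runs
    print(repr(ping_host_argv(payload)))        # literal text, nothing runs
    print(is_valid_host(payload), is_valid_host("example.com"))
```

With the constructed payload, the shell=True version prints two lines because the injected `echo INJECTED` ran as a separate command; the argv version prints the payload verbatim as one line; the validator rejects it outright.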

Fixes, not just findings

Every finding comes with a concrete patch and a confidence score. Vulnfrog writes the diff and opens the fix PR for you.

  • Ready-to-merge patches
  • Confidence score on every fix
  • Opens a fix pull request
critical: SQL injection
Confidence 96
Suggested fix
-query = "SELECT * FROM accounts WHERE id = '%s'" % user_id
+cur.execute("SELECT * FROM accounts WHERE id = ?", (user_id,))
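To make the suggested fix concrete, here is an added example, not Vulnfrog's code or the contents of account_tools.py: the string-formatted query from the finding and the parameterized replacement, run side by side against an in-memory SQLite database so the difference is observable. The accounts and api_keys tables, their rows and the two payloads are constructed; find_account's signature is assumed.

```python
"""Added example, not Vulnfrog's code: string-formatted query vs bound
parameter, exercised against SQLite."""
import sqlite3


def build_db():
    # Constructed sample data: the accounts table the query targets, plus a
    # second table that an injected UNION can pull in.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance_cents INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("acc-1", "alice", 1200),
        ("acc-2", "bob", 45000),
        ("acc-3", "carol", 300),
    ])
    conn.execute("CREATE TABLE api_keys (key_id TEXT PRIMARY KEY, secret TEXT, note TEXT)")
    conn.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", [
        ("key-billing", "sk_test_constructed_1", "billing"),
        ("key-ops", "sk_test_constructed_2", "ops"),
    ])
    return conn


def find_account_vulnerable(conn, user_id):
    # The flagged line: the value is pasted into SQL text, so a quote in it
    # ends the literal and the rest is parsed as SQL.
    query = "SELECT * FROM accounts WHERE id = '%s'" % user_id
    return conn.execute(query).fetchall()


def find_account_fixed(conn, user_id):
    # The suggested fix: a bound parameter is delivered to the engine as a
    # value and is never parsed as SQL, whatever characters it contains.
    cur = conn.cursor()
    cur.execute("SELECT * FROM accounts WHERE id = ?", (user_id,))
    return cur.fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "x' OR '1'='1"
# Column count must match accounts (3); '--' comments out the trailing quote.
UNION_DUMP = "x' UNION SELECT key_id, secret, 0 FROM api_keys --"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, tautology:", find_account_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, union:    ", find_account_vulnerable(conn, UNION_DUMP))
    print("fixed, tautology:     ", find_account_fixed(conn, TAUTOLOGY))
    print("fixed, real id:       ", find_account_fixed(conn, "acc-2"))
```

With the tautology the vulnerable query returns every account; with the UNION payload it returns the contents of an unrelated table. The parameterized query returns nothing for either payload, because no account id equals that literal string, and still finds a real id normally.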

GitHub Native

Vulnfrog shows up as a status check and a PR comment, gating risky merges and staying out of your way on clean ones.

  • Status checks block risky merges
  • Inline PR comments your team already reads
  • Rescans on every push, plus a daily full-repo scan
All checks have passed (3 successful checks)
  • Vulnfrog Security Scan: passed in 19s
  • build: passed in 1m 02s
  • tests: passed in 2m 14s

Live in three steps

From zero to reviewed PRs in under five minutes. Seriously.

1

Install the GitHub App

One click, pick your repos. No CI config, no YAML, no scripts.

2

Open a pull request

No change to how you work. Open a PR like always, and Vulnfrog reviews it automatically.

3

Get a review and a fix

Findings land as a PR comment and a status check, each with a ready-to-merge fix.

Real scanners, sharpened by AI.

Our custom security harness pairs scanners with AI judgment, so every finding is worth fixing.

Scanner precision · AI judgment · Evidence-backed findings

Your whole security posture, at a glance

Every repo, every finding, trending over time, so you always know where you stand.

Vulnfrog · Acme Inc

Security Dashboard

1 high severity finding needs your review

Open findings by severity: 0 Critical · 1 High · 4 Medium · 2 Low · 1 Info
8 findings, ↓ 32 vs 7 days ago (LIVE, last 7 days)

[Findings trend chart, last 7 days]

Top finding types (last 7 days)
  • Injection: 14
  • Cryptographic Failures: 9
  • Security Misconfiguration: 7
  • Broken Access Control: 5
  • Authentication Failures: 3

Recent scans
  • acme/payments-api · feat/apple-pay · PR #128 · 0 findings · 2 minutes ago
  • acme/web · main · 1 finding · 1 hour ago
  • acme/auth-service · fix/jwt-rotation · PR #91 · 0 findings · 3 hours ago

Repositories
  • acme/web · main · 5
  • acme/payments-api · main · 2
  • acme/auth-service · main · 1

We take your trust seriously

Deleted when the scan ends

Your repo is cloned into an isolated, ephemeral workspace, then deleted the moment the scan ends, even on failure.

We keep the minimum

Just the path, the affected lines, and a short snippet, never your full source. Detected secrets are redacted first.

Least-privilege access

A scoped GitHub App with only the permissions needed to review PRs and open fixes.

Never retained or trained on

Code we send to our AI provider is processed transiently, never retained or used to train its models.


Simple, transparent pricing

Indie
$16/mo
Most popular
Standard
$30/mo
Pro
$60/mo
Plan              Indie                      Standard (Most popular)    Pro
Price             $16/mo                     $30/mo                     $60/mo
Repositories      1 repo                     5 repos                    15 repos
Usage limits*     Baseline                   2x baseline                4x baseline
                  ~400 PR reviews/mo         ~800 PR reviews/mo         ~1,600 PR reviews/mo
Additional usage  10¢ / scan                 10¢ / scan                 10¢ / scan

Additional usage is charged only after your plan's baseline usage is used up, and only if you enable additional usage.

Features: AI PR reviews · AI vulnerability fixes · Secret scanning · Dependency scanning · Push scans · Daily scans

*Usage estimates are based on internal testing with ~200-line PRs. Actual usage varies with PR size and complexity. Daily scheduled scans don't count against your monthly usage limits.

Frequently Asked Questions

The things teams ask before pointing us at a private repo.

Do you store my code?

Your repository is cloned into an isolated, ephemeral workspace, scanned, and deleted the instant the scan finishes, even if it fails. Findings keep only the file path, the affected lines, and a short matched snippet, never your full source.

What do you keep about a finding?

The file path, line numbers, severity, fix guidance, and the short snippet that triggered the finding, never your full source. Any detected secrets are redacted first.

Does my code leave my own infrastructure?

During review, the relevant code is sent to our AI provider for analysis. It's processed transiently in memory, never stored, retained, or used to train models.

What GitHub permissions does Vulnfrog need?

Least-privilege access, scoped to reviewing pull requests and opening fix PRs. We request only the permissions the review actually needs, nothing more.

What does Vulnfrog scan for?

Vulnerabilities, leaked secrets, and risky dependencies, using industry-standard scanners plus an AI reviewer. Every finding is mapped to an OWASP Top 10:2025 category.

Which languages are supported?

Vulnfrog supports the most popular languages, so most repositories work out of the box with no configuration.

How do you keep false positives down?

Every finding gets an AI confidence score so noise gets filtered out, and on a pull request we only flag what that PR actually introduced.

Is there a free trial?

Yes. Vulnfrog comes with a 14-day free trial. A card is required to start, and you can cancel anytime before it ends.

Ship fast. Stay secure.

Install the GitHub App and get your first PR reviewed in minutes.
