Everything CodeScan can do
From finding to fix to Git push — every feature, explained. Updated each time a new capability ships.
🔍 Scanning Engine
Scan → Investigate → Verify → Revalidate → Enrich. Every finding is verified and enriched with real CVE data before you see it. False positives are eliminated automatically in a dedicated revalidation pass.
Each file is hashed before scanning. If unchanged, the cached result is returned instantly at zero token cost. Cache is cleared automatically when you re-fetch a remote repo so merged fixes always appear fresh.
Files under 2 KB are grouped into batches of 5 and scanned in a single Claude call, significantly reducing scan time and token usage on projects with many small utility files.
Runs in parallel with the AI scan, using 24 regex patterns covering API keys, database URLs, private keys, OAuth tokens, and cloud credentials. Skips template literals to avoid false positives on dynamic connection strings.
Detects package manifests (package.json, requirements.txt, go.mod, Gemfile) and checks every package against OSV.dev for known CVEs. Results appear in the DEPENDENCIES tab alongside outdated package counts.
Pause a long scan at any point to save partial results. Because of smart caching, resuming picks up exactly where it stopped — no re-scanning of already-completed files, zero extra token cost.
✦ Ultra Suite
The Ultra Suite is CodeScan's autonomous security remediation flow. Fix every vulnerability, review the fixes, re-scan the fixed code, and commit to Git — all in one automated sequence.
Claude analyses all findings and generates a prioritised remediation roadmap: Executive Summary → Phase 1 Critical → Phase 2 Sprint → Backlog → Quick Wins (under 30 min). Opens in a modal, copy to clipboard in one click.
Fixes every vulnerability across every file in one automated pass. Items disappear from the scanner in real time as each file is patched. Progress shown as 'Fixing 3/12…' in the tab bar. Starter plan and above.
Before pushing to Git, Claude reviews every fixed file. Checks: did the fix correctly address the vulnerability? Did it break any functionality? Is it minimal? Verdict per file: SAFE · WARNING · FAIL with confidence 0–100.
Re-scans the fixed code (not the original) to catch any new vulnerabilities accidentally introduced by the AI patch. Only flags regressions — not pre-existing issues. Run before every Git push.
⚡ AI Fix
Click Fix on any finding to generate a targeted patch using Claude Sonnet 4.6. Only the vulnerable lines change — surrounding code is preserved exactly. Available on all paid plans.
Fix every vulnerability in a file in one AI pass. All fixes are applied together, preserving context between them. Available on Starter plan and above.
The sidebar ⚡ AI Fix All button fixes every file in the entire project. Fixed vulnerabilities are automatically marked resolved and hidden from the scanner. Results stream in real time via SSE.
Select any vulnerability and click Generate Test to have Claude produce a unit test that reproduces the vulnerability and verifies the fix. Tests are generated in the language of the scanned file.
⬆ Git & Push
The green Push & Commit to Git button commits all AI-fixed files directly to your connected branch. No PR dialog, no intermediate step. Each file gets a commit message of the form fix(security): patch (unknown).
Creates a new branch (codescan/security-fixes-YYYYMMDD-xxxxx) and opens a pull request with a full diff description. Retries automatically up to 5 times if the branch name already exists.
A GitHub Actions workflow runs on every CodeScan bot branch. If the Next.js build fails due to an AI-introduced error, Claude reads the failing file, generates a fix, commits to the PR branch, and re-runs the build — up to 4 times.
After a PR is merged, click Re-fetch & Rescan to pull the fixed code and run a fresh scan. Cache is automatically cleared so the scan reflects the actual merged state.
🌐 Remote Repository Import
Paste any GitHub URL or owner/repo slug. CodeScan auto-detects the format and fetches all source files from the default branch (up to 60 files). Private repos require a PAT with repo scope.
Paste an Azure DevOps URL or org/project/repo slug. Requires a Personal Access Token with Code Read permission. Supports both modern Azure DevOps and legacy visualstudio.com URLs.
Enter the repository name, AWS region, and IAM Access Key + Secret Key. CodeScan uses the AWS SDK to fetch repository contents securely.
Paste any public GitHub URL directly — full repo URLs, PR URLs, blob URLs. CodeScan auto-extracts owner, repo, and branch and fetches the code immediately. No manual slug extraction needed.
🧠 Dual-AI Verification
HIGH and CRITICAL findings are independently assessed by Claude Sonnet 4.5 and GPT-4o in parallel. Each model gives a verdict without seeing the other's answer. Requires OPENAI_API_KEY env variable.
CONFIRMED — both models agree it's real. UNCERTAIN — models disagree or low confidence. DISPUTED — likely false positive. CLAUDE ONLY — no OpenAI key configured. Shown on every HIGH/CRITICAL finding.
Each finding is enriched with NVD CVE details, an EPSS exploit probability score (0–100%), and CISA Known Exploited Vulnerabilities (KEV) catalog status. A KEV listing means the vulnerability is known to be actively exploited in the wild.
Interactive AI assistant with full vulnerability context. Ask why a finding is dangerous, request plain-English explanations, generate database migrations, or get step-by-step remediation guidance.
📋 Compliance & Reporting
Maps all findings to OWASP Top 10 categories with pass/fail status per control and evidence text formatted for auditors. Export as PDF or copy to clipboard.
Maps findings to SOC 2 Trust Service Criteria (Security, Availability, Confidentiality). Shows which criteria are impacted and provides evidence summaries for your audit trail.
Maps findings to PCI-DSS requirements with control-level pass/fail assessment and evidence text suitable for QSA review.
Export a Software Bill of Materials listing all detected dependencies with versions, licenses, and known CVEs. Supports CycloneDX JSON and SPDX formats.
Export findings in SARIF 2.1.0 format for direct upload to GitHub Security tab, Azure DevOps Security, or any SARIF-compatible SAST tool.
Define pass/fail thresholds — e.g. 'fail if more than 0 CRITICAL findings'. Block CI/CD pipelines or deployments when security standards aren't met. Configurable per severity level.
Write custom security rules in YAML to enforce project-specific policies. Rules support pattern matching, metavariables, and multi-file analysis. Community rules available out-of-the-box.
Copy a dynamic SVG badge to embed in your repository README. Shows the current vulnerability count and severity level. Links back to your CodeScan report.
🗄 Database Intelligence
Live green/yellow/red status dot confirms database connectivity before running migrations. Supabase ping uses the PostgREST REST API — no region or database password needed, just the Project URL + Service Role Key.
Describe a schema change in English in CodescanBot (e.g. 'add a users table with email, role, and created_at'). The bot generates SQL, you review it, then execute it directly against your database from the CodeScan UI.
PostgreSQL · Supabase · Neon · CockroachDB · MySQL · MariaDB · PlanetScale · MongoDB · SQL Server (Azure SQL) · Redis (Upstash) · Cassandra. Script-only: Oracle, DynamoDB, Snowflake, BigQuery, SQLite.
Handles self-signed and intermediate CA certificates from managed database providers (Supabase, Neon, CockroachDB) that aren't in Node.js's default root store. No manual SSL configuration needed.
📊 Results & Session Management
Scan results are saved to localStorage automatically. Closing the tab, refreshing the page, or restarting the browser all preserve your full session — results, remediation status, and active panel.
The last 5 scan sessions are stored with a 7-day TTL. Browse past scans from the history icon and restore any of them instantly — no re-scanning, no token cost.
Fixed, accepted, and won't-fix vulnerabilities are hidden by default (like Snyk and SonarQube). A toggle reveals them. Three statuses: fixed · accepted · won't fix. All persist across sessions.
When you re-scan a repo after fixing issues, CodeScan compares against the previous scan and shows +N new (red badge) and N fixed (green badge) counts so you can see exactly what changed.
🔧 Tools & CLI
Install globally with npm install -g codescan-flowlog. Flags: --dir, --fail-on critical, --output json/sarif/md, --enrich. Exit code 2 for CISA KEV findings — ideal for pipeline gates.
Adds a Scan with CodeScan button to GitHub, Azure DevOps, and AWS CodeCommit repository pages. Sends the current repo to the scanner without leaving the browser. Unauthenticated users are redirected to login.
Scan the same codebase against multiple environment configurations and compare the security posture side-by-side. Identify issues that only appear in production configuration.
Auto-generated sitemap.xml and robots.txt covering all public pages. Submit to Google Search Console for indexing.
🔒 Platform Security
All authentication endpoints are protected by a sliding-window rate limiter. Login: 10 req / 15 min. Token refresh: 5 req / 15 min. Over-limit requests receive a 429 with a Retry-After header.
Auth endpoints validate all inputs with Zod schemas — email length (max 254), password length (max 128), format checks. Invalid inputs return a 400 with a clear error message before touching the database.
The auth route is protected with CSRF token verification. The token is set as an HttpOnly cookie on GET requests and must be echoed in the X-CSRF-Token header on POST requests.
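The cookie-plus-header check above as an added example (not CodeScan's code), modelled as pure functions over request and response records so it runs without a framework. One assumption: because a script cannot read an HttpOnly cookie, the GET response also returns the token in its JSON body so the client can place it in the header.

```typescript
// Added example, not CodeScan's own code: double-submit CSRF protection as
// described above. Assumes the token is also handed to the client in the GET
// response body, since an HttpOnly cookie is invisible to page scripts.
import { randomBytes, timingSafeEqual } from "node:crypto";

type Headers = Record<string, string>;
type Response = { status: number; headers: Headers; body: string };

const COOKIE = "csrf_token";
const HEADER = "x-csrf-token"; // X-CSRF-Token, lower-cased as Node exposes headers

// GET: mint a token, pin it in an HttpOnly cookie, and return it in the body.
function handleGet(token: string = randomBytes(32).toString("hex")): Response {
  return {
    status: 200,
    headers: {
      "Set-Cookie": `${COOKIE}=${token}; HttpOnly; Secure; SameSite=Strict; Path=/`,
    },
    body: JSON.stringify({ csrfToken: token }),
  };
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (header ?? "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// POST: accept only if the header value equals the cookie value. The compare is
// constant-time; the length check comes first because timingSafeEqual throws on
// buffers of different length.
function verifyPost(req: { headers: Headers }): boolean {
  const cookieToken = parseCookies(req.headers["cookie"])[COOKIE];
  const headerToken = req.headers[HEADER];
  if (!cookieToken || !headerToken) return false;
  const a = Buffer.from(cookieToken);
  const b = Buffer.from(headerToken);
  return a.length === b.length && timingSafeEqual(a, b);
}
```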
Responsible disclosure policy at SECURITY.md. Report vulnerabilities to security@flowlog.dev with a 90-day disclosure window.
Every time a new feature ships, add a FeatureCard to the relevant section in web/app/features/page.tsx. Use the existing sections or create a new Section block. This is the canonical feature reference for customers, partners, and the team.