CODESCAN · PRODUCT OVERVIEW 2026

CodeScan

AI-powered security scanner that finds vulnerabilities, verifies them, enriches with real CVE data, fixes every file, reviews its own work, and commits directly to Git — fully automated.

Live at: codescan.flowlog.dev
CLI: npm i -g codescan-flowlog
Chrome Extension: Chrome Web Store
EXECUTIVE SUMMARY

What is CodeScan?

CodeScan is an AI-powered security scanner (SAST) that runs source code through a 5-step AI pipeline: scan, investigate, verify, revalidate, and enrich. Unlike traditional SAST tools that flood developers with false positives, every finding is verified and enriched with real CVE data before the developer sees it.

The Ultra Suite takes it further: AI fixes every vulnerability automatically, reviews its own fixes, re-scans the patched code for regressions, then commits directly to the Git branch — replacing a full sprint of manual security remediation with a 10-minute automated flow.

For Developers
  • Scan in seconds, not hours
  • One-click AI fixes
  • Push to Git without leaving the tool
  • CLI for CI/CD pipelines
For Security Teams
  • OWASP / SOC 2 / PCI-DSS reports
  • Dual-AI verification reduces noise
  • Quality gates block bad deployments
  • SBOM + SARIF export
For Management
  • Fraction of cost vs. manual review
  • Audit-ready compliance evidence
  • Real CVE + CISA KEV threat intel
  • Risk dashboard across all repos
18+ languages · 100+ vuln classes · 24 secret patterns · 10+ databases · 5 compliance reports · 2 AI models
✦ ULTRA SUITE — FLAGSHIP FEATURE

Autonomous security remediation

The Ultra Suite is CodeScan's end-to-end automated fix flow. From finding to verified, committed fix — entirely hands-free.

01 📋 Ultra Plan
Claude analyses all findings and generates a prioritised remediation roadmap: Phase 1 (critical) → Phase 2 (sprint) → backlog + quick wins.
02 ⚡ AI Fix All
Every vulnerability across every file is fixed in a single automated pass. Findings disappear from the scanner in real time as each file is patched.
03 🔍 Ultra Review
Claude reviews each fixed file independently. Verdict per file: SAFE · WARNING · FAIL, with a confidence score from 0 to 100.
04 🛡 Ultra Security
The fixed code is re-scanned to catch any new vulnerabilities accidentally introduced by the AI patch, ensuring the cure isn't worse than the disease.
05 ⬆ Push & Commit
One click commits all fixed files directly to the connected Git branch. No dialog. No PR required. Commit URL returned immediately. Where the target branch is protected or changes must be reviewed before merge, use Create PR instead (see Remote Repos & Git below).
COMPLETE FEATURE MATRIX

Everything CodeScan can do

🔍 Scanning Engine
5-Step AI Pipeline (Scan → Investigate → Verify → Revalidate → Enrich)
Smart cache (SHA-256, 24h TTL) — unchanged files cost zero tokens
Batch scan: files <2KB grouped into batches of 5
Secret detection: 24 patterns (API keys, DB URLs, private keys, cloud creds)
Dependency scan: OSV.dev CVE lookup for npm / pip / go / gem
Pause & resume with zero token cost (cache picks up where scan stopped)
18+ languages: TS, JS, Python, Go, Java, Rust, Ruby, PHP, C/C++, C#, Kotlin, Swift
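How a pattern-plus-entropy secret detector of the kind listed above works, as an added example that is not CodeScan's code and does not reproduce its 24 patterns: four constructed patterns, with the noisy free-form "api_key = ..." case filtered by Shannon entropy so placeholder values do not fire. The sample file contents are constructed; the AWS key ID is the placeholder from AWS's own documentation, not a live credential.

```python
"""Pattern-plus-entropy secret detection over source lines.

Added example, not CodeScan's own code or its 24 patterns; these four
patterns are constructed to show the mechanics (shape-anchored regexes for
structured secrets, an entropy filter for free-form keys).
"""
import math
import re

PATTERNS = {
    # AWS access key IDs have a fixed prefix and length, so a plain regex is precise.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM headers are unambiguous; match the header, never the key body.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # Connection URLs carrying an inline password (scheme://user:PASSWORD@host).
    "db_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mariadb|mongodb(?:\+srv)?|redis)://[^\s:/@]+:([^\s@/]+)@\S+"),
    # Free-form "api_key = ..." assignments are noisy, so group 1 is entropy-checked.
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}
ENTROPY_CHECKED = {"generic_api_key"}
MIN_ENTROPY_BITS = 3.0  # placeholders like "xxxx..." score 0; random keys score well above 4


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> list:
    """Names of the patterns that fire on one line, in PATTERNS order."""
    hits = []
    for name, rx in PATTERNS.items():
        m = rx.search(line)
        if not m:
            continue
        candidate = m.group(1) if m.groups() else m.group(0)
        if name in ENTROPY_CHECKED and shannon_entropy(candidate) < MIN_ENTROPY_BITS:
            continue  # looks like a placeholder, not a real key
        hits.append(name)
    return hits


def scan_text(text: str) -> list:
    """(line_number, pattern_name) for every hit in a blob of source."""
    return [(n, name)
            for n, line in enumerate(text.splitlines(), 1)
            for name in scan_line(line)]


# Constructed sample file (no real credentials; the AWS ID is AWS's documentation placeholder).
SAMPLE = """\
# settings.py
DATABASE_URL = "postgres://app:S3cretPw@db.internal:5432/prod"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
STRIPE_API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"
SENDGRID_TOKEN = "A1b2C3d4E5f6G7h8I9j0KlMn"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, name in scan_text(SAMPLE):
        print(f"line {lineno}: {name}")
```

Structured secrets (AWS key IDs, PEM headers, credential-bearing URLs) are precise enough to match by shape alone; the generic assignment pattern is what produces false positives in practice, which is why it is gated on entropy. Raising MIN_ENTROPY_BITS trades missed short keys for fewer placeholder hits.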
✦ Ultra Suite
📋 Ultra Plan — AI remediation roadmap (Phase 1 critical → backlog + quick wins)
⚡ AI Fix All — fixes every file project-wide, items vanish in real time
🔍 Ultra Review — Claude reviews every fixed file: SAFE / WARNING / FAIL
🛡 Ultra Security — re-scans fixed code to catch AI-introduced regressions
⬆ Push & Commit — direct commit to Git branch, one click, no dialog
🌐 Remote Repos & Git
GitHub import (any URL or owner/repo, public and private)
Azure DevOps import (full URL or org/project/repo + PAT)
AWS CodeCommit import (repo name + IAM credentials)
Ultra Open — paste any GitHub URL, auto-detected instantly
Create PR with random branch suffix (retries on 422)
Bot PR auto-fix: a GitHub Actions workflow repairs TypeScript errors introduced by Claude's patches
🧠 AI & Verification
Dual-AI: Claude Sonnet + GPT-4o cross-check HIGH/CRITICAL findings
Consensus badges: CONFIRMED · UNCERTAIN · DISPUTED · CLAUDE ONLY
CVE enrichment: NVD + EPSS exploit probability + CISA KEV catalog
CodescanBot: chat assistant with full vulnerability context
AI Test Generation: unit tests that reproduce + verify fixes
📊 Results & Session
Session persistence (localStorage, 7-day TTL — survives tab close)
Previous scans history: last 5 sessions, restore in one click
Resolved vulns hidden by default (like Snyk/SonarQube)
Regression diff: +N new / N fixed badges on re-scan
Re-scan from previous results at zero token cost (cache restore)
📋 Compliance & Reporting
OWASP Top 10 report with control mapping
SOC 2 trust criteria mapping
PCI-DSS control mapping with evidence text
SBOM: CycloneDX JSON or SPDX format
SARIF 2.1.0 export for GitHub Security tab
Quality Gates: fail on N CRITICAL / HIGH threshold
Custom Rules Engine: Semgrep-style YAML rules
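The quality gate, the SARIF 2.1.0 export and the "+N new / N fixed" regression diff listed above can all be driven from the same SARIF file. This is an added example, not CodeScan's code: it assumes the exported rules carry GitHub's "security-severity" property (a 0.0 to 10.0 string under tool.driver.rules[].properties, which is what the GitHub Security tab uses to derive Critical/High); whether CodeScan emits that property is an assumption. The two sample scans are constructed.

```python
"""Quality gate and regression diff over SARIF 2.1.0 output.

Added example, not CodeScan's own code. Assumes rules carry GitHub's
"security-severity" property (0.0-10.0 as a string); CodeScan emitting
that property is an assumption, not something the product page states.
"""
import json
import sys


def bucket(score: float) -> str:
    """GitHub code-scanning mapping of security-severity to a bucket."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def rule_severities(run: dict) -> dict:
    """ruleId -> bucket, read from tool.driver.rules[].properties."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    out = {}
    for rule in rules:
        raw = rule.get("properties", {}).get("security-severity")
        out[rule["id"]] = bucket(float(raw)) if raw is not None else "LOW"
    return out


def count_findings(sarif: dict) -> dict:
    """Count unsuppressed results per bucket across all runs."""
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for run in sarif.get("runs", []):
        sev = rule_severities(run)
        for result in run.get("results", []):
            if result.get("suppressions"):  # reviewed-and-accepted results do not gate
                continue
            counts[sev.get(result.get("ruleId"), "LOW")] += 1
    return counts


def quality_gate(counts: dict, max_critical: int = 0, max_high: int = 0) -> bool:
    """True when the build may proceed ("fail on N CRITICAL / HIGH")."""
    return counts["CRITICAL"] <= max_critical and counts["HIGH"] <= max_high


def fingerprint(result: dict) -> tuple:
    """Stable identity for a result: prefer the tool's partialFingerprints,
    fall back to rule + file + start line (which shifts when lines move)."""
    pf = result.get("partialFingerprints")
    if pf:
        return (result.get("ruleId"), tuple(sorted(pf.items())))
    loc = result["locations"][0]["physicalLocation"]
    return (result.get("ruleId"), loc["artifactLocation"]["uri"], loc["region"]["startLine"])


def regression_diff(previous: dict, current: dict) -> dict:
    """'+N new / N fixed' between two scans of the same repository."""
    def fps(sarif):
        return {fingerprint(r) for run in sarif.get("runs", []) for r in run.get("results", [])}
    prev, curr = fps(previous), fps(current)
    return {"new": len(curr - prev), "fixed": len(prev - curr)}


def _result(rule_id: str, uri: str, line: int) -> dict:
    return {"ruleId": rule_id, "level": "error",
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}


def _sarif(rules: list, results: list) -> dict:
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "example-scanner", "rules": rules}},
                      "results": results}]}


# Constructed sample data, not real scanner output.
RULES = [
    {"id": "sql-injection", "properties": {"security-severity": "9.8"}},
    {"id": "hardcoded-secret", "properties": {"security-severity": "7.5"}},
    {"id": "reflected-xss", "properties": {"security-severity": "6.1"}},
]
PREVIOUS_SCAN = _sarif(RULES, [_result("sql-injection", "app.py", 42),
                               _result("hardcoded-secret", "config.py", 3)])
CURRENT_SCAN = _sarif(RULES, [_result("hardcoded-secret", "config.py", 3),
                              _result("reflected-xss", "views.py", 17)])

if __name__ == "__main__":
    counts = count_findings(CURRENT_SCAN)
    print(json.dumps({"counts": counts, "diff": regression_diff(PREVIOUS_SCAN, CURRENT_SCAN)}))
    sys.exit(0 if quality_gate(counts, max_critical=0, max_high=0) else 1)  # non-zero fails the pipeline
```

The exit status is what a CI job keys on; the constructed current scan still carries one HIGH, so the default gate fails it. The diff prefers partialFingerprints when the tool emits them, because a location-based key counts a finding as "1 fixed, 1 new" whenever a patch moves it by a line.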
🗄 Database Intelligence
Test Connection with live status dot (green/yellow/red)
Supabase ping via REST API (no region or DB password needed)
AI-generated SQL migrations from plain English description
10+ databases: PostgreSQL, Supabase, Neon, CockroachDB, MySQL, MariaDB, PlanetScale, MongoDB, SQL Server, Redis, Cassandra
🔧 Platform & Dev Tools
Chrome Extension: GitHub, Azure DevOps, AWS CodeCommit (Chrome Web Store)
CLI tool: npm install -g codescan-flowlog (--fail-on, --output, --enrich)
Rate limiting on auth endpoints (sliding window, per IP)
README badge: dynamic SVG showing vuln count
Multi-environment scan: compare dev / staging / prod
Sitemap + robots.txt for SEO / Google Search Console
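The per-IP sliding-window rate limit on auth endpoints listed above, as an added example that is not CodeScan's code: the page says only that the limit is a sliding window per IP, so the limit, window, trusted-proxy list and sample addresses here are assumptions. The client_ip helper covers the check that decides whether a per-IP limit means anything at all, since X-Forwarded-For is attacker-controlled unless the TCP peer is one of your own proxies.

```python
"""Sliding-window per-IP rate limiter for auth endpoints.

Added example, not CodeScan's own code; the page states only that its auth
endpoints use a sliding window per IP. Limits, window, proxy list and sample
addresses below are assumptions for illustration.
"""
import time
from collections import deque
from typing import Optional


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so behaviour can be tested deterministically
        self._hits = {}     # key -> deque of hit timestamps, oldest first

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out: a true sliding window, so there is
        # no 2x-limit burst across a boundary the way a fixed window permits.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the oldest in-window hit expires (0.0 if under the limit)."""
        q = self._hits.get(key)
        if not q or len(q) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - q[0]))


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted_proxies: set) -> str:
    """Pick the address to rate-limit on.

    X-Forwarded-For is client-controlled: honour it only when the TCP peer is
    one of our own proxies, and walk it right-to-left past trusted hops so a
    client cannot mint a fresh IP per request just by setting the header.
    """
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


# Assumed deployment values (constructed for the example).
TRUSTED_PROXIES = {"10.0.0.1", "10.0.0.2"}
LOGIN_LIMITER = SlidingWindowLimiter(limit=5, window_seconds=60.0)


def handle_login_attempt(remote_addr: str, x_forwarded_for: Optional[str]) -> dict:
    """What an auth endpoint would do before touching credentials."""
    ip = client_ip(remote_addr, x_forwarded_for, TRUSTED_PROXIES)
    if not LOGIN_LIMITER.allow(ip):
        return {"status": 429, "retry_after": round(LOGIN_LIMITER.retry_after(ip), 1)}
    return {"status": 200}


if __name__ == "__main__":
    # Six attempts from the same real client behind our proxy: the sixth is refused.
    for _ in range(6):
        print(handle_login_attempt("10.0.0.1", "203.0.113.7, 10.0.0.2"))
```

Keying on the peer address when it is not a trusted proxy is what makes the limit hold: a client talking to the app directly cannot launder attempts through a spoofed header. Per-IP limiting still does not stop a distributed credential-stuffing run, so it belongs alongside per-account lockout or step-up, not in place of them.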
GO-TO-MARKET TIMELINE

4-Week Presentation Plan

Structured rollout for presenting CodeScan to customers and partners — each week targets a different audience with the features most relevant to them.

Week 1 · AI Pipeline + Dual-AI Verification · Audience: Technical Partners & Dev Teams
DEMO AGENDA
  • 5-step scan pipeline live demo on a real codebase
  • Dual-AI verification (Claude + GPT-4o) — show CONFIRMED/DISPUTED badges
  • GitHub integration — fetch repo, scan, push fixed code in one session
KEY TAKEAWAY
CodeScan cuts false positives through dual-AI verification and gives verified, enriched findings, not just a raw list.
Week 2 · Compliance Reports + Quality Gates · Audience: Security Teams & Compliance Officers
DEMO AGENDA
  • Generate OWASP Top 10 / SOC 2 / PCI-DSS report from a scan
  • Show quality gate blocking a deployment on CRITICAL findings
  • SBOM export in CycloneDX + SARIF upload to GitHub Security tab
KEY TAKEAWAY
CodeScan produces audit-ready evidence — maps findings directly to compliance controls.
Week 3 · Ultra Suite — Autonomous Fix Flow · Audience: Engineering Leads & CTOs
DEMO AGENDA
  • ⚡ AI Fix All — every vulnerability fixed, disappears from scanner
  • 🔍 Ultra Review — Claude reviews its own fixes, shows SAFE/WARNING/FAIL
  • 🛡 Ultra Security — re-scans fixed code for new regressions
  • ⬆ Push & Commit — direct commit to Git in one click
KEY TAKEAWAY
The Ultra Suite replaces a full sprint of manual security remediation with a 10-minute automated flow.
Week 4 · ROI + Market Position · Audience: Business Stakeholders & Investors
DEMO AGENDA
  • Cost comparison: 1 CodeScan Pro licence vs 40 hrs/month manual security review
  • Show Chrome Extension — scan GitHub repos directly in browser
  • CLI integration into CI/CD — fail pipeline on CRITICAL findings
KEY TAKEAWAY
CodeScan pays for itself in the first sprint. Enterprise pricing starts at $299/mo for unlimited scans.
PRICING

Plans & Pricing

Free
$0
15 scans/mo
  • 5-step AI pipeline
  • Web + CLI
  • JSON export
  • Dep scanning
Starter
$14/mo
100 scans/mo
  • CVE enrichment
  • AI auto-fix
  • SARIF export
  • Top-up credits
MOST POPULAR
Pro
$34/mo
400 scans/mo
  • EPSS + CISA KEV
  • CodescanBot
  • Priority support
Team
$89/mo
1,500 scans/mo
  • Team access
  • GitHub Actions CI/CD
  • Top-up credits
Business
$299/mo
Unlimited
  • Unlimited scans
  • Dedicated support + SLA
  • Custom onboarding

Annual plans available · 2 months free · Cancel any time · Payments via Stripe

GET STARTED

Ready to see it in action?

Live at codescan.flowlog.dev · Free tier available · No credit card required

codescan.flowlog.dev · contact@flowlog.dev · © 2026 Flowlog