ZenVeil is live on Product Hunt 🚀

Support the launch and share feedback.

View on Product Hunt

AI-native DevSecOps · pip install zenveil

AI writes your code. ZenVeil secures it.

Copilot autocompletes hardcoded secrets. Cursor's multi-file edits leave inconsistent auth checks. Claude Code's long sessions pull outdated, vulnerable dependencies. ZenVeil catches what's specific to each in under 30 seconds and opens the fix as a GitHub PR.

Watch a breach

No signup for public repos

Read-only

Code never stored

Results in seconds

zenveil — ai-native security scan

~

$

zenveil scan github myorg/payments-api

Scan complete — 4 findings across 3 scanners

ID
SEVERITY
SCANNER
OWASP
TITLE
LOCATION
ZV-A1B2C3
CRITICAL
secrets
A02:2021
AWS access key exposed
src/config.py:42
ZV-D4E5F6
HIGH
supply_chain
A06:2021
lodash CVE-2021-23337 CVSS 9.1
package.json:12
ZV-G7H8I9
MEDIUM
sast
A03:2021
SQL injection via f-string
api/users.py:127
ZV-J1K2L3
LOW
supply_chain
A06:2021
Unpinned dependency
requirements.txt:3

$

zenveil fix ZV-A1B2C3 --auto-pr --repo myorg/payments-api

✓ Opened PR #47: github.com/myorg/payments-api/pull/47

Rotated key, purged from history, added to .gitignore

Findings

4 critical caught

Time to fix

PR opened · 12s

Scan speed

47 files · 22s

Built for teams using AI coding tools

  • GitHub Copilot

  • Cursor

  • Claude

  • Tabnine

  • Python

  • Node.js

  • Go

  • Rust

  • Ruby

  • OWASP Top 10

  • CVE Database

  • 200+ secret patterns

By the numbers

Security that moves at dev speed.

+27% YoY

83%

of devs use AI coding tools

GitHub Octoverse 2024

14

findings

avg per repo scan

secrets · CVEs · OWASP

−90% vs. SAST

< 30

seconds

full scan time

CLI, CI/CD, or browser

auto-PR

1

command

auto-fix & open GitHub PR

no manual triage

Internal benchmark, not yet independently verified — largest repo tested so far: ~48,000 files, full scan under 8 minutes.

Positioning

Where your security stack stops looking.

Your stack was built for code humans wrote. AI generates the same bug classes — hardcoded secrets, missing auth middleware, tokens in localStorage — at higher frequency, in places existing tools weren't tuned to look.

Capability

GitHub Actions

Snyk / Semgrep

Claude / ChatGPT Review

ZenVeil

Known CVE & dependency vulnerabilities

Hardcoded API keys, JWT secrets, AWS credentials in source

Sensitive routes without authorization middleware

Dependency confusion risk in package manifests

Auth tokens written to browser storage (localStorage)

Missing rate limits or verbose error responses on APIs

Known CVE & dependency vulnerabilities

GitHub Actions

Snyk / Semgrep

Claude / ChatGPT Review

ZenVeil

Mature scanners own this. ZenVeil intentionally does not — keep yours.

Hardcoded API keys, JWT secrets, AWS credentials in source

GitHub Actions

Snyk / Semgrep

Claude / ChatGPT Review

ZenVeil

Models commonly inline placeholder-looking secrets that are real. ZenVeil ships rule families tuned for this pattern.

Sensitive routes without authorization middleware

GitHub Actions

Snyk / Semgrep

Claude / ChatGPT Review

ZenVeil

Generators forget auth middleware on routes that handle user-scoped data. Detected by static analysis of route handlers.

Dependency confusion risk in package manifests

GitHub Actions

Snyk / Semgrep

Claude / ChatGPT Review

ZenVeil

AI-generated package.json files commonly mix scoped and unscoped names in ways an attacker can hijack.

Auth tokens written to browser storage (localStorage)

GitHub Actions

Snyk / Semgrep

Claude / ChatGPT Review

ZenVeil

AI defaults to localStorage for tokens — a known XSS exfiltration vector. ZenVeil flags this pattern explicitly.

Missing rate limits or verbose error responses on APIs

GitHub Actions

Snyk / Semgrep

Claude / ChatGPT Review

ZenVeil

Generated endpoints often return stack traces and lack rate limiting. ZenVeil probes for both.

Designed for this

Partial

Not designed for this

Out of scope — use your existing tool

On the roadmap

Hallucinated package detection

IaC misconfiguration scanning

Prompt-injection surface analysis

We ship what the scanner actually detects today. These are in active development.

GitHub Actions, Snyk, Semgrep, and general-purpose AI reviewers are excellent at what they were built for. We run several of them on our own code. ZenVeil isn't a replacement.

It's the layer that catches what those tools were never designed to detect — the failure modes that show up when a model writes the code, not a person.

Most teams keep their existing stack and add ZenVeil for the blind spots.

Four example findings · linked to actual ZenVeil scanner rules

What ZenVeil Actually Finds

Explore real security findings from AI-generated code. See how ZenVeil detects, explains, and helps fix issues before they reach production.

Hardcoded secrets

Missing auth checks

Source map exposure

Dependency confusion

Token storage risks

Read-only analysis · Code never stored · Findings verified with file-level evidence

1

Critical

2

High

2

Medium

Findings · 5 examples

CRITICAL

Hardcoded API key assignment

EXAMPLE FINDING

Live-shaped Stripe key in a generated test fixture

tests/fixtures/stripe-customer.json

:

1

Fixture committed with a token shaped like sk_live_…. If real, it is now in git history and may need rotation.

Why AI produces this: Models often pad fixtures with realistic-looking values rather than placeholders. The prefix shape matches a real Stripe secret key.

ZenVeil's suggested fix — opens as a PR

-

"api_key": "sk_live_4eC39HqLyjWDarjtT1zdp7dc"

+

"api_key": "<<-STRIPE_TEST_KEY->>"

 

// Resolved from env at test setup

How the scan works

🔒

Read-only analysis

Repos are cloned to an ephemeral sandbox. No write access. No persistence.

🚫

Code never stored

Source is deleted after the scan completes. Never used for training.

🔍

Verifiable findings

Each finding includes a file path and line you can confirm against the diff.

🧠

Built for AI-generated code

Detection rules are tuned for the failure modes AI produces at higher frequency.

60 seconds · Sandboxed · First finding free, no signup required
Your code is never stored and never used for training.

Enterprise trust

Is your code safe with us? Here's the answer.

You shouldn't need to talk to sales to find out. Here's exactly what happens to your source when ZenVeil scans it.

Your GitHub repo

read-only OAuth scope

Ephemeral scan container

spun up per scan, destroyed after

Findings, in memory

never written to disk

PR opened on your repo

source code never leaves GitHub

SOC 2

Type II in progress

In progress

GDPR ready

Data processing compliant

Verified

Code never stored

Architecture guarantee

Enforced

Read-only tokens

GitHub OAuth scoped

Enforced

DPA available

On request for Enterprise

Available

security.txt

RFC 9116 compliant

Published

Continuous security posture monitoring active

·

[email protected]

The AI agent trust layer

Every agent writes code differently. Every risk, covered.

A generic "we support AI tools" line is an afterthought. Each agent below has a distinct failure pattern — ZenVeil's rule engine is tuned to catch it specifically.

GitHub Copilot

Highest rate of hardcoded secrets in autocomplete suggestions — caught before the commit, not after.

Cursor

Multi-file agent edits frequently introduce inconsistent auth checks across touched routes.

Claude Code

Long autonomous sessions can pull outdated dependencies from training data — CVE-checked on every PR.

Also covered

OpenAI Codex

Task-runner agents commit directly — ZenVeil gates the branch before merge, not after an incident.

Gemini

Cross-language projects show elevated injection risk at language boundaries — shell, SQL, and template contexts.

Background CI agents

Unattended by design — ZenVeil is the only reviewer some of these commits will ever get.

How it works

From pip install to merged PR

Installed, scanned, explained, and fixed — in one terminal session.

01 Install

No account. No config. One line.

ZenVeil ships as a standard Python package — install it like anything else in your toolchain.

$

pip install zenveil

✓ Installed zenveil-cli

3 free scans/hour, no signup required

CI/CD Integration

Drop it into any pipeline.

Add ZenVeil to your GitHub Actions workflow and automatically block PRs that introduce CRITICAL or HIGH severity findings. Security gates that run in seconds, not minutes.

Scans complete in under 30 seconds

Blocks merges on HIGH/CRITICAL findings

Auto-opens fix PRs from CI output

.github/workflows/zenveil.yml

YAML
# ZenVeil Security Scan
name: Security Scan
on:
pull_request:
branches: [main]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Install ZenVeil
run: pip install zenveil
- name: Login
run: zenveil login ${{ secrets.ZENVEIL_API_KEY }}
- name: Scan
run: zenveil scan github ${{ github.repository }}
--token ${{ secrets.GITHUB_TOKEN }}

Blocks merge on CRITICAL / HIGH

YAML · 28 lines

Capabilities

Security built for AI-assisted development

AI coding tools write fast and miss security basics. ZenVeil closes the gap — from secret detection to automated PR remediation, across your entire stack.

PR #47 opened · payments-api

AWS_KEY = "AKIA…"

+

AWS_KEY = os.environ[…]

Rotated · Purged · Merged

Auto-fix

Find and fix in one pull request

ZenVeil opens the remediation as a reviewable GitHub PR. From finding to merge, in your existing workflow — no dashboard to babysit, no findings to triage by hand.

3 secrets found

SECRETS FOUND · 3

AWS_ACCESS_KEY

AWS

STRIPE_SECRET_KEY

Stripe

GITHUB_TOKEN

GitHub

200+ patterns

Secret detection

AWS keys, GitHub tokens, JWT secrets, and passwords caught before they reach production. Regex + entropy analysis for near-zero false negatives.

osv.dev lookup · 3 matches

PACKAGE
CVE
CVSS
lodash 4.17.15
CVE-2021-23337
9.1
axios 0.21.1
CVE-2021-3749
7.5
moment 2.29.1
CVE-2022-31129
5.3

CVE lookups

Supply chain security

Floating dependency versions, missing lockfiles, and CVE lookups via OSV.dev. Know exactly what you're shipping before it ships.

explain · suggest fix

AI

EXPLAIN · SUGGEST FIX

The localStorage.setItem('token', …) pattern is an XSS exfiltration vector. Suggested fix: httpOnly cookie via server proxy.

Deterministic + LLM

Built for AI-generated code

Deterministic detection, LLM-assisted remediation. Our rule engine targets patterns AI generates at higher frequency — over-permissive configs, missing input validation, tokens in localStorage.

Early Access Feedback

Real devs. Real findings.

What engineers say after running ZenVeil on their first codebase — from indie makers to security teams shipping into regulated environments.

“ZenVeil caught a hardcoded Stripe secret sitting in our prod codebase for 6 months. Our pentester missed it. One command, 18 seconds — found, fixed, PR opened. It's now step one of our onboarding checklist.”

AM

Aisha M.

Backend Engineer

“I expected 400 noisy false positives. Instead I got 7 real findings with clear explanations and an auto-PR opened for 4 of them. That's genuinely impressive for a CLI tool.”

JP

Jordan P.

Senior Engineer

“Before every investor demo I run ZenVeil. It's a ritual. The peace of mind knowing my repo is clean before due diligence is worth every penny of the subscription.”

SK

Sarah K.

Founder, SaaS Startup

“We have a full AppSec team and still run ZenVeil in CI. Fast enough not to block merges. Catches the stuff that slips through PR review — floating deps, exposed tokens, weak configs.”

MC

Marcus C.

Security Engineer

“I don't have a security background but the dashboard makes everything legible. What's critical vs what can wait is instantly clear, and the AI explanations make sense to a non-security person.”

PP

Priya P.

Full-Stack Developer

“Vibe-coded a SaaS over a weekend. Ran ZenVeil before going live — it found my Supabase service key in three different files. Fixed in 20 minutes with the patch it suggested. Would've been a disaster.”

TA

Tom A.

Indie Maker

“Integrated ZenVeil into GitHub Actions in under 10 minutes. Every PR now gets a security check automatically. Our team security awareness has gone up noticeably — people actually read the findings.”

EV

Elena V.

Platform Engineer

“The AI fix suggestions are shockingly good. It doesn't just tell you what's wrong — it generates the actual patch with context for your specific framework. Saved me a full afternoon on a single finding.”

DO

David O.

Software Engineer

“The scan results were accurate. My one note: I initially wanted more context on the OWASP mapping for each finding. The update added docs links for every result — that fixed it.”

RM

Ryan M.

Early Access Tester

“In healthtech, one exposed credential is catastrophic. ZenVeil runs nightly and is part of our SOC 2 compliance workflow. The audit logs alone justify the subscription cost.”

RT

Rachel T.

Backend Engineer

“The supply chain analysis changed how we think about dependencies entirely. Seeing which packages have unresolved CVEs with severity scores made the whole team more deliberate about what we install.”

AK

Alex K.

Software Engineer

“ZenVeil caught a hardcoded Stripe secret sitting in our prod codebase for 6 months. Our pentester missed it. One command, 18 seconds — found, fixed, PR opened. It's now step one of our onboarding checklist.”

AM

Aisha M.

Backend Engineer

“I expected 400 noisy false positives. Instead I got 7 real findings with clear explanations and an auto-PR opened for 4 of them. That's genuinely impressive for a CLI tool.”

JP

Jordan P.

Senior Engineer

“Before every investor demo I run ZenVeil. It's a ritual. The peace of mind knowing my repo is clean before due diligence is worth every penny of the subscription.”

SK

Sarah K.

Founder, SaaS Startup

“We have a full AppSec team and still run ZenVeil in CI. Fast enough not to block merges. Catches the stuff that slips through PR review — floating deps, exposed tokens, weak configs.”

MC

Marcus C.

Security Engineer

“I don't have a security background but the dashboard makes everything legible. What's critical vs what can wait is instantly clear, and the AI explanations make sense to a non-security person.”

PP

Priya P.

Full-Stack Developer

“Vibe-coded a SaaS over a weekend. Ran ZenVeil before going live — it found my Supabase service key in three different files. Fixed in 20 minutes with the patch it suggested. Would've been a disaster.”

TA

Tom A.

Indie Maker

“Integrated ZenVeil into GitHub Actions in under 10 minutes. Every PR now gets a security check automatically. Our team security awareness has gone up noticeably — people actually read the findings.”

EV

Elena V.

Platform Engineer

“The AI fix suggestions are shockingly good. It doesn't just tell you what's wrong — it generates the actual patch with context for your specific framework. Saved me a full afternoon on a single finding.”

DO

David O.

Software Engineer

“The scan results were accurate. My one note: I initially wanted more context on the OWASP mapping for each finding. The update added docs links for every result — that fixed it.”

RM

Ryan M.

Early Access Tester

“In healthtech, one exposed credential is catastrophic. ZenVeil runs nightly and is part of our SOC 2 compliance workflow. The audit logs alone justify the subscription cost.”

RT

Rachel T.

Backend Engineer

“The supply chain analysis changed how we think about dependencies entirely. Seeing which packages have unresolved CVEs with severity scores made the whole team more deliberate about what we install.”

AK

Alex K.

Software Engineer

“The supply chain analysis changed how we think about dependencies entirely. Seeing which packages have unresolved CVEs with severity scores made the whole team more deliberate about what we install.”

AK

Alex K.

Software Engineer

“In healthtech, one exposed credential is catastrophic. ZenVeil runs nightly and is part of our SOC 2 compliance workflow. The audit logs alone justify the subscription cost.”

RT

Rachel T.

Backend Engineer

“The scan results were accurate. My one note: I initially wanted more context on the OWASP mapping for each finding. The update added docs links for every result — that fixed it.”

RM

Ryan M.

Early Access Tester

“The AI fix suggestions are shockingly good. It doesn't just tell you what's wrong — it generates the actual patch with context for your specific framework. Saved me a full afternoon on a single finding.”

DO

David O.

Software Engineer

“Integrated ZenVeil into GitHub Actions in under 10 minutes. Every PR now gets a security check automatically. Our team security awareness has gone up noticeably — people actually read the findings.”

EV

Elena V.

Platform Engineer

“Vibe-coded a SaaS over a weekend. Ran ZenVeil before going live — it found my Supabase service key in three different files. Fixed in 20 minutes with the patch it suggested. Would've been a disaster.”

TA

Tom A.

Indie Maker

“I don't have a security background but the dashboard makes everything legible. What's critical vs what can wait is instantly clear, and the AI explanations make sense to a non-security person.”

PP

Priya P.

Full-Stack Developer

“We have a full AppSec team and still run ZenVeil in CI. Fast enough not to block merges. Catches the stuff that slips through PR review — floating deps, exposed tokens, weak configs.”

MC

Marcus C.

Security Engineer

“Before every investor demo I run ZenVeil. It's a ritual. The peace of mind knowing my repo is clean before due diligence is worth every penny of the subscription.”

SK

Sarah K.

Founder, SaaS Startup

“I expected 400 noisy false positives. Instead I got 7 real findings with clear explanations and an auto-PR opened for 4 of them. That's genuinely impressive for a CLI tool.”

JP

Jordan P.

Senior Engineer

“ZenVeil caught a hardcoded Stripe secret sitting in our prod codebase for 6 months. Our pentester missed it. One command, 18 seconds — found, fixed, PR opened. It's now step one of our onboarding checklist.”

AM

Aisha M.

Backend Engineer

“The supply chain analysis changed how we think about dependencies entirely. Seeing which packages have unresolved CVEs with severity scores made the whole team more deliberate about what we install.”

AK

Alex K.

Software Engineer

“In healthtech, one exposed credential is catastrophic. ZenVeil runs nightly and is part of our SOC 2 compliance workflow. The audit logs alone justify the subscription cost.”

RT

Rachel T.

Backend Engineer

“The scan results were accurate. My one note: I initially wanted more context on the OWASP mapping for each finding. The update added docs links for every result — that fixed it.”

RM

Ryan M.

Early Access Tester

“The AI fix suggestions are shockingly good. It doesn't just tell you what's wrong — it generates the actual patch with context for your specific framework. Saved me a full afternoon on a single finding.”

DO

David O.

Software Engineer

“Integrated ZenVeil into GitHub Actions in under 10 minutes. Every PR now gets a security check automatically. Our team security awareness has gone up noticeably — people actually read the findings.”

EV

Elena V.

Platform Engineer

“Vibe-coded a SaaS over a weekend. Ran ZenVeil before going live — it found my Supabase service key in three different files. Fixed in 20 minutes with the patch it suggested. Would've been a disaster.”

TA

Tom A.

Indie Maker

“I don't have a security background but the dashboard makes everything legible. What's critical vs what can wait is instantly clear, and the AI explanations make sense to a non-security person.”

PP

Priya P.

Full-Stack Developer

“We have a full AppSec team and still run ZenVeil in CI. Fast enough not to block merges. Catches the stuff that slips through PR review — floating deps, exposed tokens, weak configs.”

MC

Marcus C.

Security Engineer

“Before every investor demo I run ZenVeil. It's a ritual. The peace of mind knowing my repo is clean before due diligence is worth every penny of the subscription.”

SK

Sarah K.

Founder, SaaS Startup

“I expected 400 noisy false positives. Instead I got 7 real findings with clear explanations and an auto-PR opened for 4 of them. That's genuinely impressive for a CLI tool.”

JP

Jordan P.

Senior Engineer

“ZenVeil caught a hardcoded Stripe secret sitting in our prod codebase for 6 months. Our pentester missed it. One command, 18 seconds — found, fixed, PR opened. It's now step one of our onboarding checklist.”

AM

Aisha M.

Backend Engineer

AM

JP

SK

MC

PP

TA

EV

Early Access — free to try

Join them. Ship securely.

Scan your first repo in under 30 seconds — no config, no credit card, no excuses.

Free forever plan

No credit card

pip install zenveil

ZenVeil

Simple pricing

Start free. Upgrade when you need it.

One finding on a free scan can save you from a breach that costs thousands. Enterprise plans include SSO, audit log, and private deployment.

$zenveil scan . --cipassed· 0 blocking findings · exit 0 · 22s
See a real finding

Free

$0

/forever

For developers who want to check a repo now.

Scan a repo

3 public repo scans / hour

All finding categories

Severity-ranked results

Secrets, deps, CI/CD, headers

Email report

Private repositories

AI explain & fix

Auto-PR remediation

Scan history

CI/CD webhook

Most popular

Pro

$19

/per month

For developers who ship fast and can't afford breaches.

Get Pro

Unlimited scans

Public & private repos

All finding categories

AI explain — why it's dangerous

AI fix — generated patch

Auto-PR remediation

Scan history (90 days)

Email alerts on new findings

Team seats

PDF compliance reports

CI/CD webhook

Team

$59

/per month

For engineering teams that need coverage across every repo.

Contact us

Everything in Pro

Up to 5 team members

Unlimited private repos

CI/CD webhook integration

PDF compliance reports

Slack & email alerts

Priority support

Custom scan policies

Enterprise

Custom

/talk to us

For platform and security teams shipping under compliance.

Contact sales

Everything in Team

Unlimited seats

SSO / SAML

Audit log & role-based access

Private / on-prem deployment

Custom detection policies

DPA & subprocessor list

Dedicated support

All plans include a 7-day free trial on paid features. No credit card required for Free.

Common questions

Everything you need to know

Quick answers to the questions developers ask before they trust a security tool with their code.

Does ZenVeil upload my source code?

No. For local CLI scans, your source code is analysed entirely on your machine and never leaves it. When scanning via the web dashboard or API, repository contents are temporarily fetched from GitHub during the scan and are not stored on our servers after the scan completes. See our Security & Privacy page for full details.

Still have questions?

Our team responds within 24 hours. We read every message and use feedback to improve the product.

[email protected]