Find vulns. Autofix. Merge the PR.

Deep semantic analysis that catches the SQL injection, broken auth, race conditions, and logic flaws that SAST tools miss, then ships tested fix PRs you can merge with confidence.

No credit card required · 7-day free trial

// trusted by teams shipping AI infrastructure

n8n logo
ChromaDB logo
Milvus logo
vLLM logo
Weaviate logo
Qdrant logo
Langflow logo
Langfuse logo
1,153
Repos scanned
5,572
Vulnerabilities found
1,457
Autofixes generated
92%
PR merge rate
// benchmark

Ranked #1, ahead of every frontier model.

RealVuln is an open-source benchmark of real vulnerabilities across production-style repositories. We publish the results so you don't have to take our word for it.

F3 (strict) · real vulnerabilitiesRealVuln v2.0 · 66 repositories
#1Kolega DevSec Max86.5
#2Kolega DevSec Core69.9
#4Kolega Scan OSS (V1)65.2
#5GPT-5.556.7
#6Kimi K2.752.1
#7DeepSeek V4 Flash51.8
#17SonarQube14.4
#18Semgrep7.4
Selected results · 18 scanners testedSee the full leaderboard →

Methodology: RealVuln v2.0 evaluates detection across 66 production-style repositories, spanning human-authored and vibe-coded code totalling 133,782 lines, each with known, verified flaws. Scores use the strict F3 metric. Every figure on this page is pinned to a benchmark version and snapshot date.

// how it works

92% of Proposed Fixes Get Merged.

Review a finding, propose an AI fix, open the pull request, and merge it in GitHub. The finding closes itself.

app.kolega.dev/repositories/acme-api
Kolega DevSec logo
?ED
payment-api > Findings
12 Findings
SeverityStatus
Critical
3
High
5
Medium
3
Low
1
SeverityFinding
Second-Order SQL Injection in Report Builder
JWT Audience Confusion in Auth Middleware
Unsafe Deserialization in Product Config
CORS Subdomain Injection via Wildcard Match
Time-of-Check Race Condition in File Access
Token Refresh Race Condition
Showing 6 of 12 findings · 8 fixes generated · 3 PRs ready to merge

The whole Platform, In your Terminal.

The official @kolegaai/cli exposes the full public API: authenticate, scan, triage findings, generate AI fixes, and open pull requests without leaving the shell. Built for CI and automation.

$npm i -g @kolegaai/cli
Device-flow loginFour scan typesTriage findingsFix → PRJSON everywhere
zsh — kolega
$kolega auth login
paired with org "acme" · token stored 0600
$kolega repos list
payment-api default main
$kolega scans start default --type deep-ai --wait
⦿deep-ai scan running
scan complete
12 findings · 3 critical · 5 high

npm · @kolegaai/cli · requires Node.js 22+

// noise reduction

Cut 90% of false positives. Review only what matters.

Stop drowning in alerts. Kolega DevSec groups, deduplicates, and prioritises so your team focuses on real risk.

Internal memory architecture
Track alert status, mark a finding 'Won't Fix', and we remember the signature globally.
Logical grouping
50 instances of the same violation = 1 ticket and 1 PR, not 50 notifications.
Context-aware filtering
Eliminates false positives by understanding your code architecture and dependencies.
Priority intelligence
Automatically prioritises critical vulnerabilities based on exploitability and business impact.
Scanning repository…
Running security scanners…
Deep architectural analysis…
Grouping & deduplicating findings…
Generating fixes…
Creating PR…
// open sourceApache-2.0

The engine is open source. Start free, keep control.

Kolega Scan is the open-source detection engine behind the platform — self-hosted, provider-agnostic, no account and no usage caps. Run it locally or in CI. When you want tested autofix PRs, noise reduction, and the benchmark-leading detection intelligence, connect the same harness to the hosted platform — no re-instrumenting.

Self-hosted, local or CIBYO LLM, provider-agnosticTransparent, extensible harnessCommunity support · no caps
kolega-scan
$pip install kolega-scan
$kolega-scan scan ./
14 findings · 3 critical · 0 sent off-box
OSS detectionconnect the same harness for autofix PRs, noise reduction & deep-AI
// pricing

Choose your plan.

Free and open source forever, or go hosted for autofix PRs and deep-AI detection.

Free

OPEN SOURCE
$0/forever
Unlimited local scansSecrets, SBOM & SAST enginesRun locally or in CIBYO LLM · no accountCommunity support · Apache-2.0
View on GitHub

Core

$39/mo
1,500 scan & fix credits / monthCore Scan EngineNo LOC or autofix limitsTop up credits anytimeTicket integration & noise reduction
Start 7-day free trial

Max

COMING SOON
$69/mo
Everything in Core, plus:Max Scan Engine · #1 on RealVulnMore models to choose fromBYO API key · unlimited on your own keySlack & Teams integration
Coming soon

Enterprise

Custom
Everything in Max, plus:Custom credit volumeContinuous scanningExploitation testingSSO/SAML + audit + SIEMSelf-hosted runnersDedicated Slack + SLA
// how credits work

Both paid plans include 1,500 scan & fix credits a month, spent across scans and autofix PRs, with no limits on lines of code or number of fixes. As a guide, that's about 3 deep scans of 100k LOC on the Core engine, 6 on the Max engine, or roughly 20 autofix PRs. Available models depend on your plan, bring-your-own keys unlock on Max and above, and you can top up anytime.

✓ Ephemeral scanning: code never stored✓ Controls aligned with SOC 2 and ISO 27001; certification in progress✓ GDPR compliant✓ Self-hosted runners available
// faq

Frequently asked questions

Does Kolega DevSec access or store my source code?

Your code is cloned into isolated, ephemeral containers for scanning and deleted immediately after. We never store source code at rest. Enterprise customers can run self-hosted runners in their own infrastructure for full data sovereignty.

How is this different from Snyk, Dependabot, or other SAST tools?

Traditional SAST matches known patterns. Kolega DevSec adds deep semantic analysis that understands code intent, catching logic flaws, race conditions, cross-boundary injection, and architectural vulnerabilities pattern-matching misses.

Do I need a CLI or CI pipeline?

No. Three clicks in the web app (OAuth, select repos, scan) gets most teams scanning in under 3 minutes. But the official @kolegaai/cli and public API are there when you want terminal control, automation, or CI gates.

Can I trust the automated PRs?

Every generated PR includes regression tests that prove the fix works, conflict resolution, and a detailed explanation. You review and merge. Nothing ships without your approval.

What compliance frameworks do you support?

Controls are aligned with SOC 2, ISO 27001, GDPR, PCI, and SMB 1001, with SLA-based metrics including MTTR, resolution rates, and scan coverage. Certification is in progress; Enterprise supports custom frameworks.

Find and fix your technical debt.

Simple 3-click setup, or one command in your terminal. Run a free deep scan.