Find vulns. Autofix. Merge the PR.
Deep semantic analysis that catches the SQL injection, broken auth, race conditions, and logic flaws that SAST tools miss, then ships tested fix PRs you can merge with confidence.
No credit card required · 7-day free trial
// trusted by teams shipping AI infrastructure
Ranked #1, ahead of every frontier model.
RealVuln is an open-source benchmark of real vulnerabilities across production-style repositories. We publish the results so you don't have to take our word for it.
Methodology: RealVuln v2.0 evaluates detection across 66 production-style repositories, spanning human-authored and vibe-coded code totalling 133,782 lines, each with known, verified flaws. Scores use the strict F3 metric. Every figure on this page is pinned to a benchmark version and snapshot date.
92% of Proposed Fixes Get Merged.
Review a finding, propose an AI fix, open the pull request, and merge it in GitHub. The finding closes itself.
| Severity | Finding | File | Status |
|---|---|---|---|
| Critical | Second-Order SQL Injection in Report Builder | src/analytics/ReportBuilder.ts:47 | Fix Ready |
| Critical | JWT Audience Confusion in Auth Middleware | src/middleware/auth.ts:112 | Fix Ready |
| Critical | Unsafe Deserialization in Product Config | src/config/ProductLoader.ts:89 | Needs Review |
| High | CORS Subdomain Injection via Wildcard Match | src/middleware/cors.ts:34 | Fix Ready |
| High | Time-of-Check Race Condition in File Access | src/storage/FileManager.ts:156 | Open |
| High | Token Refresh Race Condition | src/auth/TokenService.ts:78 | Fix Ready |
The whole Platform, In your Terminal.
The official @kolegaai/cli exposes the full public API: authenticate, scan, triage findings, generate AI fixes, and open pull requests without leaving the shell. Built for CI and automation.
npm · @kolegaai/cli · requires Node.js 22+
Cut 90% of false positives. Review only what matters.
Stop drowning in alerts. Kolega DevSec groups, deduplicates, and prioritises so your team focuses on real risk.
The engine is open source. Start free, keep control.
Kolega Scan is the open-source detection engine behind the platform — self-hosted, provider-agnostic, no account and no usage caps. Run it locally or in CI. When you want tested autofix PRs, noise reduction, and the benchmark-leading detection intelligence, connect the same harness to the hosted platform — no re-instrumenting.
Choose your plan.
Free and open source forever, or go hosted for autofix PRs and deep-AI detection.
Free
OPEN SOURCECore
Max
COMING SOONEnterprise
Both paid plans include 1,500 scan & fix credits a month, spent across scans and autofix PRs, with no limits on lines of code or number of fixes. As a guide, that's about 3 deep scans of 100k LOC on the Core engine, 6 on the Max engine, or roughly 20 autofix PRs. Available models depend on your plan, bring-your-own keys unlock on Max and above, and you can top up anytime.
Frequently asked questions
Your code is cloned into isolated, ephemeral containers for scanning and deleted immediately after. We never store source code at rest. Enterprise customers can run self-hosted runners in their own infrastructure for full data sovereignty.
Traditional SAST matches known patterns. Kolega DevSec adds deep semantic analysis that understands code intent, catching logic flaws, race conditions, cross-boundary injection, and architectural vulnerabilities pattern-matching misses.
No. Three clicks in the web app (OAuth, select repos, scan) gets most teams scanning in under 3 minutes. But the official @kolegaai/cli and public API are there when you want terminal control, automation, or CI gates.
Every generated PR includes regression tests that prove the fix works, conflict resolution, and a detailed explanation. You review and merge. Nothing ships without your approval.
Controls are aligned with SOC 2, ISO 27001, GDPR, PCI, and SMB 1001, with SLA-based metrics including MTTR, resolution rates, and scan coverage. Certification is in progress; Enterprise supports custom frameworks.
Find and fix your technical debt.
Simple 3-click setup, or one command in your terminal. Run a free deep scan.