Three Scanning Engines
Comprehensive Coverage, No Gaps
Each scanner brings unique strengths. Together, they catch vulnerabilities that any single tool would miss.
Semgrep
Industry-leading static analysis using security-audit and OWASP Top 10 rulesets to detect code pattern vulnerabilities, injection flaws, and insecure coding practices.
Trivy
Comprehensive dependency scanning that identifies known CVEs in your package dependencies, ensuring your supply chain stays secure.
AI Analysis
Deep semantic analysis powered by advanced AI that understands business logic, identifies context-specific vulnerabilities, and catches issues traditional scanners miss.
What We Detect
8+ Vulnerability Categories
From injection attacks to business logic flaws, our scanning covers the full spectrum of modern security threats.
Authentication & Authorization
Broken auth flows, missing authorization checks, JWT vulnerabilities, session fixation, OAuth misconfigurations, and privilege escalation paths.
Business Logic Flaws
Race conditions, TOCTOU vulnerabilities, price manipulation, workflow abuse, state machine issues, and bypass of business rules.
Data Security
Unencrypted PII, insufficient input validation, mass assignment, information disclosure, sensitive data in logs, and missing data retention policies.
API Security
Missing rate limiting, CORS misconfigurations, GraphQL vulnerabilities, insecure deserialization, SSRF, and API key exposure.
Cryptography
Weak algorithms (MD5, SHA1, DES), hardcoded secrets and API keys, insecure random generation, and improper certificate validation.
Infrastructure as Code
Overly permissive IAM policies, exposed secrets in config files, insecure defaults, container security issues, and missing firewall rules.
Injection Vulnerabilities
SQL injection, command injection, path traversal, template injection, XML/XXE attacks, and LDAP injection in directory queries.
Additional Concerns
Insecure direct object references (IDOR), missing security headers, outdated dependencies, debug endpoints left enabled.
OWASP Top 10 Coverage
Our scanning stack covers all OWASP Top 10 vulnerability categories through a combination of Semgrep rules, Trivy dependency scanning, and AI-powered analysis.
Broken Access Control
IDOR, privilege escalation, missing authorization checks
Cryptographic Failures
Weak algorithms, hardcoded secrets, insecure crypto
Injection
SQL, command, template, XSS, and LDAP injection
Insecure Design
Business logic flaws, missing security controls
Security Misconfiguration
CORS, headers, debug endpoints, IAM policies
Vulnerable Components
Known CVEs in dependencies, outdated packages
Auth Failures
Broken authentication, session management issues
Data Integrity Failures
Insecure deserialization, CI/CD vulnerabilities
Logging & Monitoring Failures
Insufficient logging, missing security events
Server-Side Request Forgery
SSRF through URL parameters, webhooks
Based on the OWASP Top 10 2021 standard
How It Works
Secure Scanning Pipeline
From clone to cleanup, every step is designed with security in mind.
Isolated Environment
Your code is cloned into a secure, isolated Docker container. Each scan runs in complete isolation from other scans.
Semgrep Analysis
Fast static analysis scans your code for known vulnerability patterns using comprehensive security rulesets.
Dependency Scan
Trivy scans your package manifests and lock files to identify known CVEs in third-party dependencies.
AI Deep Analysis
Advanced AI performs semantic analysis to understand business logic and identify context-specific vulnerabilities.
Results Aggregation
All findings are combined, deduplicated, and classified by severity: critical, high, medium, or low.
Secure Cleanup
Temporary files and containers are immediately destroyed. Your source code is never stored permanently.
Actionable Results
Clear, Actionable Findings
Every vulnerability comes with the context you need to fix it quickly. No more hunting through vague reports or guessing what to do next.
Severity Classification
Critical, high, medium, and low severity levels help you prioritize what to fix first.
Precise Location
Exact file paths and line numbers point you directly to the vulnerable code.
AI Recommendations
Detailed descriptions and actionable recommendations to remediate each issue.
Auto-Resolution Tracking
Tasks automatically resolve when vulnerabilities are fixed in subsequent scans.
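The Results Aggregation step of the pipeline and the Severity Classification and Auto-Resolution Tracking features above describe one process: normalize every scanner's findings onto a common schema, collapse duplicates reported by more than one engine, rank by severity, and mark findings that disappear between scans as resolved. The block below is an added illustration of that process written for this page; it is not CursorGuard's own code, and the per-scanner record shapes, severity vocabularies and sample findings are constructed simplifications, not the real Semgrep or Trivy output formats.

```python
"""Added example (not CursorGuard's own code): normalize findings from
several scanners into one schema, deduplicate them, rank by severity, and
mark findings that vanished between two scans as resolved. The scanner
record shapes below are constructed simplifications, not the real Semgrep
or Trivy JSON schemas."""
from dataclasses import dataclass, replace

# Common severity scale; a lower rank sorts first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Assumed per-scanner vocabularies mapped onto the common scale.
SEMGREP_SEVERITY = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}
TRIVY_SEVERITY = {"CRITICAL": "critical", "HIGH": "high",
                  "MEDIUM": "medium", "LOW": "low", "UNKNOWN": "low"}


@dataclass(frozen=True)
class Finding:
    source: str      # scanner(s) that reported it, e.g. "ai+semgrep"
    title: str
    path: str
    line: int        # 0 for manifest-level findings that have no line
    severity: str
    detail: str

    def key(self):
        # The same issue at the same location is one task, whoever reported it.
        return (self.path, self.line, self.title.lower())


def from_semgrep(records):
    """Constructed shape: {'rule', 'path', 'line', 'severity', 'message'}."""
    return [Finding("semgrep", r["rule"].replace("-", " "), r["path"], r["line"],
                    SEMGREP_SEVERITY.get(r["severity"], "low"), r["message"])
            for r in records]


def from_trivy(records):
    """Constructed shape: {'id', 'pkg', 'installed', 'fixed', 'severity', 'title', 'target'}."""
    return [Finding("trivy", f"vulnerable dependency: {r['pkg']}", r["target"], 0,
                    TRIVY_SEVERITY.get(r["severity"], "low"),
                    f"{r['id']}: {r['title']} ({r['pkg']} < {r['fixed']})")
            for r in records]


def from_ai(records):
    """Constructed shape: already expressed on the common severity scale."""
    return [Finding("ai", r["title"], r["path"], r["line"], r["severity"], r["detail"])
            for r in records]


def aggregate(findings):
    """Merge duplicates (keeping the worst severity and every source) and sort."""
    merged = {}
    for f in findings:
        prev = merged.get(f.key())
        if prev is None:
            merged[f.key()] = f
            continue
        worst = f if SEVERITY_RANK[f.severity] < SEVERITY_RANK[prev.severity] else prev
        sources = "+".join(sorted(set(prev.source.split("+")) | {f.source}))
        merged[f.key()] = replace(worst, source=sources)
    return sorted(merged.values(),
                  key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line))


def resolved_between(previous, current):
    """Findings present in the previous scan but absent now are auto-resolved."""
    still_open = {f.key() for f in current}
    return [f for f in previous if f.key() not in still_open]


# Constructed sample scanner output mirroring the page's sample results.
SEMGREP = [
    {"rule": "sql-injection", "path": "src/api/users.ts", "line": 47,
     "severity": "ERROR", "message": "Unsanitized user input in database query"},
    {"rule": "missing-rate-limiting", "path": "src/auth/login.ts", "line": 12,
     "severity": "WARNING", "message": "Login endpoint lacks rate limiting"},
]
TRIVY = [
    {"id": "CVE-2021-23337", "pkg": "lodash", "installed": "4.17.20", "fixed": "4.17.21",
     "severity": "HIGH", "title": "Prototype pollution", "target": "package.json"},
]
AI = [
    {"title": "SQL injection", "path": "src/api/users.ts", "line": 47,
     "severity": "critical", "detail": "Query string is built from request parameters"},
]


def sample_report():
    """Aggregate the constructed sample into one severity-ranked list."""
    return aggregate(from_semgrep(SEMGREP) + from_trivy(TRIVY) + from_ai(AI))


if __name__ == "__main__":
    for f in sample_report():
        print(f"[{f.severity:8}] {f.path}:{f.line} {f.title} ({f.source})")
```

The dedup key deliberately ignores which scanner reported the issue, so the SQL injection flagged by both the pattern rule and the AI pass becomes a single critical task attributed to both; a second scan that no longer reports a key marks that task resolved without anyone closing it by hand.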
Scan Results
SQL Injection in User Query
Unsanitized user input in database query allows SQL injection attacks.
src/api/users.ts:47
Vulnerable Dependency: lodash
CVE-2021-23337: Prototype pollution in lodash < 4.17.21
package.json
Missing Rate Limiting on Auth Endpoint
Login endpoint lacks rate limiting, enabling brute force attacks.
src/auth/login.ts:12
Your Code, Protected
Security & Privacy First
We protect your code as carefully as we help you secure it. Here's how we protect your intellectual property.
Isolated Docker Containers
Each scan runs in a dedicated Docker container with no access to other scans or system resources.
No Permanent Storage
Your source code is cloned temporarily and deleted immediately after analysis completes.
Encrypted Transmission
All data is encrypted in transit using TLS 1.3. We use GitHub App tokens with minimal required permissions.
Minimal Permissions
Our GitHub App only requests read access to repository contents. We never write to your repositories.
Built for Modern Development
Perfect for AI-Assisted Coding
AI coding tools are powerful but can introduce security blind spots. CursorGuard catches what your AI assistant might miss.
Catches AI Blind Spots
AI coding tools often generate code with subtle security issues. Our multi-layered scanning catches what AI assistants miss.
Works With Your Tools
Seamlessly integrates with Cursor, GitHub Copilot, Lovable, and any AI-assisted development workflow through GitHub.
Automatic on Push
Configure branch watching to automatically scan on every push, catching issues as soon as AI-generated code lands.
Works with your favorite AI tools
Start Securing Your Code Today
Get started with 10 free scans per month. No credit card required. Connect your GitHub and run your first scan in under 2 minutes.