AI-native security · built for AI-generated code

AI writes the code.
We write the fixes.

PatchPilot scans every commit with 5 scanners, auto-creates fix PRs, and turns every finding into a CodeCoach micro-lesson. Built for teams shipping with AI coding tools.

  • 5 scanners
  • <30s average scan
  • 10+ CWE lesson types
  • GitHub App, 2-minute install
  • No code stored
Capabilities:
  • Semgrep SAST
  • Gitleaks secrets
  • Trivy SCA
  • Bearer SAST
  • AI pattern detection
  • Ghost dependency scanner
  • Prompt injection detection
  • Vibe code risk score
  • Auto-patch PRs
  • CodeCoach lessons
  • CWE knowledge base
  • GitHub App integration
  • Webhook-driven scanning
  • Multi-repo dashboard
  • AI attribution analysis
The AI code problem

Traditional scanners were built
before AI wrote your code.

In 2026, most production code is written by AI. This creates entirely new attack surfaces that Snyk, SonarQube, and legacy SAST tools simply cannot detect.

  • 0% of code is AI-assisted: GitHub Copilot, Cursor, and Claude now touch the majority of production commits.
  • 0.0× more vulns in AI-generated repos: AI models replicate insecure patterns from training data at scale.
  • 0% of leaked secrets come from AI-generated keys: models generate realistic-looking placeholder keys that get committed as "temporary".
  • 0% of legacy scanners catch ghost deps: AI hallucinates package names that attackers pre-register to inject malicious code.
SAST
  Before: Developers write insecure code
  Now: AI confidently generates stale insecure patterns
SCA
  Before: Known vulnerable packages
  Now: AI hallucinates package names; attackers register them instantly
SECRETS
  Before: Secrets committed to code
  Now: AI generates realistic-looking placeholder keys that get committed
SUPPLY CHAIN
  Before: Manual code review catches bugs
  Now: PRs merged in minutes with "LGTM from Copilot"
PatchPilot

Scan. Patch.
Repeat automatically.

The security engineer that never sleeps. PatchPilot monitors every repository 24/7, runs 5 scanners in parallel, and pushes fix PRs before your morning standup.

Start scanning for free
Semgrep
Gitleaks
Trivy
Bearer
AI Pattern Scanner
5-scanner hybrid pipeline
Semgrep, Gitleaks, Trivy, Bearer, and our custom AI pattern scanner run in parallel on every commit.
Auto-patch PR creation
For SAST findings, PatchPilot rewrites the vulnerable code. For CVEs, it bumps the dependency. PR opened automatically.
Ghost dependency scanner
Detects AI-hallucinated package names that don't exist in npm/PyPI — a critical AI-era attack vector.
Vibe code risk scoring
4-signal risk score: AI attribution ratio, test coverage, PR velocity, secret entropy. Escalates severity on AI-heavy files.
Prompt injection detection
10-rule scanner catches taint-tracked template literals, raw req.body → LLM calls, and missing input sanitization in AI features.
Webhook-driven continuous scan
Install the GitHub App once. Every push triggers a background scan — no CI configuration required.
Example finding: CWE-89, SQL Injection — Parameterized Queries (HIGH), src/api/users.ts:89
Vulnerable:
  const query = `SELECT * FROM users WHERE id = ${userId}`;
Fixed:
  const query = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
CodeCoach

Learn from every
vulnerability you ship.

Instead of a Jira ticket saying "fix SQL injection," CodeCoach gives every developer a micro-lesson — the vulnerable code, the fix, the CWE explanation, and a quiz. Security knowledge compounds over time.

1
Lessons from your actual bugs
Every finding becomes a micro-lesson with the vulnerable code, the fix, and the CWE explanation — all in context of your repo.
2
Quiz mode with real CVE scenarios
Test your understanding with multiple-choice questions built from real-world CVE examples matching your stack.
3
Streak & skill tracking
Daily streaks, 91-day activity grids, and skill badges as developers learn from each vulnerability class.
4
Engineering summary reports
Weekly AI-generated summaries of your security posture, patterns found, and team skill progression.
How it works

From vulnerability to
lesson in one pipeline.

01
60-second setup

Connect your GitHub

Install the PatchPilot GitHub App in under 60 seconds. Select repositories — private or public. No CI configuration required.

02
< 30s scan time

Every push triggers a scan

On each commit or PR, PatchPilot runs 5 scanners in parallel: Semgrep, Gitleaks, Trivy, Bearer, and AI pattern detection. Scans complete in under 30 seconds.

03
Zero manual work

Auto-patch PR created

For every SAST finding, PatchPilot rewrites the vulnerable line. For CVEs, it bumps the dependency version. A PR is opened with a structured security comment.

04
Skill builds over time

CodeCoach lesson assigned

Every finding becomes a personalized micro-lesson in CodeCoach. Developers learn the CWE, see the fix in context, and complete a short quiz. Knowledge stacks.

Pricing

Start free. Scale with your team.

No credit card required on the free tier. Cancel anytime on paid plans. Annual billing saves 20%.

Free
Open source. Always free.
$0 forever
Get started free
  • 5 scans / month
  • Public repositories only
  • Semgrep + Gitleaks scanners
  • Basic CodeCoach lessons
  • GitHub App integration
  • Community support
  • No private repos
  • No auto-patch PRs
  • No AI attribution
Starter
For solo devs and small teams.
$29 / month
Start 14-day trial
  • 50 scans / month
  • Public + private repos
  • All 5 scanners
  • Full CodeCoach with AI lessons
  • Auto-patch PR creation
  • Ghost dependency scanner
  • Email support
Enterprise
For organizations at scale.
Custom
Contact sales
  • Everything in Pro
  • Unlimited seats
  • SSO / SAML
  • On-premise deployment
  • Custom scanner rules
  • SLA guarantee (99.9%)
  • Dedicated customer success
  • Custom integrations
  • Audit logs
All paid plans include a 14-day free trial. Save 20% with annual billing. Questions? Talk to us.

Frequently asked questions

How is PatchPilot different from Snyk or SonarQube?
Traditional tools scan for known CVEs and common patterns. PatchPilot uniquely detects AI-era attack surfaces: ghost dependencies (hallucinated package names), stale AI code patterns, AI-attributed files that need severity escalation, and prompt injection in LLM integrations. No other scanner does all five.
What is a 'ghost dependency'?
When AI coding tools suggest package names, they sometimes hallucinate names that don't exist in npm or PyPI. Attackers monitor registries for these names and publish malicious packages. PatchPilot detects packages in your manifest that have no entry in the registry.
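As an added example (not PatchPilot's code), here is the manifest-versus-registry check the answer describes, run over constructed npm and pip manifests. The registry lookup is injected as a callable so it runs offline against constructed allow-sets (`KNOWN_NPM`, `KNOWN_PYPI`); in practice `exists` would query the npm or PyPI registry and treat a 404 as "never published".

```python
import json
import re
# Constructed sample manifests (not from any real repository).
PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.19.2", "node-fetch-retry-utils": "^1.0.0"},
    "devDependencies": {"jest": "^29.0.0"},
})
REQUIREMENTS_TXT = """\
requests==2.31.0
Flask_Login>=0.6          # caps/underscores normalise to flask-login
openai-helpers-toolkit~=0.3
-e git+https://example.invalid/repo.git#egg=local_pkg
"""

def npm_deps(package_json: str) -> set[str]:
    """Collect package names from every dependency section of package.json."""
    data = json.loads(package_json)
    names: set[str] = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(section, {}))
    return names

def pip_deps(requirements: str) -> set[str]:
    """PEP 503-normalised names from requirements.txt; skips comments, options, -e/VCS lines."""
    names: set[str] = set()
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            # runs of '-', '_' and '.' collapse to one dash, then lower-case
            names.add(re.sub(r"[-_.]+", "-", m.group(0)).lower())
    return names

def find_ghosts(names: set[str], exists) -> list[str]:
    """Names the registry has no entry for; `exists(name)` is the injected lookup."""
    return sorted(n for n in names if not exists(n))
# Constructed stand-ins for the registries so the check runs offline.
KNOWN_NPM = {"express", "jest"}
KNOWN_PYPI = {"requests", "flask-login"}

def run() -> dict[str, list[str]]:
    return {
        "npm": find_ghosts(npm_deps(PACKAGE_JSON), KNOWN_NPM.__contains__),
        "pypi": find_ghosts(pip_deps(REQUIREMENTS_TXT), KNOWN_PYPI.__contains__),
    }

if __name__ == "__main__":
    for ecosystem, ghosts in run().items():
        print(f"{ecosystem}: {ghosts or 'no ghost dependencies'}")
```

Registry existence alone is a weak signal: a hallucinated name that someone has already published passes this check, so pair it with package age and download-count checks before trusting an unfamiliar name.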
Does PatchPilot store my source code?
No. PatchPilot downloads your repository to an ephemeral temp directory for scanning, then immediately deletes it after the scan completes. We never persist your code. Only finding metadata (file path, line range, CWE) is stored.
How does the auto-patch PR work?
For SAST findings (SQL injection, XSS, etc.), PatchPilot rewrites the vulnerable code using a rule-based patch engine. For SCA findings (vulnerable npm/pip packages), it bumps the version to the patched release. The PR is opened against your base branch with a detailed security comment.
Can I use CodeCoach without PatchPilot?
CodeCoach works best with PatchPilot findings, but you can also ingest findings from your existing Semgrep, Snyk, or GitHub Advanced Security setup via the CodeCoach webhook API.
Is there a self-hosted option?
Yes — the Enterprise plan includes on-premise deployment. You run PatchPilot inside your VPC; no findings leave your network. We provide Docker images and a Helm chart.
Start securing your AI-generated code
today. For free.

Install the GitHub App in 60 seconds. Your first 5 scans are free, forever. No credit card. No setup. No CI configuration.

  • No credit card required
  • Code never stored
  • Cancel anytime
  • Open source scanner core