Everything you wanted to know about GitGuard but were too afraid to ask (or too lazy to Google)
GitGuard is a comprehensive security scanning platform for your code. We detect 200+ vulnerability patterns across categories like SQL injection, XSS, CSRF, SSRF, command injection, path traversal, cryptographic weaknesses, hardcoded secrets, and more. Beyond pattern matching, we offer AI-powered analysis, dependency scanning, secret detection, Infrastructure-as-Code scanning, PR-level scanning, compliance reporting, and a CLI tool for local scanning. Think of us as your code's entire security department - except we don't require a break room or a Slack channel for memes.
Nope, you don't need to be a security expert! That's the whole point. We explain vulnerabilities in plain English (well, mostly plain), provide remediation steps with code examples, and even offer AI-generated auto-fix suggestions. You don't need a PhD in cybersecurity - just the ability to read and care about your code not being a security nightmare.
Free gives you 5 scans/day with 50+ basic vulnerability patterns - great for trying things out. Pro ($19/month) bumps you to 100 scans/day and unlocks AI-enhanced scanning, auto-fix suggestions, PR security scanning, security trends dashboard, custom regex rules, CVSS scoring, report exports, and scan sharing. Premier ($29/month) goes unlimited and adds secret scanning, dependency scanning, license compliance, API security scanning, IaC scanning, Semgrep integration, DDoS testing, continuous monitoring, webhook alerts, compliance reports, custom natural language rules, and more. Check our pricing page for the full comparison - it's a lot.
Upgrades take effect immediately - you get instant access to new features. Downgrades are scheduled for the end of your current billing period, so you keep enjoying your current tier benefits until then. We're not monsters.
It's like having a senior security engineer review your code, except it doesn't drink all your coffee or have strong opinions about tabs vs spaces. AI scanning provides detailed vulnerability analysis, context-aware remediation steps, CVSS severity scoring, and even auto-fix code suggestions you can preview as diffs. We use multiple AI models with automatic fallback to keep things fast and reliable. Available in Pro and Premier tiers.
Auto-fix (Pro/Premier) uses AI to generate actual secure code replacements for vulnerabilities we find. You get a diff preview showing exactly what changes, so you can review before applying anything. We won't auto-commit to your repo because we've seen what happens when bots push code unsupervised. The fixes are included in your scan results and exports too.
PR scanning (Pro/Premier) integrates directly with GitHub pull requests. When a PR is opened or updated, we automatically scan the changed files and create a GitHub Check Run with inline annotations pointing directly to vulnerable lines. Your reviewers get security context without leaving the PR. It's like having a security-obsessed coworker who reviews every PR in seconds and never gets distracted by cat videos.
Dependency scanning (Premier tier) checks all your package dependencies for known vulnerabilities, typosquatting, and dependency confusion attacks. We support npm (package.json), Python (requirements.txt, Pipfile), Ruby (Gemfile), Go (go.mod), Java (pom.xml), and Scala (build.sbt). Because using that npm package with 47 dependencies from 2016 might not be your best security move. We'll tell you which dependencies are sketchy, why, and how to fix them.
Secret scanning (Premier tier) finds API keys, passwords, tokens, and other sensitive data accidentally committed to your repo. We detect AWS keys, GitHub tokens, Stripe keys, JWT tokens, database connection strings, private keys, Slack tokens, SendGrid keys, Twilio keys, OpenAI keys, Google API keys, and more. Yes, that AWS key you committed at 3 AM last Tuesday. We find it before hackers do.
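As an added illustration (not GitGuard's own code or detection rules) of how pattern-based secret scanning like the one described above works, here is a small detector run over a constructed sample file. The regexes are well-known public token formats for a few of the secret types listed; the placeholder filter that skips documentation-style example values is an assumption about one way to reduce false positives.

```python
import re
from typing import List, Tuple

# Illustrative patterns for a few secret types named above. These are public,
# well-known formats, not GitGuard's rules (assumption: the real rule set is
# larger and is not published here).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(r"\b(?:postgres|mysql|mongodb)://[^\s:]+:[^\s@]+@\S+"),
}

# Assumed noise filter: lines that look like docs placeholders are not reported.
PLACEHOLDER_RE = re.compile(r"(?i)example|placeholder|xxxx|<your|changeme")


def redact(value: str) -> str:
    """Keep a short prefix so a finding is recognisable without re-exposing the secret."""
    return value[:6] + "..." if len(value) > 10 else value


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, secret_type, redacted_match) for every hit in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PLACEHOLDER_RE.search(line):
            continue  # skip obvious sample/placeholder values
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, redact(match.group(0))))
    return findings


# Constructed sample config; every value below is fake. Line 3 uses the
# documented AWS example key, which the placeholder filter should skip.
SAMPLE_FILE = """\
# constructed sample config, every value is fake
AWS_ACCESS_KEY_ID=AKIAQ4Z7X2M9P1L0C8KT
AWS_EXAMPLE_KEY=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345
DATABASE_URL=postgres://app:s3cr3tpass@db.internal:5432/app
SLACK_TOKEN=xoxb-not-a-real-token-value
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, shown in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind} ({shown})")
```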
IaC scanning (Premier tier) checks your infrastructure configuration files for security misconfigurations before they become production nightmares. We scan Terraform (.tf), CloudFormation (YAML/JSON), Kubernetes manifests, Docker Compose files, and Dockerfiles. We catch things like overly permissive security groups, public S3 buckets, missing encryption, exposed ports, hardcoded secrets in configs, and overly permissive IAM policies. Because finding out your S3 bucket is public from a Twitter thread is not ideal.
API security scanning (Premier tier) analyzes your OpenAPI specs and GraphQL schemas for security issues. We check for missing authentication, missing rate limiting, mass assignment vulnerabilities, GraphQL introspection exposure, batching attacks, and more. If your API has security gaps, we'll find them before someone with less noble intentions does.
Custom rules let you define your own security checks tailored to your codebase. Pro tier gets custom regex pattern rules - define a pattern, set a severity, target specific file types, and we'll scan for it. Premier tier adds natural language rules where you describe what you're looking for in plain English and our AI interprets it. Perfect for catching project-specific anti-patterns your team keeps introducing at 4:59 PM on Fridays.
Compliance reports (Premier tier) map your scan results to industry security frameworks including OWASP Top 10, PCI-DSS, SOC2, HIPAA, and CIS Controls. Great for audits, security reviews, and convincing your compliance team that you actually take security seriously. Each report shows which controls are covered, what passed, and what needs attention.
Security trends (Pro/Premier) tracks your security posture over time with charts showing your security score progression, vulnerability severity counts, and findings trends across 30-day, 90-day, and yearly views. It's like a fitness tracker for your code's security health - except the numbers going down is actually a good thing here.
With Premier tier, you can schedule automatic scans of your repositories - hourly, daily, or weekly. We'll continuously monitor your code and alert you via email the moment new vulnerabilities are detected. You can monitor specific branches across multiple repos. It's like having a security guard who never sleeps, never takes breaks, and never eats your lunch from the office fridge.
Webhook alerts (Premier tier) let you send scan results to your own systems via HTTP POST. Perfect for integrating with Slack, Discord, PagerDuty, or your custom dashboard. When we find something, you'll know instantly - no logging in required.
Yes! With Pro and Premier tiers, you can generate shareable links to your scan results. You can add password protection and set expiration dates for extra security. Great for sharing findings with teammates who don't have GitGuard accounts, or for including in security review documentation.
Pro and Premier tiers can export scan results in CSV, JSON, and HTML formats. Reports include full vulnerability details, CVSS scores, confidence levels, AI remediation suggestions, and auto-fix explanations. Premier exports also include secrets, dependency findings, license issues, and compliance data. Perfect for audits, team reviews, or printing out and dramatically dropping on your manager's desk.
Yes! The GitGuard CLI (@gitguard/cli on npm) lets you scan code locally from your terminal. Run it in any directory, pipe results as JSON for CI/CD pipelines, or use it as a pre-commit check. It supports all the same scan options as the web platform - AI analysis, dependency scanning, secret scanning, CVSS scoring, compliance reports, and more. Exit code 1 on critical/high findings makes it perfect for failing builds that deserve to fail.
Yes! We only access your repositories temporarily during scans. We don't store your source code, we don't sell your data, and we definitely don't use it to train our own AI to take over the world. Your GitHub tokens are encrypted and never logged in plain text. Your secrets are safe with us (unlike that password you hardcoded in production last week).
Sort of! With auto-fix suggestions (Pro/Premier), our AI generates secure code replacements that you can preview as diffs before applying. We won't auto-commit fixes to your repo though - because automatically changing code is how you end up on r/programminghorror. You review, you decide, you apply. We just make it really easy.
We scan JavaScript, TypeScript, Python, PHP, Java, Ruby, Go, C#, Swift, Kotlin, Rust, C, C++, and Scala. Plus we scan infrastructure files like Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles. If your code can have security vulnerabilities (spoiler: it can), we probably scan it. If we don't support your language yet, let us know - we're always expanding our security empire.
Usually just a few seconds for basic scans. AI-enhanced scans take a bit longer (AI needs time to think, unlike some humans). Comprehensive Premier scans with all features enabled might take 30-60 seconds. Either way, it's faster than manually reviewing thousands of lines of code while questioning your life choices.
Absolutely! We're not a gym membership. Cancel anytime from your account settings. If you downgrade or cancel, you'll keep your current tier until the end of your billing period. We'll be sad to see you go, but we won't guilt-trip you about it. Much.
If you're unhappy within the first 7 days of a paid subscription, we'll refund you. After that, we follow standard monthly billing - cancel anytime and you won't be charged again. Fair and simple.
If you're scanning hundreds of repos or need custom integrations, contact us about Enterprise pricing. We can tailor a solution for your team's needs, including on-premise deployment, SSO, and custom SLAs.
Ironic, right? But hey, we're human too (mostly). Report bugs through our contact page and we'll fix them faster than you can say 'undefined is not a function'. Bonus points if you include a funny bug report title.