Modules Solutions Resources About Pricing FAQ Contact
Login Start for Free
Early access · built for GitHub teams

Find it. Fix it. Ship it.

Aegis Loop scans your code, cloud configs, and authorized URLs — then helps you fix what matters in pull requests. Free tier covers Code scanning; Team unlocks autofix PRs, all modules, and CI keys.

$ npx aegis init
Scaffold CI with the repo CLI
aegis / production All systems scanning

Security Posture

Last scan · 4 seconds ago

0
Critical
0
Warnings
0
Resolved
0
Score
CRIT
Hardcoded AWS key in api/auth.ts:28
secret · Aegis Loop/code
Autofix PR →
WARN
Public S3 bucket: prod-assets-backup
us-east-1 · misconfigured ACL
Autofix PR →
OK
Protect blocked SQLi probe
WAF rule · demo on this dashboard
View →

Shield the stack. Close the loop.

Aegis is the shield. The loop is how we keep it up — find what's exploitable, fix it where you already work, and ship with the checks green. Then run it again.

01

Find it.

Scan code, cloud IaC, and authorized URLs for the vulnerabilities that actually matter.

02

Fix it.

Template and AI patches land as pull requests on Team — review, merge, move on.

03

Ship it.

Commit checks and PR comments keep merges safe — protection without the drag.

Aegis Shield, protection — the classic security metaphor behind everything we build.
Loop Continuous cycle — find → fix → ship, never one-and-done.

Find it. Fix it. Ship it.

Dev-first, action-oriented — not compliance theater.

Four modules. One closed loop.

Four modules share one dashboard — scan repos and PRs, check IaC files, probe URLs you authorize, and export WAF rules from what you find.

Aegis Loop / code

Static analysis

Catches injection flaws, exposed secrets, and risky dependencies before they merge — right inside your pull requests.

Aegis Loop / cloud

Cloud posture

Scans Terraform, Kubernetes, and Docker in your repos for public buckets, open firewalls, and exposed services — before they reach production.

Aegis Loop / attack

Offensive testing

Safe URL probes check HTTPS, security headers, and server disclosure on sites you authorize — no exploitation, no brute force.

Aegis Loop / protect

WAF rule lab

Sync rules from Code, Cloud, and Attack findings. Test blocks on this dashboard, then export JSON for Cloudflare, AWS WAF, or nginx.

Every finding, in the order that matters.

Findings sorted by severity with template or AI fixes on Team — surfaced in PR comments and checks, not a separate backlog.

Sorted by severity
Autofix PRs on Team
GitHub Action on PRs
aegis / staging → main · PR #482

Pull Request #482 · fix/rate-limit

3 findings · autofix available for 2

CRIT
SQL injection in queries/search.ts:44
injection · template autofix available
Generate fix →
WARN
Missing rate limit on /api/login
attack surface · manual fix guide
Generate fix →
OK
Dependency tree — no known CVEs
312 packages scanned · 0 critical
View report →
OK
IAM role least-privilege verified
Aegis Loop/cloud · prod-deploy-role
View →

Security that fits in,
not on top.

We've seen every kind of breach. Aegis Loop is what we wished existed — built for engineers who'd rather ship than babysit dashboards.

01

Lives in your pull requests

Findings show up as comments and suggested fixes — not a separate portal to remember to check.

02

Severity-first triage

Critical, high, and info findings in one list — sorted so you start with what breaks production, not noise from manifests alone.

03

Autofix PRs on Team

Template patches for secrets, SQLi, and dependencies — plus optional AI fixes when your server has an LLM key configured.

04

Four modules, one dashboard

Code, cloud IaC, authorized URL probes, and WAF rule export — without switching between four different tools.

05

Nothing to babysit

API-based scanning means nothing to install on production hosts. Nothing new to patch.

06

PR comments & checks

Scan results post as GitHub PR comments and aegis-loop/code commit checks — the workflow your team already reviews.

What ships in the product today

4
modules in one dashboard
GitHub
OAuth, PR scans, checks & comments
CLI
aegis init + local scan
Sister product

Ship secure code — get cited in AI answers

Aegis Loop finds and fixes vulnerabilities in your repos. CitePilot tracks whether ChatGPT, Perplexity, and other AI engines cite your product on buyer prompts — with a free citation audit and weekly GEO action plans.

Try CitePilot free Generative Engine Optimization · getcitepilot.com

Start free. Scale when you're ready.

Free covers Code scanning for up to 3 repos. Team unlocks autofix PRs, all modules, and CI API keys.

Free
For solo devs and side projects
$0/mo
  • Up to 3 repositories
  • Aegis Loop/code + dependency scanning
  • View findings & fix guides (A-Fix on Team)
  • Community support
Start for Free
Enterprise
For large or regulated orgs
Custom
  • SSO & audit logging (roadmap)
  • Slack & Jira routing (roadmap)
  • Dedicated onboarding
Book a Demo

Built by engineers who've
seen breaches up close.

Aegis Loop started as an internal tool — a way to stop repeating the same incident postmortems. Now it's the security loop we ship to every team that would rather fix problems than file tickets about them.

Most security tools dump thousands of alerts into a dashboard and call it a day. We built Aegis Loop around a different idea: scan where you already work — pull requests — and fix what you can with template or AI patches on Team.

The dashboard ships four modules today: Code (SAST + OSV), Cloud (Terraform/K8s/Docker in repos), Attack (authorized URL probes), and Protect (WAF rule sync, demo blocking, and JSON export). Deeper cloud API inventory, Slack/Jira routing, and enterprise SSO are on the roadmap.

2024Founded
RemoteGlobal team
SOC 2In progress

Fix, don't flood

Severity-sorted findings with template autofix and optional AI patches — not CVE counts for their own sake.

Meet developers where they are

Findings land in pull requests and IDE workflows. Security becomes part of shipping, not a gate at the end.

One loop, full coverage

Code, cloud IaC, URL probes, and WAF rules — in one dashboard, with export paths for production edge WAFs.

Common questions

Quick answers for teams evaluating Aegis Loop — and for search engines and AI assistants indexing this page.

What does Aegis Loop scan for?

Aegis Loop / code scans repositories and pull requests for hardcoded secrets, SQL injection patterns, unsafe eval usage, and vulnerable npm dependencies via the OSV database.

How does Aegis Loop integrate with GitHub?

Connect via OAuth or a personal access token. Aegis Loop can scan PRs, post markdown summaries as PR comments, set commit checks, push autofixes to PR branches, and auto-scan on pull_request webhooks.

Do I need an LLM API key?

No for core scanning. Template autofixes (secrets, SQLi, dependency bumps) require Team. Set ANTHROPIC_API_KEY or OPENAI_API_KEY on the server only when you want AI-generated fixes for complex findings.

Is Aegis Loop free to try?

Yes. The Free plan covers up to 3 repositories with Code scanning and dependency checks. Connect GitHub, run a demo scan, or scan pull requests without a credit card. Autofix PRs and Cloud/Attack/Protect modules require Team.

How do I set up CI with npx aegis init?

Run aegis init from the CLI in code/cli (or after we publish to npm). It writes .aegis/config.yml and a GitHub Action workflow. Create an API key in Settings and add it as AEGIS_API_KEY in GitHub Secrets.

What does Protect actually do?

Protect syncs WAF rules from your findings, runs live pattern blocking on this dashboard server so you can test rules, and exports JSON you can implement in Cloudflare WAF, AWS WAF, or nginx. It is not a managed edge WAF for your production traffic yet.

How is Aegis Loop different from traditional SAST?

Findings land in PRs and checks you already use, with autofix PRs on Team instead of ticket-only workflows. Code, cloud IaC, URL probes, and WAF rule export share one dashboard.

Questions, demos, or
enterprise onboarding.

Whether you're evaluating Aegis Loop for your team or need help with an integration — we'd love to hear from you. We typically respond within one business day.

General
hello@aegisloop.dev Product questions, partnerships, and press
Sales
sales@aegisloop.dev Team & Enterprise plans, custom pricing
Support
support@aegisloop.dev Help with scans, GitHub integration, or A-Fix
Documentation
Open the dashboard → Try the demo scan or connect GitHub to get started

Send us a message

Tell us about your stack and what you're trying to secure — we'll point you in the right direction.

Message ready to send

Your email app should open with this message. If it doesn't, write to hello@aegisloop.dev directly.

Your next vulnerability is already
somewhere in your stack.

Find it before it finds you. Free to start — no credit card, no sales call.