Find it.
Scan code, cloud IaC, and authorized URLs for the vulnerabilities that actually matter.
Aegis Loop scans your code, cloud configs, and authorized URLs — then helps you fix what matters in pull requests. Free tier covers Code scanning; Team unlocks autofix PRs, all modules, and CI keys.
Last scan · 4 seconds ago
Aegis is the shield. The loop is how we keep it up — find what's exploitable, fix it where you already work, and ship with the checks green. Then run it again.
Scan code, cloud IaC, and authorized URLs for the vulnerabilities that actually matter.
Template and AI patches land as pull requests on Team — review, merge, move on.
Commit checks and PR comments keep merges safe — protection without the drag.
Find it. Fix it. Ship it.
Dev-first, action-oriented — not compliance theater.
Four modules share one dashboard — scan repos and PRs, check IaC files, probe URLs you authorize, and export WAF rules from what you find.
Catches injection flaws, exposed secrets, and risky dependencies before they merge — right inside your pull requests.
Scans Terraform, Kubernetes, and Docker in your repos for public buckets, open firewalls, and exposed services — before they reach production.
Safe URL probes check HTTPS, security headers, and server disclosure on sites you authorize — no exploitation, no brute force.
Sync rules from Code, Cloud, and Attack findings. Test blocks on this dashboard, then export JSON for Cloudflare, AWS WAF, or nginx.
Findings sorted by severity with template or AI fixes on Team — surfaced in PR comments and checks, not a separate backlog.
3 findings · autofix available for 2
We've seen every kind of breach. Aegis Loop is what we wished existed — built for engineers who'd rather ship than babysit dashboards.
Findings show up as comments and suggested fixes — not a separate portal to remember to check.
Critical, high, and info findings in one list — sorted so you start with what breaks production, not noise from manifests alone.
Template patches for secrets, SQLi, and dependencies — plus optional AI fixes when your server has an LLM key configured.
Code, cloud IaC, authorized URL probes, and WAF rule export — without switching between four different tools.
API-based scanning means nothing to install on production hosts. Nothing new to patch.
Scan results post as GitHub PR comments and aegis-loop/code commit checks — the workflow your team already reviews.
What ships in the product today
aegis init + local scanAegis Loop finds and fixes vulnerabilities in your repos. CitePilot tracks whether ChatGPT, Perplexity, and other AI engines cite your product on buyer prompts — with a free citation audit and weekly GEO action plans.
Free covers Code scanning for up to 3 repos. Team unlocks autofix PRs, all modules, and CI API keys.
Aegis Loop started as an internal tool — a way to stop repeating the same incident postmortems. Now it's the security loop we ship to every team that would rather fix problems than file tickets about them.
Most security tools dump thousands of alerts into a dashboard and call it a day. We built Aegis Loop around a different idea: scan where you already work — pull requests — and fix what you can with template or AI patches on Team.
The dashboard ships four modules today: Code (SAST + OSV), Cloud (Terraform/K8s/Docker in repos), Attack (authorized URL probes), and Protect (WAF rule sync, demo blocking, and JSON export). Deeper cloud API inventory, Slack/Jira routing, and enterprise SSO are on the roadmap.
Severity-sorted findings with template autofix and optional AI patches — not CVE counts for their own sake.
Findings land in pull requests and IDE workflows. Security becomes part of shipping, not a gate at the end.
Code, cloud IaC, URL probes, and WAF rules — in one dashboard, with export paths for production edge WAFs.
Everything you need to scan repos, wire GitHub, and ship autofixes — no hunting through menus.
Quick start, scanning workflows, A-Fix, GitHub integration, and API reference inside the dashboard.
Sign in to open docs → Setupaegis initScaffold .aegis/config.yml and a GitHub Action workflow. Run from code/cli until the package is on npm.
Clone locally, configure OAuth and webhooks, environment variables, and the full API summary.
View on GitHub → AnswersWhat we scan for, GitHub setup, LLM autofix, and how Aegis Loop compares to traditional SAST.
Read FAQ → Sister productMonitor money prompts across ChatGPT, Perplexity, and Google AI. Free citation audit — complements shipping secure software with being found in AI answers.
Visit getcitepilot.com → ReferenceMachine-readable product summary for AI assistants and search — public pages, capabilities, and contact info.
View llms.txt →Quick answers for teams evaluating Aegis Loop — and for search engines and AI assistants indexing this page.
Aegis Loop / code scans repositories and pull requests for hardcoded secrets, SQL injection patterns, unsafe eval usage, and vulnerable npm dependencies via the OSV database.
Connect via OAuth or a personal access token. Aegis Loop can scan PRs, post markdown summaries as PR comments, set commit checks, push autofixes to PR branches, and auto-scan on pull_request webhooks.
No for core scanning. Template autofixes (secrets, SQLi, dependency bumps) require Team. Set ANTHROPIC_API_KEY or OPENAI_API_KEY on the server only when you want AI-generated fixes for complex findings.
Yes. The Free plan covers up to 3 repositories with Code scanning and dependency checks. Connect GitHub, run a demo scan, or scan pull requests without a credit card. Autofix PRs and Cloud/Attack/Protect modules require Team.
npx aegis init?Run aegis init from the CLI in code/cli (or after we publish to npm). It writes .aegis/config.yml and a GitHub Action workflow. Create an API key in Settings and add it as AEGIS_API_KEY in GitHub Secrets.
Protect syncs WAF rules from your findings, runs live pattern blocking on this dashboard server so you can test rules, and exports JSON you can implement in Cloudflare WAF, AWS WAF, or nginx. It is not a managed edge WAF for your production traffic yet.
Findings land in PRs and checks you already use, with autofix PRs on Team instead of ticket-only workflows. Code, cloud IaC, URL probes, and WAF rule export share one dashboard.
Whether you're evaluating Aegis Loop for your team or need help with an integration — we'd love to hear from you. We typically respond within one business day.
Tell us about your stack and what you're trying to secure — we'll point you in the right direction.
Your email app should open with this message. If it doesn't, write to hello@aegisloop.dev directly.
Find it before it finds you. Free to start — no credit card, no sales call.