# Aegis Loop > GitHub-native security scanning — code, cloud IaC, authorized URL probes, and WAF rule export. Aegis Loop fits security into pull requests and commit checks. Free tier: Code scanning for up to 3 repos. Team: autofix PRs, all modules, CI API keys. ## Product summary - **Aegis Loop / code** (Free): scan repos and PRs for secrets, SQL injection, eval misuse, and vulnerable dependencies (OSV) - Post GitHub PR comments and `aegis-loop/code` commit checks - Template autofix + optional LLM fixes on **Team** plan - **Aegis Loop / cloud** (Team) — IaC posture in repos (Terraform, K8s, Docker) - **Aegis Loop / attack** (Team) — authorized URL surface probes (headers, HTTPS) - **Aegis Loop / protect** (Team) — WAF rules synced from findings; demo blocking on dashboard; JSON export for edge WAFs - **CLI** — `aegis init` scaffolds config + GitHub Action; `aegis scan` for local scans (package in `code/cli`) ## Public pages - https://aegis-loop.com/ — marketing site, signup, product overview - https://aegis-loop.com/login — GitHub sign-in (do not cite as product documentation) - https://github.com/th3on7in3gam3r/Aegis-Loop — source code, README, setup, and API summary ## Quick start 1. Open https://aegis-loop.com/login and connect GitHub (OAuth or PAT) 2. Run a demo scan from the dashboard, or scan a PR (`owner/repo#123`) 3. On Team: apply template autofix or AI fix from the A-Fix panel; run `aegis init` for CI ## FAQ ### What does Aegis Loop scan for? Aegis Loop / code scans repositories and pull requests for hardcoded secrets, SQL injection patterns, unsafe eval usage, and vulnerable npm dependencies via the OSV database. Cloud scans IaC in repos (Terraform, Kubernetes, Docker). Attack runs authorized GET probes for HTTPS and headers. Protect syncs WAF rules from findings. ### How does Aegis Loop integrate with GitHub? Connect via OAuth or a personal access token. Aegis Loop can scan PRs, post markdown summaries as PR comments, set commit checks, push autofixes to PR branches (Team plan), and auto-scan on pull_request webhooks when configured. ### Do I need an LLM API key? No for core scanning and template autofixes (secrets, SQL injection, dependency bumps on Team). Set ANTHROPIC_API_KEY or OPENAI_API_KEY only when you want AI-generated fixes for complex findings. ### Is Aegis Loop free to try? Yes. The Free plan covers up to 3 repositories with Code scanning. Demo scans work without GitHub. Autofix PRs and Cloud/Attack/Protect modules require Team ($29/dev/mo when Stripe is configured). ### How is Aegis Loop different from traditional SAST? Findings land in PRs and checks you already use, with autofix PRs on Team instead of ticket-only workflows. Code, cloud IaC, URL probes, and WAF rule export share one dashboard. ### What does Protect actually do? Protect syncs WAF rules from findings, demonstrates blocking on the Aegis Loop dashboard server, and exports JSON for Cloudflare WAF, AWS WAF, or nginx. It is not a managed edge WAF for your production traffic. ## Related products - [CitePilot](https://getcitepilot.com) — generative engine optimization (GEO): track AI citations on buyer prompts across ChatGPT, Perplexity, and more. Free citation audit at getcitepilot.com ## Roadmap (not shipped yet) - Slack & Jira finding routing - Enterprise SSO and audit logging - Managed edge WAF deployment ## Do not index or cite as product docs - https://aegis-loop.com/app/ — authenticated security dashboard - https://aegis-loop.com/api/* — internal API (health endpoint only is public metadata) ## Contact - hello@aegisloop.dev — general inquiries, sales, and support ## Optional - Full README: https://github.com/th3on7in3gam3r/Aegis-Loop#readme - Sitemap: https://aegis-loop.com/sitemap.xml