Skip to content
Our open-source security work.See the research
AI code reviews, free for open-source projects

The code reviewer that takes security seriously

A CWE-tagged security review on every pull request. Secrets, injection and vulnerable dependencies caught before merge. Free for public repos, forever.

  • GitHub + GitLab
  • No credit card
How it works

One install. Security review on every PR.

Security review runs on every PR

On open and push, Sebastion runs AI code audit plus dependency CVE and verified secret checks, then posts a fast walkthrough with pre-merge sanity checks.

Fixes and blockers appear inline

Findings land on the exact changed line with severity and MITRE CWE context. Small patches include one-click suggestions; critical findings can block auto-merge.

Inline review

A security review, right where you merge.

Sebastion posts findings as review comments on the pull request, with the exact lines to change, before anything ships.

Open

feat: Adding chat generation #53417

lewiswigmore wants to merge 2 commits into main from lewiswigmore/feature

Sebastionbotreviewed 2 minutes ago
api/chat/route.ts
25export async function POST(req: NextRequest) {
26 const { userId, messages } = await req.json();
27 if (userId !== req.user.id) {
28 return NextResponse.json(
29 { error: "Unauthorized" },
30 { status: 401 },
31 );
32 }
33 const stream = await generateChat(messages);
SebastionbotCritical

Missing authorization check allows user impersonation. Add a user ID validation before processing requests.

CWE-862 · Missing Authorization View details
Product surfaces

Built for review workflows, not another dashboard

Security context appears where developers already approve changes.

Code context

Diff-aware findings, not generic lint noise.

Sebastion reviews the changed lines in context, then posts CWE-tagged findings with fix suggestions when the patch is small and safe.

Learning loop

Teach once, reuse on future audits.

Reply @sebastionai in-thread to clarify intent or suppress noisy checks. AGENTS.md and related instruction files are reused from your base branch.

Workflow surfaces

Security in PRs first, dashboard second.

Walkthroughs and pre-merge checks land in PR/MR threads with inline findings. Pro and Team can also publish SARIF to the GitHub Security tab.

Ecosystem

No team secures AI code alone.

Sebastion plugs into the source hosts, AI tools, and frameworks your team already ships with, then applies framework-aware checks across the whole stack.

Source hosts
AI coding tools
Frameworks
  • GitHub
  • GitLabAzure DevOps
  • BitbucketClaudeOpenAI
  • CodexGitHub CopilotCursorJavaScript
  • TypeScriptPythonGoRustNext.js
Chat with the bot. Teach it once.

Reply on a finding. It listens, answers, and remembers

Reply to any inline finding with @sebastionai and the bot responds in the same thread — it answers your question, suppresses the rule on that file, or both. The next audit honours what you taught it.

In a PR thread, reply on any Sebastion finding…
@sebastionai help
@sebastionai ignore                            # suppress this rule on this file
@sebastionai suppress legacy code, rewriting   # …with an optional reason
@sebastionai mute training data not real
@sebastionai why is this exploitable?          # Pro+ Q&A — answers in-thread
Pricing

Pick a tier, not a model.

Free for public repos. Pro is $19/mo for one developer. Team is pay-as-you-go with credit packs, with unlimited users and repos.

Free
$0forever

For solo developers and OSS maintainers shipping in public.

  • Public repos only
  • Walkthrough + pre-merge checks on every PR
  • Inline security review with CWE-tagged findings
  • OSV.dev CVE detection + secret scanning
  • Up to 50 PR audits / repo / month
Try for free

Pro
$19/ month

For 1 developer working in private repos.

  • Private repos
  • Autofix PR drafts on critical findings
  • Higher-reasoning frontier model
  • Unlimited audits
  • Inline SARIF in GitHub Security tab
Try for free

Open source

Trusted OSS projects where Sebastion is already shipping

Merged pull requests from Sebastion across widely used open-source repos.

Compared to

Where Sebastion fits among the AI tools you already use.

Most AI-for-code tools help you write code faster. Sebastion is the counterweight: an autonomous reviewer that reads every PR and flags exploitable bugs before they ship.

Catch security bugs before merge

Open Connect, choose your source host, and review your next pull or merge request in under a minute.

  • GitHub + GitLab
  • No credit card