carapace

AI-powered code security for every PR

Get Started

Install the app, scan your code

Add to your GitHub org or run the CLI locally

$ npx carapace scan . --full

or add the GitHub App for automatic PR reviews

By the numbers

100+ rules
<30s average scan
7+ languages

How it works

01

Install in 60 seconds

Add the Carapace GitHub App to your org. Select repos. No config files needed.

02

AI reviews every PR

Push code. Carapace scans every changed line for security holes, bugs, and code smells.

03

Ship with confidence

Inline comments with fix suggestions. Block merges on critical issues. One-click fixes.

What it catches

100+ rules across security, bugs, and code quality

Security

SQL injection, XSS, SSRF, path traversal, hardcoded secrets, broken auth patterns.

Bugs

Off-by-one errors, null dereferences, race conditions, unreachable code, infinite loops.

Code Quality

Dead code, magic numbers, excessive nesting, empty catch blocks, unsafe casts.

Performance

N+1 queries, unnecessary allocations, missing memoization, bundle size issues.

auth/session.ts: 3 findings
24- const user = await db.query(`SELECT * FROM users WHERE id = ${id}`)
25- if (user) res.json(user)
24+ const user = await db.query(`SELECT * FROM users WHERE id = $1`, [id])
25+ if (!user) return res.status(404).json({ error: "Not found" })
CRITICAL

SQL injection via string interpolation. Use parameterized queries.

Stop shipping vulnerabilities

Free for open source. No credit card required.