Private alpha — early feedback in flight

Attestely vouches for what your AI shipped.

Indie-friendly security audits, built for the post-Cursor era. EU-hosted. CRA-aligned. From €19/month.

  • Open-source CLI
  • Hosted in France
  • GDPR-ready

The problem

AI coding tools ship fast. They don't audit.

Cursor and Copilot ship code in seconds. Subtle security issues come along for the ride. Your linter won't catch these. Your IDE won't either.

Secrets in the diff

API keys pasted into sample code, .env files committed by mistake — gitleaks-grade issues your AI happily reproduces.

Tainted SQL & input handling

String interpolation in queries, missing input validation, prototype pollution patterns silently copied from training data.

Vulnerable dependency pins

Package versions suggested by autocomplete that match a CVE published last week — flagged by Trivy, ignored everywhere else.

Unsafe defaults

CORS wide open, missing auth checks on admin routes, generic JWT secrets baked into config — the boilerplate that 'works on my machine'.

How it works

Three things Attestely does on every PR.

Scan, attest, fix. No new lint to learn, no second dashboard to babysit.

Scan

Trivy, Semgrep, gitleaks orchestrated for you — locally via the open-source CLI or remotely on every pull request. One workflow file, no glue code.

Attest

Findings deduplicated by signature, ranked by severity, posted as a single PR review comment that updates as you push. Resolved issues auto-close.
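To make the "deduplicated by signature, ranked by severity, resolved issues auto-close" step concrete, here is an added illustration in Python. It is not Attestely's code; the scanner names are the ones the page lists, the rule ids, paths and CVE id are constructed placeholders, and the signature scheme (tool, rule, path, whitespace-normalized snippet) is an assumption.

```python
import hashlib
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}

@dataclass(frozen=True)
class Finding:
    tool: str      # scanner that reported it: trivy, semgrep or gitleaks
    rule: str      # rule or CVE identifier as emitted by that scanner
    path: str      # file the finding points at
    severity: str  # one of SEVERITY_RANK's keys
    snippet: str   # offending line; used instead of a line number so edits above it don't churn ids

def signature(f: Finding) -> str:
    """Stable key for one finding: same rule on the same normalized snippet in the same file."""
    material = "|".join([f.tool, f.rule, f.path, " ".join(f.snippet.split())])
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def dedupe_and_rank(findings):
    """Collapse duplicates by signature (keeping the worst severity), then sort worst-first."""
    by_sig = {}
    for f in findings:
        sig = signature(f)
        prev = by_sig.get(sig)
        if prev is None or SEVERITY_RANK[f.severity] < SEVERITY_RANK[prev.severity]:
            by_sig[sig] = f
    return sorted(by_sig.items(), key=lambda kv: (SEVERITY_RANK[kv[1].severity], kv[1].path, kv[1].rule))

def diff_pushes(previous_sigs, ranked_now):
    """Signatures seen in the last review but absent now are resolved (auto-close); the rest are new."""
    current_sigs = {sig for sig, _ in ranked_now}
    return sorted(set(previous_sigs) - current_sigs), sorted(current_sigs - set(previous_sigs))

def render_review(ranked):
    """Body of the single PR review comment that gets rewritten on every push."""
    lines = ["## Security review (%d open finding%s)" % (len(ranked), "" if len(ranked) == 1 else "s")]
    for sig, f in ranked:
        lines.append(f"- [{f.severity}] {f.tool}/{f.rule} in `{f.path}` (id {sig})")
    return "\n".join(lines)

# Constructed sample: gitleaks reports the same pasted key twice (once after a whitespace-only
# reformat), semgrep flags an interpolated query, trivy flags a pinned package (placeholder CVE id).
SAMPLE = [
    Finding("gitleaks", "generic-api-key", "app/config.py", "HIGH", 'API_KEY = "sk-live-EXAMPLE"'),
    Finding("gitleaks", "generic-api-key", "app/config.py", "HIGH", 'API_KEY   =   "sk-live-EXAMPLE"'),
    Finding("semgrep", "formatted-sql-query", "app/db.py", "MEDIUM", 'cur.execute(f"SELECT * FROM u WHERE id={uid}")'),
    Finding("trivy", "CVE-0000-00000", "requirements.txt", "CRITICAL", "somepkg==1.2.3"),
]

if __name__ == "__main__":
    print(render_review(dedupe_and_rank(SAMPLE)))
```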

Fix

Each finding gets an LLM-written explanation in your code's context, plus a suggested fix you can copy or apply with one click.

Three steps

From sign-up to first review in under five minutes.

No migration. No call. No card required.

  1. Install the GitHub App

     30 seconds. Minimal permissions: read code, read PRs, write commit statuses. You pick the repos.

  2. Add the workflow file

     We open the PR for you with the workflow pre-configured, or you add it yourself in a minute.

  3. Open a pull request

     The scan runs, the review lands in PR comments. No action needed — security becomes part of your usual flow.

Pricing

Simple. Indie-priced. Cancel anytime.

Free forever for hobby projects. Solo at €19/month for serious indie work. Studio and Team when you grow.

Free

Forever free for hobby projects

€0 forever
  • 1 connected repo
  • 5 PR scans / month
  • Top-10 findings analyzed per scan
Solo (Most popular)

For Léa: serious indie SaaS work

€19 /mo
  • Up to 5 connected repos
  • 150 PR scans / month
  • Full LLM analysis on every finding

Pro

For multi-project indies

€39 /mo
  • Up to 10 connected repos
  • 500 PR scans / month
  • Team-shared dismiss rules

Why trust Attestely

EU-native by design. Honest by default.

Hosted in Paris

Primary data center in France (Supabase EU). Edge workers on Cloudflare's EU network. No US data transfer in the default configuration.

GDPR-native

Built around GDPR from day one. CRA-aligned. Cookieless analytics (Plausible). No tracking pixels, no ad networks.

AGPLv3 CLI

The scanner CLI is open-source on GitHub. Run it locally for free, audit the code, fork it. The backend pipeline remains proprietary.

No training on your code

We send snippets to the LLM provider (Anthropic) under its no-training data policy. Raw blobs are deleted after 30 days.

Your next pull request can review itself.

Sign up free in under a minute. The first scan runs the moment you open a PR.