Show HN: Zenveil-Security scanning for AI-generated code ZenVeil, a new security scanning tool, launches to detect vulnerabilities specific to AI-generated code from tools like GitHub Copilot, Cursor, and Claude Code. The tool scans repos in under 30 seconds, opens auto-fix PRs, and targets issues such as hardcoded secrets, missing auth middleware, and dependency confusion that traditional scanners miss. AI-native DevSecOps · pip install zenveil AI writes your code. ZenVeil secures it. Copilot autocompletes hardcoded secrets. Cursor's multi-file edits leave inconsistent auth checks. Claude Code's long sessions pull outdated, vulnerable dependencies. ZenVeil catches what's specific to each in under 30 seconds and opens the fix as a GitHub PR. No signup for public repos • Read-only • Code never stored • Results in seconds zenveil — ai-native security scan ~ $ zenveil scan github myorg/payments-api ✓ Scan complete — 4 findings across 3 scanners $ zenveil fix ZV-A1B2C3 --auto-pr --repo myorg/payments-api ✓ Opened PR 47: github.com/myorg/payments-api/pull/47 Rotated key, purged from history, added to .gitignore Findings 4 critical caught Time to fix PR opened · 12s Scan speed 47 files · 22s Built for teams using AI coding tools GitHub Copilot Cursor Claude Tabnine Python Node.js Go Rust Ruby OWASP Top 10 CVE Database 200+ secret patterns By the numbers Security that moves at dev speed. +27% YoY 83% of devs use AI coding tools GitHub Octoverse 2024 14 findings avg per repo scan secrets · CVEs · OWASP −90% vs. SAST < 30 seconds full scan time CLI, CI/CD, or browser auto-PR 1 command auto-fix & open GitHub PR no manual triage Internal benchmark, not yet independently verified — largest repo tested so far: ~48,000 files, full scan under 8 minutes. Positioning Where your security stack stops looking. Your stack was built for code humans wrote. AI generates the same bug classes — hardcoded secrets, missing auth middleware, tokens in localStorage — at higher frequency, in places existing tools weren't tuned to look. Capability GitHub Actions Snyk / Semgrep Claude / ChatGPT Review ZenVeil Known CVE & dependency vulnerabilities Hardcoded API keys, JWT secrets, AWS credentials in source Sensitive routes without authorization middleware Dependency confusion risk in package manifests Auth tokens written to browser storage localStorage Missing rate limits or verbose error responses on APIs Known CVE & dependency vulnerabilities GitHub Actions Snyk / Semgrep Claude / ChatGPT Review ZenVeil Mature scanners own this. ZenVeil intentionally does not — keep yours. Hardcoded API keys, JWT secrets, AWS credentials in source GitHub Actions Snyk / Semgrep Claude / ChatGPT Review ZenVeil Models commonly inline placeholder-looking secrets that are real. ZenVeil ships rule families tuned for this pattern. Sensitive routes without authorization middleware GitHub Actions Snyk / Semgrep Claude / ChatGPT Review ZenVeil Generators forget auth middleware on routes that handle user-scoped data. Detected by static analysis of route handlers. Dependency confusion risk in package manifests GitHub Actions Snyk / Semgrep Claude / ChatGPT Review ZenVeil AI-generated package.json files commonly mix scoped and unscoped names in ways an attacker can hijack. Auth tokens written to browser storage localStorage GitHub Actions Snyk / Semgrep Claude / ChatGPT Review ZenVeil AI defaults to localStorage for tokens — a known XSS exfiltration vector. ZenVeil flags this pattern explicitly. Missing rate limits or verbose error responses on APIs GitHub Actions Snyk / Semgrep Claude / ChatGPT Review ZenVeil Generated endpoints often return stack traces and lack rate limiting. ZenVeil probes for both. Designed for this Partial Not designed for this Out of scope — use your existing tool On the roadmap Hallucinated package detection IaC misconfiguration scanning Prompt-injection surface analysis We ship what the scanner actually detects today. These are in active development. GitHub Actions, Snyk, Semgrep, and general-purpose AI reviewers are excellent at what they were built for. We run several of them on our own code. ZenVeil isn't a replacement. It's the layer that catches what those tools were never designed to detect — the failure modes that show up when a model writes the code, not a person. Most teams keep their existing stack and add ZenVeil for the blind spots. Four example findings · linked to actual ZenVeil scanner rules What ZenVeil Actually Finds Explore real security findings from AI-generated code. See how ZenVeil detects, explains, and helps fix issues before they reach production. Hardcoded secrets Missing auth checks Source map exposure Dependency confusion Token storage risks Read-only analysis · Code never stored · Findings verified with file-level evidence 1 Critical 2 High 2 Medium Findings · 5 examples CRITICAL Hardcoded API key assignment EXAMPLE FINDING Live-shaped Stripe key in a generated test fixture tests/fixtures/stripe-customer.json : 1 Fixture committed with a token shaped like sk live …. If real, it is now in git history and may need rotation. Why AI produces this: Models often pad fixtures with realistic-looking values rather than placeholders. The prefix shape matches a real Stripe secret key. ZenVeil's suggested fix — opens as a PR - "api key": "sk live 4eC39HqLyjWDarjtT1zdp7dc" + "api key": "<<-STRIPE TEST KEY- " // Resolved from env at test setup How the scan works Read-only analysis Repos are cloned to an ephemeral sandbox. No write access. No persistence. Code never stored Source is deleted after the scan completes. Never used for training. Verifiable findings Each finding includes a file path and line you can confirm against the diff. Built for AI-generated code Detection rules are tuned for the failure modes AI produces at higher frequency. 60 seconds · Sandboxed · First finding free, no signup required Your code is never stored and never used for training. Enterprise trust Is your code safe with us? Here's the answer. You shouldn't need to talk to sales to find out. Here's exactly what happens to your source when ZenVeil scans it. Your GitHub repo read-only OAuth scope Ephemeral scan container spun up per scan, destroyed after Findings, in memory never written to disk PR opened on your repo source code never leaves GitHub SOC 2 Type II in progress In progress GDPR ready Data processing compliant Verified Code never stored Architecture guarantee Enforced Read-only tokens GitHub OAuth scoped Enforced DPA available On request for Enterprise Available security.txt RFC 9116 compliant Published Built on The AI agent trust layer Every agent writes code differently. Every risk, covered. A generic "we support AI tools" line is an afterthought. Each agent below has a distinct failure pattern — ZenVeil's rule engine is tuned to catch it specifically. GitHub Copilot Highest rate of hardcoded secrets in autocomplete suggestions — caught before the commit, not after. Cursor Multi-file agent edits frequently introduce inconsistent auth checks across touched routes. Claude Code Long autonomous sessions can pull outdated dependencies from training data — CVE-checked on every PR. Also covered OpenAI Codex Task-runner agents commit directly — ZenVeil gates the branch before merge, not after an incident. Gemini Cross-language projects show elevated injection risk at language boundaries — shell, SQL, and template contexts. Background CI agents Unattended by design — ZenVeil is the only reviewer some of these commits will ever get. How it works From pip install to merged PR Installed, scanned, explained, and fixed — in one terminal session. 01 Install No account. No config. One line. ZenVeil ships as a standard Python package — install it like anything else in your toolchain. $ pip install zenveil ✓ Installed zenveil-cli 3 free scans/hour, no signup required CI/CD Integration Drop it into any pipeline. Add ZenVeil to your GitHub Actions workflow and automatically block PRs that introduce CRITICAL or HIGH severity findings. Security gates that run in seconds, not minutes. Scans complete in under 30 seconds Blocks merges on HIGH/CRITICAL findings Auto-opens fix PRs from CI output .github/workflows/zenveil.yml Blocks merge on CRITICAL / HIGH YAML · 28 lines Capabilities Security built for AI-assisted development AI coding tools write fast and miss security basics. ZenVeil closes the gap — from secret detection to automated PR remediation, across your entire stack. PR 47 opened · payments-api − AWS KEY = "AKIA…" + AWS KEY = os.environ … Rotated · Purged · Merged Auto-fix Find and fix in one pull request ZenVeil opens the remediation as a reviewable GitHub PR. From finding to merge, in your existing workflow — no dashboard to babysit, no findings to triage by hand. 3 secrets found SECRETS FOUND · 3 AWS ACCESS KEY AWS STRIPE SECRET KEY Stripe GITHUB TOKEN GitHub 200+ patterns Secret detection AWS keys, GitHub tokens, JWT secrets, and passwords caught before they reach production. Regex + entropy analysis for near-zero false negatives. osv.dev lookup · 3 matches CVE lookups Supply chain security Floating dependency versions, missing lockfiles, and CVE lookups via OSV.dev. Know exactly what you're shipping before it ships. explain · suggest fix EXPLAIN · SUGGEST FIX The localStorage.setItem 'token', … pattern is an XSS exfiltration vector. Suggested fix: httpOnly cookie via server proxy. Deterministic + LLM Built for AI-generated code Deterministic detection, LLM-assisted remediation. Our rule engine targets patterns AI generates at higher frequency — over-permissive configs, missing input validation, tokens in localStorage. Early Access Feedback Real devs. Real findings. What engineers say after running ZenVeil on their first codebase — from indie makers to security teams shipping into regulated environments. “ZenVeil caught a hardcoded Stripe secret sitting in our prod codebase for 6 months. Our pentester missed it. One command, 18 seconds — found, fixed, PR opened. It's now step one of our onboarding checklist.” AM Aisha M. Backend Engineer “I expected 400 noisy false positives. Instead I got 7 real findings with clear explanations and an auto-PR opened for 4 of them. That's genuinely impressive for a CLI tool.” JP Jordan P. Senior Engineer “Before every investor demo I run ZenVeil. It's a ritual. The peace of mind knowing my repo is clean before due diligence is worth every penny of the subscription.” SK Sarah K. Founder, SaaS Startup “We have a full AppSec team and still run ZenVeil in CI. Fast enough not to block merges. Catches the stuff that slips through PR review — floating deps, exposed tokens, weak configs.” MC Marcus C. Security Engineer “I don't have a security background but the dashboard makes everything legible. What's critical vs what can wait is instantly clear, and the AI explanations make sense to a non-security person.” PP Priya P. Full-Stack Developer “Vibe-coded a SaaS over a weekend. Ran ZenVeil before going live — it found my Supabase service key in three different files. Fixed in 20 minutes with the patch it suggested. Would've been a disaster.” TA Tom A. Indie Maker “Integrated ZenVeil into GitHub Actions in under 10 minutes. Every PR now gets a security check automatically. Our team security awareness has gone up noticeably — people actually read the findings.” EV Elena V. Platform Engineer “The AI fix suggestions are shockingly good. It doesn't just tell you what's wrong — it generates the actual patch with context for your specific framework. Saved me a full afternoon on a single finding.” DO David O. Software Engineer “The scan results were accurate. My one note: I initially wanted more context on the OWASP mapping for each finding. The update added docs links for every result — that fixed it.” RM Ryan M. Early Access Tester “In healthtech, one exposed credential is catastrophic. ZenVeil runs nightly and is part of our SOC 2 compliance workflow. The audit logs alone justify the subscription cost.” RT Rachel T. Backend Engineer “The supply chain analysis changed how we think about dependencies entirely. Seeing which packages have unresolved CVEs with severity scores made the whole team more deliberate about what we install.” AK Alex K. Software Engineer “ZenVeil caught a hardcoded Stripe secret sitting in our prod codebase for 6 months. Our pentester missed it. One command, 18 seconds — found, fixed, PR opened. It's now step one of our onboarding checklist.” AM Aisha M. Backend Engineer “I expected 400 noisy false positives. Instead I got 7 real findings with clear explanations and an auto-PR opened for 4 of them. That's genuinely impressive for a CLI tool.” JP Jordan P. Senior Engineer “Before every investor demo I run ZenVeil. It's a ritual. The peace of mind knowing my repo is clean before due diligence is worth every penny of the subscription.” SK Sarah K. Founder, SaaS Startup “We have a full AppSec team and still run ZenVeil in CI. Fast enough not to block merges. Catches the stuff that slips through PR review — floating deps, exposed tokens, weak configs.” MC Marcus C. Security Engineer “I don't have a security background but the dashboard makes everything legible. What's critical vs what can wait is instantly clear, and the AI explanations make sense to a non-security person.” PP Priya P. Full-Stack Developer “Vibe-coded a SaaS over a weekend. Ran ZenVeil before going live — it found my Supabase service key in three different files. Fixed in 20 minutes with the patch it suggested. Would've been a disaster.” TA Tom A. Indie Maker “Integrated ZenVeil into GitHub Actions in under 10 minutes. Every PR now gets a security check automatically. Our team security awareness has gone up noticeably — people actually read the findings.” EV Elena V. Platform Engineer “The AI fix suggestions are shockingly good. It doesn't just tell you what's wrong — it generates the actual patch with context for your specific framework. Saved me a full afternoon on a single finding.” DO David O. Software Engineer “The scan results were accurate. My one note: I initially wanted more context on the OWASP mapping for each finding. The update added docs links for every result — that fixed it.” RM Ryan M. Early Access Tester “In healthtech, one exposed credential is catastrophic. ZenVeil runs nightly and is part of our SOC 2 compliance workflow. The audit logs alone justify the subscription cost.” RT Rachel T. Backend Engineer “The supply chain analysis changed how we think about dependencies entirely. Seeing which packages have unresolved CVEs with severity scores made the whole team more deliberate about what we install.” AK Alex K. Software Engineer “The supply chain analysis changed how we think about dependencies entirely. Seeing which packages have unresolved CVEs with severity scores made the whole team more deliberate about what we install.” AK Alex K. Software Engineer “In healthtech, one exposed credential is catastrophic. ZenVeil runs nightly and is part of our SOC 2 compliance workflow. The audit logs alone justify the subscription cost.” RT Rachel T. Backend Engineer “The scan results were accurate. My one note: I initially wanted more context on the OWASP mapping for each finding. The update added docs links for every result — that fixed it.” RM Ryan M. Early Access Tester “The AI fix suggestions are shockingly good. It doesn't just tell you what's wrong — it generates the actual patch with context for your specific framework. Saved me a full afternoon on a single finding.” DO David O. Software Engineer “Integrated ZenVeil into GitHub Actions in under 10 minutes. Every PR now gets a security check automatically. Our team security awareness has gone up noticeably — people actually read the findings.” EV Elena V. Platform Engineer “Vibe-coded a SaaS over a weekend. Ran ZenVeil before going live — it found my Supabase service key in three different files. Fixed in 20 minutes with the patch it suggested. Would've been a disaster.” TA Tom A. Indie Maker “I don't have a security background but the dashboard makes everything legible. What's critical vs what can wait is instantly clear, and the AI explanations make sense to a non-security person.” PP Priya P. Full-Stack Developer “We have a full AppSec team and still run ZenVeil in CI. Fast enough not to block merges. Catches the stuff that slips through PR review — floating deps, exposed tokens, weak configs.” MC Marcus C. Security Engineer “Before every investor demo I run ZenVeil. It's a ritual. The peace of mind knowing my repo is clean before due diligence is worth every penny of the subscription.” SK Sarah K. Founder, SaaS Startup “I expected 400 noisy false positives. Instead I got 7 real findings with clear explanations and an auto-PR opened for 4 of them. That's genuinely impressive for a CLI tool.” JP Jordan P. Senior Engineer “ZenVeil caught a hardcoded Stripe secret sitting in our prod codebase for 6 months. Our pentester missed it. One command, 18 seconds — found, fixed, PR opened. It's now step one of our onboarding checklist.” AM Aisha M. Backend Engineer “The supply chain analysis changed how we think about dependencies entirely. Seeing which packages have unresolved CVEs with severity scores made the whole team more deliberate about what we install.” AK Alex K. Software Engineer “In healthtech, one exposed credential is catastrophic. ZenVeil runs nightly and is part of our SOC 2 compliance workflow. The audit logs alone justify the subscription cost.” RT Rachel T. Backend Engineer “The scan results were accurate. My one note: I initially wanted more context on the OWASP mapping for each finding. The update added docs links for every result — that fixed it.” RM Ryan M. Early Access Tester “The AI fix suggestions are shockingly good. It doesn't just tell you what's wrong — it generates the actual patch with context for your specific framework. Saved me a full afternoon on a single finding.” DO David O. Software Engineer “Integrated ZenVeil into GitHub Actions in under 10 minutes. Every PR now gets a security check automatically. Our team security awareness has gone up noticeably — people actually read the findings.” EV Elena V. Platform Engineer “Vibe-coded a SaaS over a weekend. Ran ZenVeil before going live — it found my Supabase service key in three different files. Fixed in 20 minutes with the patch it suggested. Would've been a disaster.” TA Tom A. Indie Maker “I don't have a security background but the dashboard makes everything legible. What's critical vs what can wait is instantly clear, and the AI explanations make sense to a non-security person.” PP Priya P. Full-Stack Developer “We have a full AppSec team and still run ZenVeil in CI. Fast enough not to block merges. Catches the stuff that slips through PR review — floating deps, exposed tokens, weak configs.” MC Marcus C. Security Engineer “Before every investor demo I run ZenVeil. It's a ritual. The peace of mind knowing my repo is clean before due diligence is worth every penny of the subscription.” SK Sarah K. Founder, SaaS Startup “I expected 400 noisy false positives. Instead I got 7 real findings with clear explanations and an auto-PR opened for 4 of them. That's genuinely impressive for a CLI tool.” JP Jordan P. Senior Engineer “ZenVeil caught a hardcoded Stripe secret sitting in our prod codebase for 6 months. Our pentester missed it. One command, 18 seconds — found, fixed, PR opened. It's now step one of our onboarding checklist.” AM Aisha M. Backend Engineer AM JP SK MC PP TA EV Early Access — free to try Join them. Ship securely. Scan your first repo in under 30 seconds — no config, no credit card, no excuses. ✓ Free forever plan ✓ No credit card ✓ pip install zenveil ZenVeil Simple pricing Start free. Upgrade when you need it. One finding on a free scan can save you from a breach that costs thousands. Enterprise plans include SSO, audit log, and private deployment. See a real finding /demo Free $0 /forever For developers who want to check a repo now. Scan a repo scanner 3 public repo scans / hour All finding categories Severity-ranked results Secrets, deps, CI/CD, headers Email report Private repositories AI explain & fix Auto-PR remediation Scan history CI/CD webhook Pro $19 /per month For developers who ship fast and can't afford breaches. Get Pro /dashboard?upgrade=pro Unlimited scans Public & private repos All finding categories AI explain — why it's dangerous AI fix — generated patch Auto-PR remediation Scan history 90 days Email alerts on new findings Team seats PDF compliance reports CI/CD webhook Team $59 /per month For engineering teams that need coverage across every repo. Contact us /cdn-cgi/l/email-protection c4aca1a8a8ab84bea1aab2a1ada8eaa0a1b2fbb7b1a6aea1a7b0f99ea1aa92a1ada8e490a1a5a9e494a8a5aa Everything in Pro Up to 5 team members Unlimited private repos CI/CD webhook integration PDF compliance reports Slack & email alerts Priority support Custom scan policies Enterprise Custom /talk to us For platform and security teams shipping under compliance. Contact sales /cdn-cgi/l/email-protection 88e0ede4e4e7c8f2ede6feede1e4a6ecedfeb7fbfdeae2edebfcb5d2ede6deede1e4a8cde6fcedfaf8fae1fbed Everything in Team Unlimited seats SSO / SAML Audit log & role-based access Private / on-prem deployment Custom detection policies DPA & subprocessor list Dedicated support All plans include a 7-day free trial on paid features. No credit card required for Free. Common questions Everything you need to know Quick answers to the questions developers ask before they trust a security tool with their code. Does ZenVeil upload my source code? not stored on our servers after the scan completes. See our Security & Privacy /security page for full details. How is ZenVeil different from Snyk, Semgrep, or GitGuardian? What languages and ecosystems does ZenVeil support? Can ZenVeil scan private repositories? What happens when ZenVeil finds a vulnerability? Does ZenVeil scan test files? Is there a free tier? What are the limits? Why do AI features require a paid plan? What AI models power ZenVeil? Is ZenVeil production-ready? Still have questions? Our team responds within 24 hours. We read every message and use feedback to improve the product. email protected