Snitch GitHub Action

Security review on every pull request. Posted as a comment, blocked when it matters.

Drop a workflow YAML into your repo. On every PR, Snitch scans the changed files, posts a sticky comment with findings, uploads SARIF to GitHub Code Scanning, and (optionally) blocks merge when a critical finding lands. Free with GitHub Models out of the box. Bring your own OpenRouter / Anthropic / OpenAI / Google key when you want a specific model or higher throughput.

Why it's different

Built for the PR review you don't have time for.

Runs on your runner.

The Action executes on your GitHub-hosted or self-hosted runner. Your code stays in your CI environment. Snitch's servers see only the license check and per-scan metadata.

Free with GitHub Models, BYO key when you want more.

The default path uses the runner's GITHUB_TOKEN with a `permissions: models: read` grant; every GitHub user gets a free GitHub Models inference quota. Need Sonnet, Opus, Gemini, or higher throughput? Add a single repo secret for OpenRouter, Anthropic, OpenAI, Google, or Copilot and the Action picks it up automatically.

SARIF + sticky comment.

Findings post inline in the PR with file, line, severity, fix. SARIF uploads to GitHub Code Scanning so it lands in the Security tab next to CodeQL and Dependabot output.

How it works

Three steps, ten minutes.

1. Subscribe. Pick a tier below. Stripe checkout completes, your dashboard generates a Snitch GitHub Action license key (separate from any CLI key).

2. Add the workflow. Copy the snippet from your dashboard into .github/workflows/snitch.yml. The only required repo secret is SNITCH_LICENSE_KEY; the default uses free GitHub Models. Add an AI provider key only if you want a specific model or higher throughput.

3. Open a PR. Snitch comments with findings, uploads SARIF, and (if configured) sets the merge gate.
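An added example of what the step-2 workflow file can look like, written here as illustration and not the snippet your dashboard generates: it shows the least-privilege permissions block the page's three behaviours need (models: read for GitHub Models, pull-requests: write for the sticky comment, security-events: write for the SARIF upload). The `uses:` reference and the input names `license-key`, `openrouter-api-key` and `fail-on` are placeholders; take the real ones from your dashboard snippet.

```yaml
# .github/workflows/snitch.yml  (illustrative example, not the dashboard snippet)
name: Snitch security review

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least-privilege grant for what the Action does on a PR:
#   contents: read         -> check out the code to compute the diff
#   pull-requests: write   -> post and update the sticky findings comment
#   security-events: write -> upload SARIF to Code Scanning (Security tab)
#   models: read           -> free GitHub Models inference via GITHUB_TOKEN
permissions:
  contents: read
  pull-requests: write
  security-events: write
  models: read

# One run per PR; a new push cancels the superseded scan.
concurrency:
  group: snitch-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  snitch:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the PR diff against its base is available

      # PLACEHOLDER action reference and input names; Snitch itself flags
      # unpinned action versions, so pin this to a commit SHA in production.
      - uses: OWNER/snitch-action@vX
        with:
          license-key: ${{ secrets.SNITCH_LICENSE_KEY }}   # the only required secret
          # Optional BYO provider key; leave out to stay on free GitHub Models.
          # openrouter-api-key: ${{ secrets.OPENROUTER_API_KEY }}
          # Merge gate: the Action exits non-zero at or above this severity
          # (the CLI's --fail-on); branch protection turns that into a blocked merge.
          fail-on: critical
```

Without a branch-protection rule that requires this check, a non-zero exit only marks the check red; it does not stop the merge.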

What Snitch looks for

72 categories, applied to your diff.

Injection and data handling

SQL injection, XSS, SSRF, path traversal, unsafe deserialization, command injection through shell-outs with user input.

Authentication and session

Broken auth flows, weak JWT validation, OAuth misconfiguration, session fixation, missing CSRF protection.

Secrets in PRs

API keys, .env files, AWS / GCP tokens, weak key generation accidentally landing in a diff.

AI-specific risks

Prompt injection, unsanitized LLM output, tool-call abuse, context leakage across tenants.

Supply chain + dependency CVEs

Dependency confusion, unsafe post-install scripts, typosquatted packages, lockfile drift, unpinned action versions. Plus an OSV.dev pass on every lockfile in the diff — known CVEs across npm, PyPI, Go, Rust, RubyGems, Maven, Packagist, and NuGet come back grouped per package with severity and an upgrade target.

Access control

IDOR, missing authorization checks, privilege escalation paths, RLS bypass.

Pricing

Subscription, per org.

Three tiers, all with full 71-category coverage. Pricing and checkout live on the main pricing page.

See Action plans

FAQ

Common questions.

Is the GitHub Action included with the Snitch CLI subscription?

No. They are separate subscriptions. If you want both (local CLI scans on your device AND PR scans in CI), subscribe to each independently. Pricing is the same per tier.

Do I need an AI API key?

No. Out of the box the Action uses the runner's GITHUB_TOKEN to call free GitHub Models (~50 requests/day per repo for free GitHub accounts; higher with Copilot or Enterprise). Add an OpenRouter / Anthropic / OpenAI / Google key only when you want a specific model or higher throughput.

Where does the AI call run?

From your runner to whichever provider you've selected. Default provider is GitHub Models (Microsoft Azure-hosted). Override with OpenRouter, Anthropic, OpenAI, Google, or a Copilot-subscription token. Snitch's own servers see only the license check and per-scan metadata, not your source.

What does Snitch see?

The license validation, the methodology download, and per-scan counters (file count, finding counts, duration). We do NOT collect or store repo name, PR number, branch, or anything else identifying. Source code does NOT touch Snitch infrastructure. The provider you pick (GitHub Models, OpenRouter, etc.) does see the prompt; that is an unavoidable trade-off for any cloud-based AI scan.

Can I block merges on findings?

Yes. The Action exits non-zero when findings at or above your `--fail-on` severity are detected. That fails the check, and with branch protection enabled a failed check blocks the merge.

Does it work with self-hosted runners?

Yes. The Action runs the Snitch CLI binary on whatever runner GitHub assigns it. Self-hosted, GitHub-hosted, or matrix combinations all work.

Cancel any time?

Yes. Manage or cancel from your dashboard. Cancellations take effect at the end of the billing period; you keep access until then.

Add Snitch to your CI in ten minutes.

All 72 categories. Sticky PR comment, inline review, SARIF upload.

Snitch uses AI to generate findings. AI can make mistakes, miss issues, or flag false positives, even with guardrails. Snitch is not responsible for actions taken based on AI output.