Snitch CLI
Snitch runs on your machine and shells out to your installed Claude Code, Codex, or Gemini CLI, or calls OpenRouter with your own key. Snitch's servers never receive your code, and we don't store anything about it. You get a markdown report and a SARIF file in under two minutes.
Why it's different
Your code never reaches Snitch's servers.
The AI call is a subprocess to claude, codex, or gemini on your machine, or a direct call to OpenRouter with your own key. Our servers only see the license check and per-scan counters (file count, finding counts, duration). No repo or PR identity, no source.
Runs with the AI you already pay for.
No second subscription. Snitch uses your existing Claude Code, Codex, or Gemini login. If you want a pooled option, point it at OpenRouter and pay by the token.
72 categories, always current.
The methodology downloads per scan, so new categories land the day we publish them with no CLI update on your side. Pro and Team plans unlock the full 71; Enterprise adds custom rule sets.
How it works
Install once. Grab the binary from your dashboard or install it with Homebrew. One signed executable on your PATH, no Node runtime required.
Authenticate. Paste your license key. Snitch validates it against our API, saves it to ~/.snitch/config.json with 0600 permissions, and never asks again.
Scan. Get a markdown report and a SARIF 2.1.0 file for CI. Changed files by default, full repo on demand, or a single PR by number.
What Snitch looks for
Injection and data handling
SQL injection, XSS, SSRF, path traversal, unsafe deserialization, command injection through shelling out with user input.
Authentication and session
Broken auth flows, weak JWT validation, OAuth misconfiguration, session fixation, insecure cookie flags, missing CSRF protection.
Secrets and credentials
Hardcoded API keys, .env committed to git, AWS and GCP tokens in code, weak key generation, credentials in logs.
AI-specific risks
Prompt injection, unsanitized LLM output rendered as HTML, tool-call abuse, context leakage across tenants, model jailbreak vectors.
Supply chain + dependency CVEs
Dependency confusion, unsafe post-install scripts, typosquatted packages, lockfile drift, unpinned action versions. Plus a deterministic OSV.dev pass on every pinned version across npm, PyPI, Go, Rust, RubyGems, Maven, Packagist, and NuGet — known CVEs come back grouped per package with severity and an upgrade target.
Access control
IDOR, missing authorization checks, privilege escalation paths, row-level security bypasses, admin endpoints reachable from user tokens.
Cryptography
Weak hashing, predictable IVs, custom crypto, disabled TLS verification, insecure random for security-sensitive values.
Platform-specific
Cloudflare Workers misconfig, Next.js server actions leaking secrets, Supabase RLS holes, React Native bundles shipping keys.
Full list of 72 categories available to Pro, Team, and Enterprise subscribers.
Who uses it
Solo developers shipping fast.
One-person SaaS founders and indie hackers who can't schedule a pentest before every launch. Use Snitch as a second pair of eyes before merging to main.
Engineering teams.
Teams of 2 to 10 that want a consistent floor on review quality. Drop Snitch into CI or run it locally before opening a PR.
Security-curious juniors.
Developers learning what to look for. Every finding names the category, the file and line, and a suggested fix, so you pick up patterns over time.
Pro $19. Team $99. Enterprise on request.
All plans unlock the full 72 categories. Pick the plan that fits how much you scan and how many seats you need.
FAQ
Does my code get sent to Snitch's servers?
No. The only thing that hits our API is the license check and per-scan counters (file count, finding counts, duration). We do NOT collect or store the repo name, PR number, branch, or anything else identifying. The CLI processes your source on your device; if you're using a hosted AI provider, your code chunks go to that provider during inference (your key, your account).
Does it work without an internet connection?
Partially. The first scan in a session fetches the methodology from our API, then the AI call depends on your provider. OpenRouter and hosted Claude Code need the internet. A fully local model via a custom AI CLI does not.
What AI providers are supported?
Claude Code, OpenAI Codex, Gemini CLI, or direct OpenRouter with your own API key. Bring-your-own AI CLI is also supported via the LOCAL_AI_CMD environment variable.
How do I run it in CI?
Set SNITCH_LICENSE_KEY as a secret, add a step that installs the binary, then run snitch scan. SARIF output uploads cleanly to GitHub Code Scanning.
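As an added example (not Snitch's own documentation), here is a GitHub Actions workflow wired the way this answer describes. The install command and the SARIF output filename are placeholders, since the page does not state them; the `upload-sarif` action and its `security-events: write` permission are GitHub's.

```yaml
# .github/workflows/snitch.yml
# Runs Snitch on every pull request and uploads its SARIF to GitHub Code Scanning.
name: snitch
on:
  pull_request:

permissions:
  contents: read          # checkout needs nothing more
  security-events: write  # required for Code Scanning SARIF uploads

jobs:
  snitch:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a commit SHA in production; Snitch itself
      # reports unpinned action versions as a finding.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the default changed-files scan can diff against base

      - name: Install Snitch
        # PLACEHOLDER: use the Homebrew formula or binary download shown in your dashboard.
        run: brew install <formula-shown-in-your-dashboard>

      - name: Snitch scan
        env:
          # Stored as a repository secret; never committed to the repo.
          SNITCH_LICENSE_KEY: ${{ secrets.SNITCH_LICENSE_KEY }}
          # Credentials for your AI provider (e.g. OpenRouter) are configured per that
          # provider's own setup and are intentionally not shown here.
        run: snitch scan

      - name: Upload SARIF to Code Scanning
        if: always()   # upload even if the scan step exits non-zero
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snitch.sarif   # ASSUMED filename; match what your scan actually writes
```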
Can I cancel any time?
Yes. Manage or cancel your subscription from your dashboard. Cancellations take effect at the end of the current billing period; you keep access until then.
Is this a replacement for a penetration test?
No. Snitch augments your review process. It catches the common misses automatically. A human expert review still has its place for novel attack surface, business logic, and threat modeling.