FAQ
Common questions about Snitch.
Which one should I buy?
If you mostly want a one-time security check on a codebase you own, the Plugin. If you want ongoing scans on your device with the latest methodology, the CLI. If you want every pull request scanned automatically in CI, the GitHub Action.
They are independent. Pick one or any combination.
Do I need an AI API key?
- Plugin: no. It runs inside the AI tool you already use.
- CLI: shells out to your locally-installed Claude / Codex / Gemini, OR accepts an OpenRouter key.
- GitHub Action: defaults to free GitHub Models inference via the workflow's GITHUB_TOKEN. Optionally accepts any provider key for higher rate limits.
Does my source code get sent to Snitch?
No. Snitch's servers never receive your code, and we don't store anything about it. The license check, the methodology download, and per-scan metadata (file count, finding counts, duration) go to snitchplugin.com. Snitch processes your code locally (Plugin runs inside your AI tool, CLI runs on your device, Action runs in your runner). The AI provider you choose does see the prompts during inference, the same way it sees any other prompt you send it.
Is this a replacement for a penetration test?
No. Snitch is a code-reading reviewer that catches the common misses fast. Pen tests, threat modeling, and human security review remain important for novel attack surface and business logic.
Can I cancel any time?
Yes. CLI and Action subscriptions cancel from your dashboard via the Stripe portal. You keep access until the end of the current billing period. The Plugin is a one-time purchase, so there's nothing to cancel.
What does the methodology cover?
72 categories spanning injection, auth, secrets, supply chain, AI-specific risks (prompt injection, agentic loops), access control, crypto, and platform-specific patterns (Cloudflare Workers, Next.js, Supabase, React Native, Stripe, etc.). New categories ship to CLI and Action customers without any update on their part. Plugin customers get the methodology baked in at purchase time.
What if my provider rate-limits me?
The Action retries transient errors (429, 5xx, network) with exponential backoff (250ms, 1s, 4s) and continues. Persistent failures fail the scan loudly with a red commit check rather than silently posting a "0 findings" comment.
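The retry behaviour described above, as an added example that is not Snitch's own code: a wrapper around a provider call that retries only transient errors (429, 5xx, network) with the page's 250ms / 1s / 4s backoff, and throws once retries are exhausted so the caller can mark the commit check red instead of reporting "0 findings". The error shape (`err.status` for HTTP status, `err.code` for Node socket errors), the list of network error codes, and the `flakyProvider` stub are assumptions made for the example.

```javascript
// Added example, not Snitch's code. Retry-with-backoff around a provider call:
// transient errors (429, 5xx, network) are retried with 250ms, 1s, 4s delays;
// anything else, or a still-failing call after the last retry, is thrown so the
// scan fails loudly rather than quietly returning an empty findings list.

const BACKOFF_MS = [250, 1000, 4000]; // delays from the FAQ
// Assumed set of Node socket error codes treated as "network" failures.
const NETWORK_CODES = new Set(['ECONNRESET', 'ETIMEDOUT', 'ENOTFOUND', 'ECONNREFUSED', 'EAI_AGAIN']);

// Classify an error from the provider call. Assumes `err.status` carries the
// HTTP status (as most fetch wrappers expose it) and `err.code` the socket code.
function isTransient(err) {
  if (err && typeof err.status === 'number') {
    return err.status === 429 || (err.status >= 500 && err.status <= 599);
  }
  return Boolean(err && NETWORK_CODES.has(err.code));
}

// Run `callProvider` with retries. `sleep` and `log` are injectable so tests
// run without real delays.
async function withRetry(callProvider, { sleep = (ms) => new Promise((r) => setTimeout(r, ms)), log = () => {} } = {}) {
  let attempt = 0;
  for (;;) {
    try {
      return await callProvider(attempt);
    } catch (err) {
      if (!isTransient(err) || attempt >= BACKOFF_MS.length) {
        // Non-retryable, or retries exhausted: surface it. Never return [] here;
        // a "0 findings" result is indistinguishable from a clean scan.
        const e = new Error(`scan failed after ${attempt + 1} attempt(s): ${err && err.message ? err.message : err}`);
        e.cause = err;
        e.attempts = attempt + 1;
        throw e;
      }
      const delay = BACKOFF_MS[attempt];
      log(`transient error (${err.status || err.code}), retrying in ${delay}ms`);
      await sleep(delay);
      attempt++;
    }
  }
}

// Scan each file; returns the merged findings on success, throws on failure so
// the caller can fail the commit check instead of posting an empty comment.
async function runScan(files, callProvider, opts) {
  const findings = [];
  for (const file of files) {
    const result = await withRetry(() => callProvider(file), opts);
    findings.push(...result);
  }
  return findings;
}

// Constructed fake provider: throws 429 for the first `failures` calls, then
// returns `findingsPerFile` synthetic findings for the file.
function flakyProvider(failures, findingsPerFile = 1) {
  let calls = 0;
  return async (file) => {
    calls++;
    if (calls <= failures) {
      const err = new Error('rate limited');
      err.status = 429;
      throw err;
    }
    return Array.from({ length: findingsPerFile }, (_, i) => ({ file, id: `finding-${i}` }));
  };
}

// Stand-alone demo (CommonJS only): two rate-limit responses, then success.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  runScan(['src/app.js'], flakyProvider(2), { log: console.log })
    .then((f) => console.log('findings:', f))
    .catch((e) => { console.error(e.message); process.exitCode = 1; });
}
```

The important design point is the failure path: after the last backoff the wrapper throws instead of returning an empty array, so a persistent provider outage produces a red check that someone will notice, not a green "0 findings" comment that looks like a clean scan.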
Where do I get help?
Email eric.waters@snitchplugin.com. Response within two business days.