How it works

Zero to security coverage on every PR in three steps

Install once. No CI pipeline changes, no workflow YAML to maintain. Every pull request gets scanned automatically from that point forward.

01 · Connect your repository

Install the Gritcadence GitHub App from the marketplace. Select the repositories you want scanned — you can add more later. The entire setup takes under 5 minutes.

Gritcadence requests the minimum permissions needed: read access to code and write access to pull request comments. No access to your build secrets, deployment keys, or repository settings.

GitHub App install
✓ App installed for org: acme-corp
✓ 4 repositories selected
→ First scan queued...
02 · Rules run on every PR

Every time a pull request is opened or updated, Gritcadence scans the changed code automatically. No manual trigger. No CI pipeline change required.

Scans cover 500+ built-in rules across Python, JavaScript/TypeScript, Go, Java, Ruby, and Rust — plus any custom YAML rules you've authored. Rules run against changed files only, not the full codebase, so scan times stay under a few seconds for typical PRs. Each finding includes a CWE ID, OWASP category, confidence level, and a suggested fix pattern.

scan in progress · PR #237
scanning: src/api/handlers.py (431 lines)
rules: 512 built-in + 3 custom
● GRCD-0081 (HIGH) · line 118
● GRCD-0204 (MED) · line 55
✓ scan complete · 1.1s
03 · Findings appear inline in your PR

Every finding becomes an inline PR review comment posted on the exact line where the issue was detected. Your reviewers see it in context — they don't have to leave GitHub, open another tool, or look up a finding ID.

Each comment includes the rule ID, severity, a plain-English explanation, and a suggested fix pattern. If a reviewer disagrees with a finding, they can suppress it inline with a justification — building an auditable record without leaving the review flow.
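The two mechanics described above, scanning only the changed file and anchoring each finding to an exact line, interact in one way worth seeing in code: GitHub accepts an inline review comment only on a line that appears in the PR diff, so a finding outside the hunks needs a fallback. The example below is added here and is not Gritcadence's code; the diff, the findings and their messages are constructed (the rule IDs merely echo the scan panel above), and the payload fields path, line, side and body are those of GitHub's pull-request review-comment API.

```python
import re
# Constructed unified diff for one changed file (sample input, not tool output).
SAMPLE_DIFF = """\
--- a/src/api/handlers.py
+++ b/src/api/handlers.py
@@ -52,3 +52,5 @@ def list_users(request):
     query = request.GET.get("q", "")
-    rows = db.search(query)
+    pattern = "%" + query + "%"
+    rows = db.search_like(pattern)
+    log.debug("users query=%s", query)
     return render(rows)
@@ -115,3 +117,4 @@ def export_report(request):
     name = request.GET["name"]
-    path = "/srv/reports/" + name
+    path = os.path.join("/srv/reports", name)
+    path = os.path.realpath(path)
     return send_file(path)
"""
# Constructed findings: IDs echo the page's panel, messages are placeholders only.
FINDINGS = [
    {"rule": "GRCD-0081", "severity": "HIGH", "line": 118, "msg": "placeholder A"},
    {"rule": "GRCD-0204", "severity": "MED", "line": 55, "msg": "placeholder B"},
    {"rule": "GRCD-0007", "severity": "LOW", "line": 300, "msg": "placeholder C"},
]
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def diff_line_numbers(diff):
    """New-file line numbers in any hunk; only these can anchor an inline comment."""
    present, new_line = set(), None  # new_line is None until the first hunk header
    for raw in diff.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
        elif new_line is None or raw.startswith("-"):
            continue  # file header, or a removed line (has no new-file number)
        else:
            present.add(new_line)  # '+' added line or ' ' context line
            new_line += 1
    return present

def route_findings(findings, diff, path):
    """Findings on diff lines become review-comment payloads; the rest are kept for a summary."""
    anchorable = diff_line_numbers(diff)
    inline, fallback = [], []
    for f in findings:
        if f["line"] in anchorable:
            inline.append({"path": path, "line": f["line"], "side": "RIGHT",
                           "body": f"{f['rule']} ({f['severity']}): {f['msg']}"})
        else:
            fallback.append(f)
    return inline, fallback
```

The fallback list is what keeps a finding from being silently lost when the scanner flags a line the PR did not touch; a single summary comment on the PR is the usual place for it.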

Common questions

Does Gritcadence work with monorepos?
Yes. Gritcadence handles monorepos well. You can configure which subdirectories to scan, which to ignore, and apply different rule sets per sub-project using the .gritcadence.yaml config file in your repo root.

How many repositories does each plan cover?
Starter covers up to 3 repositories. Pro covers up to 25. Team covers unlimited repositories with a flat monthly price. No per-repository add-on fees on any plan.

Can I write custom rules?
Yes, on Pro and Team plans. Rules are written in YAML using Gritcadence's rule DSL. You can define pattern-matching logic, taint sources and sinks, and attach custom severity and CWE metadata. The rule test harness lets you validate rules against test fixtures before deploying.

Which languages are supported?
Python, JavaScript, TypeScript, Go, Java, Ruby, and Rust are supported with built-in rule libraries. Framework-specific rules exist for Django, Flask, Express, Spring, and Rails. Language support is expanding — see the Rule Library for current coverage.

Does it require changes to my CI pipeline?
It's a GitHub App — not a GitHub Action. That means no changes to your CI pipeline, no workflow YAML to maintain, and scans happen independently of your CI run time. This is intentional: security scanning shouldn't block your CI pipeline or depend on it completing first.

Ready to connect your first repo?

Starter is free — up to 3 repos, 500+ built-in rules, no credit card required. First scan in under 5 minutes.