Introduction
Secbez documentation — application security scanning combining a deep code graph with multi-agent reasoning.
Secbez is an application security scanner for modern codebases. It finds real, exploitable vulnerabilities — injection, XSS, broken access control, IDOR, business-logic flaws, hardcoded secrets, transaction-integrity bugs — and surfaces them with the evidence a developer actually needs to fix the issue.
Unlike single-pass static analysis tools that flood you with pattern matches, Secbez treats every candidate as a hypothesis that has to be defended with concrete evidence. Findings that can't defend themselves are dropped or flagged for review — never shipped as confirmed.
How it works
Connect your repository
Install the Secbez GitHub App and select the repositories you want to protect. Secbez can also run as a self-hosted deployment for enterprise customers.
Your code is parsed into a deep graph
Our analysis engine reads your repository and builds a sophisticated code graph that captures structure, control flow, and dataflow. The graph is rich enough to reason about routes, authorization, tenant scoping, and how data moves end-to-end. Each scan runs against its own isolated snapshot.
Specialized AI reasoning explores the graph
Specialized agents reason over the graph against a strict evidence contract — they can only confirm a finding when concrete supporting evidence is present. When evidence is incomplete, the result is "inconclusive," not "vulnerable."
Findings are validated before they ship
Every confirmed finding goes through additional validation. Anything that can't survive scrutiny is filtered out or routed to needs-review.
Policy and publish
Surviving findings are deduplicated against a per-repo baseline, evaluated against your policy, and published to GitHub as Check Run annotations and to the Secbez dashboard.
What Secbez detects
Secbez covers the high-impact classes of application vulnerabilities:
- Injection — SQLi, command injection, template injection, SSTI, deserialization
- Cross-site scripting (XSS) — reflected, stored, DOM-based, framework-specific (React dangerouslySetInnerHTML, Vue v-html, etc.)
- Broken access control — missing authorization, missing tenant scoping, role checks bypassed at the route level
- IDOR / BOLA — user-controlled IDs reaching DB sinks without an ownership predicate
- Authentication and protocol issues — JWT misuse, OAuth/SSO callback flaws, session management, missing auth on sensitive endpoints
- Business logic and transaction integrity — race conditions, TOCTOU, double-spend, workflow bypass, state manipulation
- Server-side request forgery (SSRF)
- Secrets — API keys, tokens, private keys, and credentials in source code
- Cryptographic misuse — weak algorithms, ECB mode, hardcoded IVs, broken randomness
For the full catalog see Detection Categories.
Key capabilities
Deep code graph
A sophisticated graph of your codebase that captures structure, control flow, and dataflow. Findings are backed by cross-file evidence, not single-line pattern matches.
Evidence-anchored findings
Every finding is anchored to a code location with concrete evidence. Inconclusive verdicts are routed to needs-review rather than guessed.
Low false-positive rate
Multi-stage validation filters speculative findings before they reach you.
GitHub-native
Findings appear as GitHub Check Run annotations on the relevant lines of the PR. No context switching.
Fix guidance
Each finding ships with an explanation grounded in the evidence and, when safe, a verified patch.
Enterprise Deep Scan
Self-hosted, no caps, BYO-GPU, BYO-model, BYO-policy. Run unlimited candidates, unlimited graph depth, and your own open-source LLMs.