Find Vulnerabilities.
Fix Them Instantly.
Paste your code and get security issues detected with an AI-powered fix in seconds. No setup, no noise - just results.
Paste a GitHub repo URL and scan instantly. Public repositories only; no sign-in required.
Push a PR. Vexlit Fixes It.
Push a PR. Vexlit finds and fixes vulnerabilities automatically.
- Create PR: Open a pull request and Vexlit starts scanning automatically.
- Scan: The SAST engine detects vulnerabilities in your code.
- Auto-Fix: AI fixes the vulnerabilities and commits to your PR.
- Merge: Review and merge with confidence.
AI-generated code is increasing security risks.
45% of AI-generated code contains security vulnerabilities (Veracode 2025)
Developers rarely have time to review every line for security
Traditional SAST tools produce too many false positives
VEXLIT solves this.
Real-time vulnerability detection as you code
AI-generated code verification with instant scanning
Developer-first DevSecOps - no noise, just results
98% Detection Accuracy
~2% False Positive Rate
34 Languages
Paste Code. Find Vulnerabilities. Get a Fix.
Try an example or paste your own code - VEXLIT detects security issues and suggests a fix instantly.
Only a portion of code is analyzed in demo mode. Sign in for full analysis.
See it in action
VEXLIT scans your repository and reviews every pull request - catching vulnerabilities before they reach production.
- Full repository scans from the dashboard
- Inline PR reviews with CWE details and fix suggestions
- Auto-blocks PRs with critical vulnerabilities


How It Works
Three simple steps to secure your code.
Connect Your Repo
One click to link your GitHub repository. Public or private - scanning starts immediately.
Get Results in Seconds
6,200+ security rules analyze your code instantly. See exactly which lines are vulnerable and why.
Fix with One Click
AI generates a fix for each vulnerability. Copy-paste the suggestion and ship secure code.
Why VEXLIT?
Stop missing vulnerabilities. Stop wasting time on false positives. Start shipping secure code.
Fewer False Positives
AST-based analysis with taint tracking from source to sink. Sanitizer-aware detection means findings are real and actionable.
Catch What Others Miss
6,200+ rules with interprocedural taint analysis, cross-file tracking, and 55+ sanitizer patterns. OWASP Top 10 fully covered.
Scan in One Click
Connect your GitHub repo and get results in seconds. SARIF output appears directly in your Security tab.
AI That Explains & Fixes
Don't just find vulnerabilities - understand them. AI explains each issue clearly and generates a fix you can copy-paste.
Track Your Progress
See your security posture improve over time with visual trend charts. Know exactly where you stand after every commit.
Free to Get Started
No credit card required. CLI is open-source and free. Use locally, in CI/CD, or through the web dashboard.
Beyond Pattern Matching
Most SAST tools stop at regex. VEXLIT goes deeper with multi-phase analysis that understands your code's actual behavior.
Reachability Analysis
Eliminates false positives from dead code. If a branch can never execute (e.g., if (false)), VEXLIT knows and won't flag it.
Points-to Analysis
Tracks data through collections, maps, and method returns. Knows that map.get("safe_key") is different from map.get(userInput).
Constant Propagation
Traces hardcoded values across assignments and function calls. Won't flag exec("ls") as command injection because the argument is a literal.
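To make the three analyses above concrete, here is an added toy example of the same ideas over Python source. It is not VEXLIT's code (the page does not show its implementation); the sink list, the `input()` source, the `Scanner` class and the `scan()` function are assumptions of this example. It resolves string constants across assignments and concatenation (constant propagation), skips branches guarded by a constant-false test (reachability), and only reports a sink call whose argument is non-constant and derived from a function parameter or `input()` (a minimal taint model). Points-to analysis of collections is not modelled here.

```python
"""Toy multi-phase SAST pass: reachability + constant propagation + simple taint.

Added example; not VEXLIT's implementation. Sink and source names are assumed.
"""
import ast

SINKS = {"os.system", "subprocess.call", "exec", "eval"}   # assumed dangerous calls
SOURCES = {"input"}                                         # assumed untrusted source


def _dotted(func):
    """Return 'os.system' for Attribute chains, 'eval' for plain names, else None."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _dotted(func.value)
        return f"{base}.{func.attr}" if base else None
    return None


def _is_constant_false(test):
    """Reachability: `if False:` / `if 0:` / `if "":` bodies can never execute."""
    return isinstance(test, ast.Constant) and not test.value


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.consts = {}      # name -> resolved string literal (constant propagation env)
        self.tainted = set()  # names known to carry untrusted data
        self.findings = []    # (line number, sink name)

    def visit_FunctionDef(self, node):
        # Parameters are untrusted in this model; scope state is restored on exit.
        saved = (dict(self.consts), set(self.tainted))
        for arg in node.args.args:
            self.tainted.add(arg.arg)
            self.consts.pop(arg.arg, None)
        self.generic_visit(node)
        self.consts, self.tainted = saved

    def visit_If(self, node):
        if _is_constant_false(node.test):
            # Dead branch: analyze only the else-part, never the body.
            for stmt in node.orelse:
                self.visit(stmt)
            return
        self.generic_visit(node)

    def visit_Assign(self, node):
        self.visit(node.value)  # sinks may also appear on the right-hand side
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            value = self._resolve(node.value)
            if value is not None:
                self.consts[target.id] = value      # propagate the literal
                self.tainted.discard(target.id)
            else:
                self.consts.pop(target.id, None)
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)

    def _resolve(self, node):
        """Constant propagation: return the string this expression must equal, or None."""
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            return node.value
        if isinstance(node, ast.Name):
            return self.consts.get(node.id)
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            left, right = self._resolve(node.left), self._resolve(node.right)
            return left + right if left is not None and right is not None else None
        return None

    def _is_tainted(self, node):
        """True if the expression reads a tainted name or calls an untrusted source."""
        for sub in ast.walk(node):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if isinstance(sub, ast.Call) and _dotted(sub.func) in SOURCES:
                return True
        return False

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in SINKS and node.args:
            arg = node.args[0]
            # Literal arguments (exec("ls")) are never reported; unknown ones only when tainted.
            if self._resolve(arg) is None and self._is_tainted(arg):
                self.findings.append((node.lineno, name))
        self.generic_visit(node)


def scan(source):
    """Return [(lineno, sink)] for reachable sink calls with tainted, non-constant input."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample input: only lines 12 and 15 should be reported.
SAMPLE = '''\
import os
import subprocess

def list_dir():
    cmd = "ls -la"
    os.system(cmd)

def run(user_input):
    if False:
        os.system(user_input)
    cmd = "cat " + user_input
    subprocess.call(cmd)

expr = input()
eval(expr)
'''

if __name__ == "__main__":
    for lineno, sink in scan(SAMPLE):
        print(f"line {lineno}: tainted, non-constant argument reaches {sink}")
```

Running the block prints two findings: the `subprocess.call` on line 12 (its argument is built from a parameter) and the `eval` on line 15 (its argument comes from `input()`). The `os.system("ls -la")` in `list_dir` is suppressed by constant propagation, and the `os.system(user_input)` inside `if False:` is suppressed by reachability, which is exactly the false-positive class the three analyses above target.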
Software Composition Analysis
Scans package.json, yarn.lock, and pnpm-lock.yaml for known vulnerable dependencies. Suggests upgrade paths with minimal breaking changes.
Security Rules
Comprehensive coverage across injection, secrets, crypto, and more.
Hardcoded Secrets
VEXLIT-001
SQL Injection
VEXLIT-002
XSS
VEXLIT-003
Prototype Pollution
VEXLIT-010
NoSQL Injection
VEXLIT-011
Path Traversal
VEXLIT-021
Command Injection
VEXLIT-022
JWT Hardcoded Secret
VEXLIT-007
SSRF
VEXLIT-012
Timing Attack
VEXLIT-018
Unsafe Deserialization
VEXLIT-020
Eval Injection
VEXLIT-023
Plus 6,200+ SAST rules and 440+ secret detectors across 34 languages.
Supported Languages
34 languages with taint analysis, sanitizer detection, and cross-function data flow tracking.
Systems
Scripting
Other
Infrastructure & IaC
Accuracy Verified on OWASP & NIST Benchmarks
Measured on industry-standard open benchmarks including OWASP Benchmark and NIST Juliet Test Suite. Every result is independently reproducible.
98% Detection Rate
~2% False Positive Rate
Security Test Cases: 2,740 (OWASP Benchmark) + 6,800+ (NIST Juliet)
What this means for your workflow
98% detection rate on OWASP Benchmark (2,740 cases) and NIST Juliet (6,800+ cases) - verified, not estimated.
~2% false positive rate with reachability analysis and context-aware detection - almost every finding is real and actionable.
Validated on real-world open source projects including WebGoat and NodeGoat.
How we test
Accuracy tested on industry-standard benchmarks. Reproduce results locally with the CLI.
Methodology: Tested on OWASP Benchmark (2,740 cases) and NIST Juliet Test Suite (6,800+ cases) across 11 vulnerability categories. Results independently reproducible via CLI.
Built for your team
For Developers
Find vulnerabilities before merge. Scan your repo or paste code - get results in seconds with AI-generated fixes.
- Clear, actionable findings with AI explanations
- Fix issues in PRs, CI, or your IDE
- Ship faster with confidence - no noise
For Security & Team Leads
Standardize security checks across all repositories. CI/CD integration, SARIF reports, and trend tracking out of the box.
- High-signal results across SAST, SCA, and secrets
- Consistent policies and scan history across repos
- Measurable security posture with trend tracking
Compare with Other Tools
Side-by-side comparison based on Juliet/OWASP benchmark data.
| Feature | VEXLIT | Others |
|---|---|---|
| Free Unlimited Scans | Unlimited | Limited free / paid tiers |
| Cross-file Data Flow Analysis | Cross-file + interprocedural | Single-file focus |
| AI Auto-Fix + PR Generation | Auto-fix + auto PR generation | Fix suggestions only |
| False Positive Rate (Benchmark) | FPR 1.0% (Juliet 6,864 cases) | Not published / tuning needed |
| Language Support | 34 + 6 IaC | 10 to 25 |
| VSCode Real-time + Fix | Real-time + 132 Quick Fixes | Partial support |
| PR Auto-Block + Fix | Auto-block + AI fix commit | Manual review |
| Open Source CLI | MIT License | Closed source |
| DAST Runtime Scanning | 12,000+ checks (Team plan) | Not included or paid add-on |
| REST API | 6 endpoints + API Key auth | Available (varies by plan, often limited) |
| CSV / PDF Export | CSV (6 filters) + PDF report | Basic export or enterprise-only reporting |
| Start Without Credit Card | Instant start | Payment or install required |
Works where you build
Scan in your workflow - not around it. VEXLIT fits into the tools you already use.
CLI
Open-source (MIT). Local scans, CI/CD pipelines, pre-commit hooks.
VSCode
Real-time diagnostics, Quick Fix, hover explanations as you code.
GitHub
PR review comments, Security tab SARIF, auto-block critical PRs.
CI/CD
GitHub Actions, GitLab CI, any pipeline with npx @vexlit/cli.
SARIF / JSON
Standard output for dashboards, ticketing, and compliance workflows.
Web Dashboard
Scan history, trend charts, AI Fix, team visibility.
Secure your code today
Connect your GitHub repository and get a comprehensive security scan in seconds.
Get Started Free