VEXLIT integrates directly with GitHub - scanning repositories, annotating PRs with inline vulnerability comments, and uploading SARIF to your Security tab. One click to connect, zero config.
Teams merge dozens of PRs daily. Manual security reviews create bottlenecks, and critical vulnerabilities slip through when reviewers are overwhelmed.
100%
of PRs get automatic security review
< 30s
from PR open to security annotations
0
configuration files needed
name: Security
on: [pull_request]
permissions:
  contents: read
  security-events: write   # upload-sarif needs this to write to the Security tab
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: VEXLIT Scan
        run: npx @vexlit/cli scan . --format sarif -o results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

## VEXLIT Security Report

| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 5 |
| Medium | 12 |

> Line 45: SQL Injection (CWE-89)
> User input flows into query without parameterization
Link your GitHub repository with one click. No configuration files, no setup scripts - just OAuth authorization.
Every pull request triggers a security scan. New and modified files are analyzed for vulnerabilities in real-time.
Vulnerable lines get inline comments with CWE details, severity, and AI-suggested fixes. Reviewers see issues in context.
Results upload to GitHub's Security tab automatically. Track all findings in one place with native GitHub integration.
VEXLIT integrates seamlessly with the tools your team already uses.
GitHub
GitLab
Bitbucket
Jenkins
VSCode
Reviewers spot security issues directly in the diff view - no context switching. Each vulnerable line shows CWE details and a suggested fix inline.
SARIF results flow into GitHub's Security tab automatically. One place for all findings - no extra dashboards to check.
Know your security posture at a glance. Vulnerability trends across commits show whether you're improving or regressing.
Set policies once, enforce forever. PRs with critical vulnerabilities are blocked automatically - your main branch stays clean.
VEXLIT becomes a required status check. No vulnerable code enters protected branches, period.
Track your security score over time. See exactly which categories improve and where to focus next.
“I built VEXLIT because every scanner I tried was either drowning me in false positives or missing real vulnerabilities. I wanted a tool that actually traces data flow - not just regex matching. So I built a taint analysis engine, verified it against industry benchmarks, and made the CLI free for everyone.”
Jihoon
Creator of VEXLIT
We use VEXLIT to scan VEXLIT's own codebase. Every commit runs through the same engine you use.
98.2%
True Positive Rate
< 2%
False Positive Rate
6,200+
Security Rules
34
Languages
Independently tested
Verified on OWASP Benchmark (2,740 cases) & Juliet Test Suite (6,864 cases)
Validated on real-world open source projects including WebGoat and NodeGoat.
VEXLIT detects security issues in your PR diff and annotates vulnerable lines directly.
// Before (flagged): req.params.id is interpolated straight into the SQL text
app.get('/api/user/:id', (req, res) => {
  const userId = req.params.id;
  const query = `SELECT * FROM users
                 WHERE id = '${userId}'`;
  db.query(query, (err, rows) => {
    res.json(rows);
  });
});

// After (suggested fix): the value travels as a bound parameter, never as SQL
app.get('/api/user/:id', (req, res) => {
  const userId = req.params.id;
  const query = 'SELECT * FROM users WHERE id = ?';
  db.query(query, [userId], (err, rows) => {
    if (err) return res.status(500).json({ error: 'query failed' });
    res.json(rows);
  });
});

User input 'req.params.id' flows directly into the SQL query without parameterization.
| Feature | VEXLIT | CodeQL | Manual Review |
|---|---|---|---|
| Setup Time | < 30 seconds | ~30 minutes | N/A |
| Scan Speed | < 10 seconds | 5-30 minutes | Hours |
| Language Support | 34 languages | 9 languages | Varies |
| AI Fix Suggestions | Yes | | |
| PR Inline Annotations | Yes | | |
| Zero Configuration | Yes | | |
Sign in with GitHub OAuth on the VEXLIT dashboard, then select which repositories to scan. No configuration files needed - scanning starts automatically on the next PR.
VEXLIT only reads file contents during active scans and does not store your source code. All analysis happens in real-time and results are stored as vulnerability metadata only.
Yes. VEXLIT supports both public and private repositories. The GitHub OAuth integration requests only the minimum permissions needed for scanning.
GitHub's Dependabot covers dependency vulnerabilities only. VEXLIT adds SAST (static analysis), secret detection, and SCA, with support for 34 languages and AI-powered fix suggestions.
Yes. You can set severity thresholds (critical, high, medium, low) per repository or branch. Only findings above your threshold will block the merge.
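The required status check and the per-repository severity thresholds described above both reduce to one decision: read the scan's SARIF results and fail the check if anything at or above the threshold is present. The following is an added example, not VEXLIT's own code or CLI, showing how such a gate can be implemented over a SARIF 2.1.0 log like the `results.sarif` the workflow writes. It follows GitHub code scanning's convention of bucketing a rule's `security-severity` score (9.0 and up is critical, 7.0 and up high, 4.0 and up medium, anything lower low) and falls back on the SARIF `level` for rules that carry no score. The rule IDs, file paths, scores and messages in `SAMPLE_SARIF` are constructed for the example.

```javascript
// Added example (not VEXLIT's code): a merge gate over a SARIF 2.1.0 log.
// Buckets each finding into a severity, counts them, and decides whether the PR
// should be blocked under a configured threshold. All sample data is constructed.

const SEVERITIES = ['low', 'medium', 'high', 'critical'];

// GitHub code scanning stores a rule's security-severity as a 0-10 score (string)
// and buckets it: >= 9.0 critical, >= 7.0 high, >= 4.0 medium, otherwise low.
function bucketFromScore(score) {
  const n = Number(score);
  if (score === undefined || !Number.isFinite(n)) return null;
  if (n >= 9.0) return 'critical';
  if (n >= 7.0) return 'high';
  if (n >= 4.0) return 'medium';
  return 'low';
}

// Fallback for rules without a score: map the SARIF `level` instead.
function bucketFromLevel(level) {
  switch (level) {
    case 'error': return 'high';
    case 'warning': return 'medium';
    default: return 'low'; // 'note', 'none' or missing
  }
}

// ruleId -> rule lookup for one run (rules live under tool.driver.rules).
function indexRules(run) {
  const rules = (run.tool && run.tool.driver && run.tool.driver.rules) || [];
  return new Map(rules.map((r) => [r.id, r]));
}

// Severity of one result: rule score first, then the result's explicit level,
// then the rule's defaultConfiguration.level, then 'warning' (the SARIF default).
function severityOf(result, ruleIndex) {
  const rule = ruleIndex.get(result.ruleId);
  const scored = rule && rule.properties && bucketFromScore(rule.properties['security-severity']);
  if (scored) return scored;
  const level = result.level
    || (rule && rule.defaultConfiguration && rule.defaultConfiguration.level)
    || 'warning';
  return bucketFromLevel(level);
}

// Count findings per severity across every run in the log.
function countBySeverity(sarif) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const run of sarif.runs || []) {
    const ruleIndex = indexRules(run);
    for (const result of run.results || []) {
      counts[severityOf(result, ruleIndex)] += 1;
    }
  }
  return counts;
}

// Block the merge if any finding sits at or above the threshold severity.
function shouldBlock(sarif, threshold) {
  const floor = SEVERITIES.indexOf(threshold);
  if (floor < 0) throw new Error(`unknown threshold: ${threshold}`);
  const counts = countBySeverity(sarif);
  return SEVERITIES.slice(floor).some((s) => counts[s] > 0);
}

// Render the same Severity/Count table shape the PR comment uses.
function renderReport(sarif) {
  const counts = countBySeverity(sarif);
  const rows = ['critical', 'high', 'medium', 'low']
    .filter((s) => counts[s] > 0)
    .map((s) => `| ${s[0].toUpperCase() + s.slice(1)} | ${counts[s]} |`);
  return ['## VEXLIT Security Report', '', '| Severity | Count |', '|----------|-------|', ...rows].join('\n');
}

// Constructed SARIF log: two rules with GitHub-style scores, one without.
const SAMPLE_SARIF = {
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'vexlit', rules: [
      { id: 'js/sql-injection', properties: { 'security-severity': '9.8' } },
      { id: 'js/hardcoded-secret', properties: { 'security-severity': '7.5' } },
      { id: 'js/missing-rate-limit', defaultConfiguration: { level: 'warning' } },
    ] } },
    results: [
      { ruleId: 'js/sql-injection', level: 'error',
        message: { text: 'User input flows into query without parameterization' },
        locations: [{ physicalLocation: { artifactLocation: { uri: 'src/api/user.js' }, region: { startLine: 45 } } }] },
      { ruleId: 'js/sql-injection', level: 'error',
        message: { text: 'User input flows into query without parameterization' },
        locations: [{ physicalLocation: { artifactLocation: { uri: 'src/api/search.js' }, region: { startLine: 12 } } }] },
      { ruleId: 'js/hardcoded-secret', level: 'warning', message: { text: 'Credential literal in source' } },
      { ruleId: 'js/missing-rate-limit', message: { text: 'Login endpoint has no rate limit' } },
    ],
  }],
};

console.log(renderReport(SAMPLE_SARIF));
console.log(shouldBlock(SAMPLE_SARIF, 'critical') ? 'BLOCK' : 'PASS');
```

Run as a workflow step after the scan, a non-zero exit from `shouldBlock` is what turns the required status check red; in practice the threshold would come from the repository's policy rather than a literal, and the rendered table can be posted as the PR comment body.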
Start securing your code today - free to use and ready in seconds.