ZenVeil: Security Scanning for AI-Generated Code
ZenVeil is an AI-native DevSecOps tool that scans code produced by AI coding tools (Copilot, Cursor, Claude) for security vulnerabilities and opens GitHub PRs to fix them in under 30 seconds. It detects secrets, supply chain issues, and OWASP top 10 vulnerabilities, and is specifically tuned for the failure modes of AI-generated code.
AI-native DevSecOps · pip install zenveil
AI writes your code. ZenVeil secures it.
Copilot autocompletes hardcoded secrets. Cursor's multi-file edits leave inconsistent auth checks. Claude Code's long sessions pull outdated, vulnerable dependencies. ZenVeil catches what's specific to each in under 30 seconds and opens the fix as a GitHub PR.
Watch a breach
No signup for public repos
•
Read-only
•
Code never stored
•
Results in seconds
zenveil — ai-native security scan
~
$
zenveil scan github myorg/payments-api
✓
Scan complete — 4 findings across 3 scanners
ID
SEVERITY
SCANNER
OWASP
TITLE
LOCATION
ZV-A1B2C3
CRITICAL
secrets
A02:2021
AWS access key exposed
src/config.py:42
ZV-D4E5F6
HIGH
supply_chain
A06:2021
lodash CVE-2021-23337 CVSS 9.1
package.json:12
ZV-G7H8I9
MEDIUM
sast
A03:2021
SQL injection via f-string
api/users.py:127
ZV-J1K2L3
LOW
supply_chain
A06:2021
Unpinned dependency
requirements.txt:3
$
zenveil fix ZV-A1B2C3 --auto-pr --repo myorg/payments-api
✓ Opened PR #47: github.com/myorg/payments-api/pull/47
Rotated key, purged from history, added to .gitignore
Findings
4 critical caught
Time to fix
PR opened · 12s
Scan speed
47 files · 22s
Built for teams using AI coding tools
GitHub Copilot
Cursor
Claude
Tabnine
Python
Node.js
Go
Rust
Ruby
OWASP Top 10
CVE Database
200+ secret patterns
By the numbers
Security that moves at dev speed.
+27% YoY
83%
of devs use AI coding tools
GitHub Octoverse 2024
14
findings
avg per repo scan
secrets · CVEs · OWASP
−90% vs. SAST
>"
// Resolved from env at test setup
GitHub Actions
No built-in scan; depends on whichever workflow you wire in.
Snyk / Semgrep
Catches several common token shapes via their secret rules.
Claude / ChatGPT Review
Reviewer often skims JSON fixtures and lets shape-only matches through.
ZenVeil
Ships rules for AWS, GitHub, Stripe, Slack, JWT, and private-key shapes; flags this as Critical.
Fixture committed with a token shaped like sk_live_…. If real, it is now in git history and may need rotation.
Why AI produces this: Models often pad fixtures with realistic-looking values rather than placeholders. The prefix shape matches a real Stripe secret key.
ZenVeil's suggested fix — opens as a PR
-
"api_key": "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
+
"api_key": ">"
// Resolved from env at test setup
GitHub Actions
No built-in scan; depends on whichever workflow you wire in.
Snyk / Semgrep
Catches several common token shapes via their secret rules.
Claude / ChatGPT Review
Reviewer often skims JSON fixtures and lets shape-only matches through.
ZenVeil
Ships rules for AWS, GitHub, Stripe, Slack, JWT, and private-key shapes; flags this as Critical.
Endpoint resolves a project by id and returns its fields without verifying the caller owns the project. Any authenticated user can read any project.
Why AI produces this: Generators frequently scaffold the data path before the access-control path, and the auth check is the easiest piece to drop on a refactor.
ZenVeil's suggested fix — opens as a PR
-
router.get('/api/projects/:id', getProject)
+
router.get('/api/projects/:id',
+
requireProjectOwner, // authorize before handler
+
getProject)
GitHub Actions
Nothing built in; would require a custom rule per framework.
Snyk / Semgrep
Possible with a hand-written rule per route convention, if already written.
Claude / ChatGPT Review
May catch on a clean PR; reviewer-as-author often misses the same omission it produced.
ZenVeil
Static analysis of route handlers — flags resource-scoped routes that lack an authorization gate.
Auth token is written to localStorage, exposing it to any XSS payload in the page. Recommended pattern is an HttpOnly, Secure cookie.
Why AI produces this: localStorage is the model's default suggestion for token storage in React tutorials; it is also the default attack surface.
ZenVeil's suggested fix — opens as a PR
-
localStorage.setItem('token', token)
+
// Server sets HttpOnly cookie on /login response:
+
// Set-Cookie: session=...; HttpOnly; Secure; SameSite=Lax
GitHub Actions
Not detected without a custom rule.
Snyk / Semgrep
Detectable with a custom rule; not in the default ruleset.
Claude / ChatGPT Review
Sometimes flagged; depends on whether the reviewer is prompted to look for it.
ZenVeil
Ships this rule out of the box; flags localStorage and sessionStorage token writes.
The deployed source map at main.js.map returns HTTP 200 with 127 referenced source files. Attackers can reconstruct the full application source, discover internal routes, and accelerate vulnerability research.
Why AI produces this: Vite and webpack are often scaffolded with sourcemap: true in dev configs that ship unchanged to production. The generated build artifact includes the sourceMappingURL comment, making the map retrievable.
ZenVeil's suggested fix — opens as a PR
// vite.config.ts
-
build: { sourcemap: true }
+
build: { sourcemap: false } // or 'hidden'
GitHub Actions
No built-in check for deployed asset exposure.
Snyk / Semgrep
Snyk focuses on packages, not deployed asset exposure.
Claude / ChatGPT Review
Code review does not check deployed URLs.
ZenVeil
Web-scan mode probes JS assets for adjacent .map files and validates content before flagging.
package.json mixes an internal-looking scope with an unscoped dependency, exposing the install path to a public-registry hijack.
Why AI produces this: Models tend to generate plausible package names without regard for which registry actually owns them, especially on first-time scaffolds.
ZenVeil's suggested fix — opens as a PR
.npmrc — pin scope to internal registry
+
@acme:registry=https://npm.acme.internal/
+
always-auth=true
GitHub Actions
No built-in dependency-confusion check; relies on whatever scanner you call.
Snyk / Semgrep
Snyk surfaces some confusion patterns; Semgrep needs a custom HCL/JSON rule.
Claude / ChatGPT Review
Often passes; the manifest looks syntactically clean.
ZenVeil
Dedicated rule for dependency-confusion patterns in npm, pip, and other manifests.
See all findings in dashboard
How the scan works
🔒
Read-only analysis
Repos are cloned to an ephemeral sandbox. No write access. No persistence.
🚫
Code never stored
Source is deleted after the scan completes. Never used for training.
🔍
Verifiable findings
Each finding includes a file path and line you can confirm against the diff.
🧠
Built for AI-generated code
Detection rules are tuned for the failure modes AI produces at higher frequency.
60 seconds · Sandboxed · First finding free, no signup required Your code is never stored and never used for training.
Enterprise trust
Is your code safe with us? Here's the answer.
You shouldn't need to talk to sales to find out. Here's exactly what happens to your source when ZenVeil scans it.
Your GitHub repo
read-only OAuth scope
Ephemeral scan container
spun up per scan, destroyed after
Findings, in memory
never written to disk
PR opened on your repo
source code never leaves GitHub
SOC 2
Type II in progress
In progress
GDPR ready
Data processing compliant
Verified
Code never stored
Architecture guarantee
Enforced
Read-only tokens
GitHub OAuth scoped
Enforced
DPA available
On request for Enterprise
Available
security.txt
RFC 9116 compliant
Published
Built on
GitHub
Read-only OAuth · PR automation
OSV.dev
CVE & vulnerability data
OWASP Top 10
Vulnerability taxonomy
Product Hunt
Live now
Continuous security posture monitoring active
·
[email protected]
The AI agent trust layer
Every agent writes code differently. Every risk, covered.
A generic "we support AI tools" line is an afterthought. Each agent below has a distinct failure pattern — ZenVeil's rule engine is tuned to catch it specifically.
GitHub Copilot
Highest rate of hardcoded secrets in autocomplete suggestions — caught before the commit, not after.
Cursor
Multi-file agent edits frequently introduce inconsistent auth checks across touched routes.
Claude Code
Long autonomous sessions can pull outdated dependencies from training data — CVE-checked on every PR.
Also covered
OpenAI Codex
Task-runner agents commit directly — ZenVeil gates the branch before merge, not after an incident.
Gemini
Cross-language projects show elevated injection risk at language boundaries — shell, SQL, and template contexts.
Background CI agents
Unattended by design — ZenVeil is the only reviewer some of these commits will ever get.
How it works
From pip install to merged PR
Installed, scanned, explained, and fixed — in one terminal session.
01 Install
No account. No config. One line.
ZenVeil ships as a standard Python package — install it like anything else in your toolchain.
$
pip install zenveil
✓ Installed zenveil-cli
3 free scans/hour, no signup required
See the full step-by-step guide
CI/CD Integration
Drop it into any pipeline.
Add ZenVeil to your GitHub Actions workflow and automatically block PRs that introduce CRITICAL or HIGH severity findings. Security gates that run in seconds, not minutes.
Scans complete in under 30 seconds
Blocks merges on HIGH/CRITICAL findings
Auto-opens fix PRs from CI output
.github/workflows/zenveil.yml
YAML
ZenVeil Security Scan
name: Security Scan
on:
pull_request:
branches: [main]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Install ZenVeil
run: pip install zenveil
- name: Login
run: zenveil login ${{ secrets.ZENVEIL_API_KEY }}
- name: Scan
run: zenveil scan github ${{ github.repository }}
--token ${{ secrets.GITHUB_TOKEN }}
Blocks merge on CRITICAL / HIGH
YAML · 28 lines
Capabilities
Security built for AI-assisted development
AI coding tools write fast and miss security basics. ZenVeil closes the gap — from secret detection to automated PR remediation, across your entire stack.
See a real finding
PR #47 opened · payments-api
−
AWS_KEY = "AKIA…"
+
AWS_KEY = os.environ[…]
Rotated · Purged · Merged
Auto-fix
Find and fix in one pull request
ZenVeil opens the remediation as a reviewable GitHub PR. From finding to merge, in your existing workflow — no dashboard to babysit, no findings to triage by hand.
3 secrets found
SECRETS FOUND · 3
AWS_ACCESS_KEY
AWS
STRIPE_SECRET_KEY
Stripe
GITHUB_TOKEN
GitHub
200+ patterns
Secret detection
AWS keys, GitHub tokens, JWT secrets, and passwords caught before they reach production. Regex + entropy analysis for near-zero false negatives.
osv.dev lookup · 3 matches
PACKAGE
CVE
CVSS
lodash 4.17.15
CVE-2021-23337
9.1
axios 0.21.1
CVE-2021-3749
7.5
moment 2.29.1
CVE-2022-31129
5.3
CVE lookups
Supply chain security
Floating dependency versions, missing lockfiles, and CVE lookups via OSV.dev. Know exactly what you're shipping before it ships.
explain · suggest fix
AI
EXPLAIN · SUGGEST FIX
The localStorage.setItem('token', …) pattern is an XSS exfiltration vector. Suggested fix: httpOnly cookie via server proxy.
Deterministic + LLM
Built for AI-generated code
Deterministic detection, LLM-assisted remediation. Our rule engine targets patterns AI generates at higher frequency — over-permissive configs, missing input validation, tokens in localStorage.
Early Access Feedback
Real devs. Real findings.
What engineers say after running ZenVeil on their first codebase — from indie makers to security teams shipping into regulated environments.
“ZenVeil caught a hardcoded Stripe secret sitting in our prod codebase for 6 months. Our pentester missed it. One command, 18 seconds — found, fixed, PR opened. It's now step one of our onboarding checklist.”
AM
Aisha M.
Backend Engineer
“I expected 400 noisy false positives. Instead I got 7 real findings with clear explanations and an auto-PR opened for 4 of them. That's genuinely impressive for a CLI tool.”
JP
Jordan P.
Senior Engineer
“Before every investor demo I run ZenV
[truncated for AI cost control]