AI News HubLIVE
In-site rewrite6 min read

ZenVeil: Security Scanning for AI-Generated Code

ZenVeil is an AI-native DevSecOps tool that scans code produced by AI coding tools (Copilot, Cursor, Claude) for security vulnerabilities and opens GitHub PRs to fix them in under 30 seconds. It detects secrets, supply chain issues, and OWASP top 10 vulnerabilities, and is specifically tuned for the failure modes of AI-generated code.

SourceHacker News AIAuthor: Rachel28

AI-native DevSecOps · pip install zenveil

AI writes your code. ZenVeil secures it.

Copilot autocompletes hardcoded secrets. Cursor's multi-file edits leave inconsistent auth checks. Claude Code's long sessions pull outdated, vulnerable dependencies. ZenVeil catches what's specific to each in under 30 seconds and opens the fix as a GitHub PR.

Watch a breach

No signup for public repos

Read-only

Code never stored

Results in seconds

zenveil — ai-native security scan

~

$

zenveil scan github myorg/payments-api

Scan complete — 4 findings across 3 scanners

ID

SEVERITY

SCANNER

OWASP

TITLE

LOCATION

ZV-A1B2C3

CRITICAL

secrets

A02:2021

AWS access key exposed

src/config.py:42

ZV-D4E5F6

HIGH

supply_chain

A06:2021

lodash CVE-2021-23337 CVSS 9.1

package.json:12

ZV-G7H8I9

MEDIUM

sast

A03:2021

SQL injection via f-string

api/users.py:127

ZV-J1K2L3

LOW

supply_chain

A06:2021

Unpinned dependency

requirements.txt:3

$

zenveil fix ZV-A1B2C3 --auto-pr --repo myorg/payments-api

✓ Opened PR #47: github.com/myorg/payments-api/pull/47

Rotated key, purged from history, added to .gitignore

Findings

4 critical caught

Time to fix

PR opened · 12s

Scan speed

47 files · 22s

Built for teams using AI coding tools

GitHub Copilot

Cursor

Claude

Tabnine

Python

Node.js

Go

Rust

Ruby

OWASP Top 10

CVE Database

200+ secret patterns

By the numbers

Security that moves at dev speed.

+27% YoY

83%

of devs use AI coding tools

GitHub Octoverse 2024

14

findings

avg per repo scan

secrets · CVEs · OWASP

−90% vs. SAST

>"

// Resolved from env at test setup

GitHub Actions

No built-in scan; depends on whichever workflow you wire in.

Snyk / Semgrep

Catches several common token shapes via their secret rules.

Claude / ChatGPT Review

Reviewer often skims JSON fixtures and lets shape-only matches through.

ZenVeil

Ships rules for AWS, GitHub, Stripe, Slack, JWT, and private-key shapes; flags this as Critical.

Fixture committed with a token shaped like sk_live_…. If real, it is now in git history and may need rotation.

Why AI produces this: Models often pad fixtures with realistic-looking values rather than placeholders. The prefix shape matches a real Stripe secret key.

ZenVeil's suggested fix — opens as a PR

-

"api_key": "sk_live_4eC39HqLyjWDarjtT1zdp7dc"

+

"api_key": ">"

// Resolved from env at test setup

GitHub Actions

No built-in scan; depends on whichever workflow you wire in.

Snyk / Semgrep

Catches several common token shapes via their secret rules.

Claude / ChatGPT Review

Reviewer often skims JSON fixtures and lets shape-only matches through.

ZenVeil

Ships rules for AWS, GitHub, Stripe, Slack, JWT, and private-key shapes; flags this as Critical.

Endpoint resolves a project by id and returns its fields without verifying the caller owns the project. Any authenticated user can read any project.

Why AI produces this: Generators frequently scaffold the data path before the access-control path, and the auth check is the easiest piece to drop on a refactor.

ZenVeil's suggested fix — opens as a PR

-

router.get('/api/projects/:id', getProject)

+

router.get('/api/projects/:id',

+

requireProjectOwner, // authorize before handler

+

getProject)

GitHub Actions

Nothing built in; would require a custom rule per framework.

Snyk / Semgrep

Possible with a hand-written rule per route convention, if already written.

Claude / ChatGPT Review

May catch on a clean PR; reviewer-as-author often misses the same omission it produced.

ZenVeil

Static analysis of route handlers — flags resource-scoped routes that lack an authorization gate.

Auth token is written to localStorage, exposing it to any XSS payload in the page. Recommended pattern is an HttpOnly, Secure cookie.

Why AI produces this: localStorage is the model's default suggestion for token storage in React tutorials; it is also the default attack surface.

ZenVeil's suggested fix — opens as a PR

-

localStorage.setItem('token', token)

+

// Server sets HttpOnly cookie on /login response:

+

// Set-Cookie: session=...; HttpOnly; Secure; SameSite=Lax

GitHub Actions

Not detected without a custom rule.

Snyk / Semgrep

Detectable with a custom rule; not in the default ruleset.

Claude / ChatGPT Review

Sometimes flagged; depends on whether the reviewer is prompted to look for it.

ZenVeil

Ships this rule out of the box; flags localStorage and sessionStorage token writes.

The deployed source map at main.js.map returns HTTP 200 with 127 referenced source files. Attackers can reconstruct the full application source, discover internal routes, and accelerate vulnerability research.

Why AI produces this: Vite and webpack are often scaffolded with sourcemap: true in dev configs that ship unchanged to production. The generated build artifact includes the sourceMappingURL comment, making the map retrievable.

ZenVeil's suggested fix — opens as a PR

// vite.config.ts

-

build: { sourcemap: true }

+

build: { sourcemap: false } // or 'hidden'

GitHub Actions

No built-in check for deployed asset exposure.

Snyk / Semgrep

Snyk focuses on packages, not deployed asset exposure.

Claude / ChatGPT Review

Code review does not check deployed URLs.

ZenVeil

Web-scan mode probes JS assets for adjacent .map files and validates content before flagging.

package.json mixes an internal-looking scope with an unscoped dependency, exposing the install path to a public-registry hijack.

Why AI produces this: Models tend to generate plausible package names without regard for which registry actually owns them, especially on first-time scaffolds.

ZenVeil's suggested fix — opens as a PR

.npmrc — pin scope to internal registry

+

@acme:registry=https://npm.acme.internal/

+

always-auth=true

GitHub Actions

No built-in dependency-confusion check; relies on whatever scanner you call.

Snyk / Semgrep

Snyk surfaces some confusion patterns; Semgrep needs a custom HCL/JSON rule.

Claude / ChatGPT Review

Often passes; the manifest looks syntactically clean.

ZenVeil

Dedicated rule for dependency-confusion patterns in npm, pip, and other manifests.

See all findings in dashboard

How the scan works

🔒

Read-only analysis

Repos are cloned to an ephemeral sandbox. No write access. No persistence.

🚫

Code never stored

Source is deleted after the scan completes. Never used for training.

🔍

Verifiable findings

Each finding includes a file path and line you can confirm against the diff.

🧠

Built for AI-generated code

Detection rules are tuned for the failure modes AI produces at higher frequency.

60 seconds · Sandboxed · First finding free, no signup required Your code is never stored and never used for training.

Enterprise trust

Is your code safe with us? Here's the answer.

You shouldn't need to talk to sales to find out. Here's exactly what happens to your source when ZenVeil scans it.

Your GitHub repo

read-only OAuth scope

Ephemeral scan container

spun up per scan, destroyed after

Findings, in memory

never written to disk

PR opened on your repo

source code never leaves GitHub

SOC 2

Type II in progress

In progress

GDPR ready

Data processing compliant

Verified

Code never stored

Architecture guarantee

Enforced

Read-only tokens

GitHub OAuth scoped

Enforced

DPA available

On request for Enterprise

Available

security.txt

RFC 9116 compliant

Published

Built on

GitHub

Read-only OAuth · PR automation

OSV.dev

CVE & vulnerability data

OWASP Top 10

Vulnerability taxonomy

Product Hunt

Live now

Continuous security posture monitoring active

·

[email protected]

The AI agent trust layer

Every agent writes code differently. Every risk, covered.

A generic "we support AI tools" line is an afterthought. Each agent below has a distinct failure pattern — ZenVeil's rule engine is tuned to catch it specifically.

GitHub Copilot

Highest rate of hardcoded secrets in autocomplete suggestions — caught before the commit, not after.

Cursor

Multi-file agent edits frequently introduce inconsistent auth checks across touched routes.

Claude Code

Long autonomous sessions can pull outdated dependencies from training data — CVE-checked on every PR.

Also covered

OpenAI Codex

Task-runner agents commit directly — ZenVeil gates the branch before merge, not after an incident.

Gemini

Cross-language projects show elevated injection risk at language boundaries — shell, SQL, and template contexts.

Background CI agents

Unattended by design — ZenVeil is the only reviewer some of these commits will ever get.

How it works

From pip install to merged PR

Installed, scanned, explained, and fixed — in one terminal session.

01 Install

No account. No config. One line.

ZenVeil ships as a standard Python package — install it like anything else in your toolchain.

$

pip install zenveil

✓ Installed zenveil-cli

3 free scans/hour, no signup required

See the full step-by-step guide

CI/CD Integration

Drop it into any pipeline.

Add ZenVeil to your GitHub Actions workflow and automatically block PRs that introduce CRITICAL or HIGH severity findings. Security gates that run in seconds, not minutes.

Scans complete in under 30 seconds

Blocks merges on HIGH/CRITICAL findings

Auto-opens fix PRs from CI output

.github/workflows/zenveil.yml

YAML

ZenVeil Security Scan

name: Security Scan

on:

pull_request:

branches: [main]

jobs:

scan:

runs-on: ubuntu-latest

steps:

  • name: Install ZenVeil

run: pip install zenveil

  • name: Login

run: zenveil login ${{ secrets.ZENVEIL_API_KEY }}

  • name: Scan

run: zenveil scan github ${{ github.repository }}

--token ${{ secrets.GITHUB_TOKEN }}

Blocks merge on CRITICAL / HIGH

YAML · 28 lines

Capabilities

Security built for AI-assisted development

AI coding tools write fast and miss security basics. ZenVeil closes the gap — from secret detection to automated PR remediation, across your entire stack.

See a real finding

PR #47 opened · payments-api

AWS_KEY = "AKIA…"

+

AWS_KEY = os.environ[…]

Rotated · Purged · Merged

Auto-fix

Find and fix in one pull request

ZenVeil opens the remediation as a reviewable GitHub PR. From finding to merge, in your existing workflow — no dashboard to babysit, no findings to triage by hand.

3 secrets found

SECRETS FOUND · 3

AWS_ACCESS_KEY

AWS

STRIPE_SECRET_KEY

Stripe

GITHUB_TOKEN

GitHub

200+ patterns

Secret detection

AWS keys, GitHub tokens, JWT secrets, and passwords caught before they reach production. Regex + entropy analysis for near-zero false negatives.

osv.dev lookup · 3 matches

PACKAGE

CVE

CVSS

lodash 4.17.15

CVE-2021-23337

9.1

axios 0.21.1

CVE-2021-3749

7.5

moment 2.29.1

CVE-2022-31129

5.3

CVE lookups

Supply chain security

Floating dependency versions, missing lockfiles, and CVE lookups via OSV.dev. Know exactly what you're shipping before it ships.

explain · suggest fix

AI

EXPLAIN · SUGGEST FIX

The localStorage.setItem('token', …) pattern is an XSS exfiltration vector. Suggested fix: httpOnly cookie via server proxy.

Deterministic + LLM

Built for AI-generated code

Deterministic detection, LLM-assisted remediation. Our rule engine targets patterns AI generates at higher frequency — over-permissive configs, missing input validation, tokens in localStorage.

Early Access Feedback

Real devs. Real findings.

What engineers say after running ZenVeil on their first codebase — from indie makers to security teams shipping into regulated environments.

“ZenVeil caught a hardcoded Stripe secret sitting in our prod codebase for 6 months. Our pentester missed it. One command, 18 seconds — found, fixed, PR opened. It's now step one of our onboarding checklist.”

AM

Aisha M.

Backend Engineer

“I expected 400 noisy false positives. Instead I got 7 real findings with clear explanations and an auto-PR opened for 4 of them. That's genuinely impressive for a CLI tool.”

JP

Jordan P.

Senior Engineer

“Before every investor demo I run ZenV

[truncated for AI cost control]