Security

AI writes fast. Coday makes sure it ships safely.

A managed security gate runs before every deploy. It looks for the vulnerabilities AI-written code most often introduces — and blocks the build when it finds them. No dashboards to wire up. No findings to triage in a separate tool.

01 Coverage

What we check on every deploy.

Seven categories, run in parallel before the build starts. Six are always blocking; dependency CVEs use a conditional gate so the unfixable ones don't dead-end your deploy.

blocking

Secrets

gitleaks

AWS keys, API tokens, private keys, and other credentials accidentally committed to the repo. Blocked at SCANNING — your secret never reaches a built image.

blocking

SQL & Command Injection

semgrep — coday-injection-*

Raw SQL built from request input, Prisma $queryRawUnsafe with interpolation, exec/spawn with user-controlled args. The patterns most often introduced by AI-written code.

blocking

SSRF

semgrep — coday-ssrf-*

fetch / axios calls whose URL comes straight from req.body, req.query, req.params, or req.headers. Blocked before the deploy can become a proxy for internal services.
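As an added illustration (not Coday's code or its semgrep rules), the first handler below is the shape the SSRF check flags: the outbound URL is request input used verbatim. The second parses the input, pins the scheme and checks the host against an allowlist before any fetch; the allowlist, the handler names and the `req.body` shape are assumptions.

```javascript
// Added example, not Coday's code. ALLOWED_HOSTS and req.body.url are assumed.
const ALLOWED_HOSTS = new Set(['api.example.com', 'cdn.example.com']); // constructed

// Flagged pattern: fetch() with a URL taken straight from request input.
// Whatever the caller names, the server will contact, including internal services.
async function vulnerableHandler(req) {
  return fetch(req.body.url);
}

// Turn untrusted input into a URL the server is willing to contact.
// Returns the normalised URL string, or null when the request must be refused.
function resolveOutboundUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== 'https:') return null;       // no http:, file:, etc.
  if (url.username || url.password) return null;   // no embedded credentials
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // exact hostname match only
  return url.toString();
}

// Hardened form: validate first, then fetch without following redirects,
// so a redirect cannot move the request off the allowlist.
async function hardenedHandler(req) {
  const target = resolveOutboundUrl(req.body.url);
  if (target === null) {
    return { status: 400, body: 'unsupported target' };
  }
  return fetch(target, { redirect: 'manual' });
}
```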

blocking

XSS

semgrep — coday-react-* / coday-dom-* / coday-eval-*

dangerouslySetInnerHTML, raw innerHTML writes, eval, new Function — every common DOM/React injection sink. Overridable per finding from the dashboard if you confirm the use is safe.

blocking

Auth-bypass / missing checks

semgrep — coday-auth-*

Next.js API route handlers exported without any session/auth call in scope. Whitelist covers better-auth, NextAuth, Clerk, and Coday-internal helpers; intentional public endpoints can be marked with a one-line opt-out.

blocking

Env leak

semgrep — coday-env-*

process.env values written to console, returned in API responses, or embedded in thrown errors. Stops the slow leak that turns into a secret rotation incident.

conditional

Dependency CVEs

pnpm audit / npm audit

Critical-severity advisories with a published patched version block the deploy. High/medium advisories — or critical advisories with no fix available — surface as warnings on the dashboard so you can decide.

02 Flow

How the gate works.

01 Push
A git push to your default branch — or a manual redeploy from the dashboard.

02 Clone
Coday clones the repo into an ephemeral build environment.

03 Scan
gitleaks + semgrep + dependency audit run in parallel against the source.

04 Decide
Findings classified BLOCK or WARN. One blocking finding fails the deploy.

05 Ship or stop
WARN-only → build, deploy, HTTPS. BLOCK → deploy FAILED, finding details on the dashboard.

When a deploy is blocked, the dashboard's Security tab lists every finding: rule, file, line, severity, and remediation. Acknowledge a finding to downgrade it to a warning on the next deploy — the audit trail (who/why/when) stays in the database.
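A minimal model of the Decide step, added here as an example and not Coday's own code: the six always-blocking categories BLOCK unless the exact finding was acknowledged on the dashboard, dependency advisories BLOCK only when critical and a patched version exists, and one BLOCK fails the run. Field names, rule ids, paths and package names are assumptions or constructed placeholders.

```javascript
// Added example, not Coday's code. Field names are assumed.
const BLOCKING_CATEGORIES = new Set([
  'secrets', 'injection', 'ssrf', 'xss', 'auth-bypass', 'env-leak',
]);

// One gitleaks/semgrep finding: BLOCK for the six always-blocking categories,
// unless a human acknowledged this exact finding (rule + file + line).
function classifyFinding(finding, acks) {
  if (!BLOCKING_CATEGORIES.has(finding.category)) return 'WARN';
  const fingerprint = `${finding.rule}:${finding.file}:${finding.line}`;
  return acks.has(fingerprint) ? 'WARN' : 'BLOCK';
}

// One dependency advisory under the conditional CVE gate: only a critical
// advisory that actually has a patched version blocks; everything else warns.
function classifyAdvisory(adv) {
  return adv.severity === 'critical' && Boolean(adv.patchedVersion) ? 'BLOCK' : 'WARN';
}

// Whole run: a single BLOCK fails the deploy; WARN-only ships.
function decide({ findings = [], advisories = [], acks = new Set() }) {
  const results = [
    ...findings.map((f) => ({ ...f, verdict: classifyFinding(f, acks) })),
    ...advisories.map((a) => ({ ...a, verdict: classifyAdvisory(a) })),
  ];
  const blocking = results.filter((r) => r.verdict === 'BLOCK');
  return { status: blocking.length > 0 ? 'FAILED' : 'DEPLOY', results, blocking };
}

// Constructed sample run (rule ids, paths and package names are placeholders).
const sampleRun = {
  findings: [
    { category: 'ssrf', rule: 'coday-ssrf-example', file: 'app/api/proxy/route.ts', line: 12 },
    { category: 'xss', rule: 'coday-react-example', file: 'components/Md.tsx', line: 40 },
  ],
  advisories: [
    { package: 'pkg-a', severity: 'critical', patchedVersion: '1.2.3' }, // blocks
    { package: 'pkg-b', severity: 'critical', patchedVersion: null },    // no fix: warns
    { package: 'pkg-c', severity: 'high', patchedVersion: '2.0.0' },     // warns
  ],
  // The XSS finding was acknowledged on a previous deploy, so it is downgraded.
  acks: new Set(['coday-react-example:components/Md.tsx:40']),
};
```

Running `decide(sampleRun)` fails the deploy on two items: the unacknowledged SSRF finding and the critical advisory with a fix available.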
03 OWASP

Where we sit on the OWASP Top 10.

Coday is not a complete OWASP Top 10 audit — that takes runtime testing and human review. The static deploy gate covers the categories with reliable patterns; the table below states plainly what is and is not in scope for everything else.

Item | Name | Coverage | Notes
A01 | Broken Access Control | Partial (infra layer) | Multi-tenant database-per-project isolation + narrow GRANTs prevent cross-tenant access at the data layer. Per-endpoint authorization is the app developer's responsibility — Coday flags missing auth checks via the auth-bypass rule above but does not reason about resource ownership.
A03 | Injection | Blocked at deploy | SQL injection (raw query template, $queryRawUnsafe, string-concat) and OS command injection (exec/spawn with user input) are blocking findings. See the Injection card above.
A05 | Security Misconfiguration | Partial | process.env leakage into logs / responses / errors blocks the deploy. Broader misconfig (CORS, headers, framework defaults) is not in scope for the static gate.
A06 | Vulnerable Components | Conditional (CVE gate) | pnpm/npm audit on every push. Critical-severity advisories with a patched version available block the deploy; everything else surfaces as a warning.
A07 | Identification & Auth Failures | Partial | Missing authentication helpers in Next.js API routes block the deploy. Logic errors (role checks, IDOR, session fixation) are out of reach for a static-pattern scanner.
A10 | SSRF | Blocked at deploy | fetch/axios calls whose URL comes from request input are blocking findings. See the SSRF card above.

Items not shown above (A02 Cryptographic Failures, A04 Insecure Design, A08 Integrity Failures, A09 Logging Failures) are not statically detectable by Coday's gate today. Cryptographic transport (TLS) is enforced at the load balancer.

04 Self-applied

We hold ourselves to it too.

The same scanner that gates your deploy gates ours. If we ship something with a known critical patched CVE — or a hard-coded secret, or an injection sink — our own build fails the same way yours does.

Coday's own codebase: 0 known dependency vulnerabilities at last scan.
pnpm audit: clean

Ship through the gate.

Push a repo and watch the scan run before the build. If anything blocks, the dashboard tells you exactly what and where.