Skip to main content
The web app wraps the same scan engine the CLI uses, and adds the parts that don’t make sense in a one-shot binary:
  • Sign in with GitHub. Identity is established via Supabase Auth’s GitHub provider.
  • Organizations. Repos, scans, findings, triage, and rule settings are shared per organization; invite teammates by email with admin/member roles. Every account starts with a personal organization.
  • Connect a GitHub account or organization. A separate GitHub App grants the API read-only access to repo workflows.
  • Continuous posture across every repo. One scan per repo, orchestrated client-side with bounded concurrency.
  • Monitored repos. Opt a repo in and every push to its default branch triggers an automatic scan via GitHub webhooks — no clicking required.
  • New-finding diffing & triage. Findings are tracked across scans by a stable fingerprint: see what’s NEW since the last scan, and dismiss / accept-risk / mark-false-positive findings so posture counts reflect real risk.
  • Slack notifications. When an automatic scan of a monitored repo finds new issues, get a message in your channel — quiet otherwise.
  • History and trends. Every scan persists to Postgres with row-level security scoped to organization membership.
  • Cross-repo insights. A worst-rules ranking across the organization with per-repo drill-downs, plus org-wide CSV/JSON export.
  • Deep links back to GitHub. Each finding links to the exact file:line on the default branch.

Pages

RouteWhat
/loginGitHub OAuth login via Supabase Auth.
/connectPrompts you to install the GitHub App on accounts/orgs.
/connect/callbackReceives installation_id from GitHub and links it to the signed-in user.
/dashboardAggregate posture, donut by severity, trend chart, “scan all” button.
/repositoriesAll connected repos with per-repo severity counts. Search by name, filter findings by severity (counts narrow to the chosen level), sort, and toggle monitoring per repo.
/repositories/:idPer-repo finding list, an Attacker Mind card with this repo’s toxic combinations, plus a card to override rule settings for this repo. An Export button (enabled once the repo has been scanned) downloads the latest results as JSON (findings + toxic combinations, matching the CLI’s -o json) or CSV (findings only).
/attacker-mindCross-repo toxic combinations. Search by name, filter by criticality, and sort.
/insightsWorst-rules ranking across the organization (triage-aware), with per-repo drill-down and org-wide CSV/JSON export.
/landscapeOwner-only OSS Posture Survey — upload a survey JSON (from the survey CLI) and explore findings + Attacker Mind for open-source repos. Search by name, filter findings by severity and combinations by criticality, and sort. The file is parsed in your browser; nothing is uploaded.
/rulesPer-user rule settings — disable rules you don’t care about globally or per repository.
/settingsOrganization members & invites, plus account settings — Slack notifications for new findings on monitored repos.

Data flow

You click "Scan all"
  → SPA loops repos with bounded concurrency
    → POST /api/scan { repo_id } (one request per repo)
      → Go API fetches .github/workflows/* via GitHub API
      → scanner.ScanBytes(name, content)        ←── same engine as CLI
      → write scan + findings to Postgres (pgx, service role)
    → response includes severity counts + scan_id
  → SPA updates posture donut + trend line live
No git clone happens server-side — the API pulls workflow YAML via the GitHub Git Trees/Blobs API and scans the bytes in memory. Each per-repo request fits comfortably in a serverless time budget.

Read/write split around RLS

The React app reads from Postgres directly through supabase-js. Every table has row-level security scoped to organization membership, so users can only see rows of organizations they belong to even though they’re hitting Postgres directly with their JWT.
The Go API only does the privileged work — minting GitHub installation tokens, fetching workflow YAML, scanning, and writing scans + findings via pgx as the service role (which bypasses RLS).

Next

GitHub setup

Connect a GitHub account or org so the dashboard can scan its workflows.

Rule settings

Disable rules you don’t care about — globally or per repository.

API reference

The HTTP endpoints under /api/* if you want to drive scans programmatically.