- Sign in with GitHub. Identity is established via Supabase Auth’s GitHub provider.
- Organizations. Repos, scans, findings, triage, and rule settings are shared per organization; invite teammates by email with admin/member roles. Every account starts with a personal organization.
- Connect a GitHub account or organization. A separate GitHub App grants the API read-only access to repo workflows.
- Continuous posture across every repo. One scan per repo, orchestrated client-side with bounded concurrency.
- Monitored repos. Opt a repo in and every push to its default branch triggers an automatic scan via GitHub webhooks — no clicking required.
- New-finding diffing & triage. Findings are tracked across scans by a stable fingerprint: see what’s NEW since the last scan, and dismiss / accept-risk / mark-false-positive findings so posture counts reflect real risk.
- Slack notifications. When an automatic scan of a monitored repo finds new issues, get a message in your channel — quiet otherwise.
- History and trends. Every scan persists to Postgres with row-level security scoped to organization membership.
- Cross-repo insights. A worst-rules ranking across the organization with per-repo drill-downs, plus org-wide CSV/JSON export.
- Deep links back to GitHub. Each finding links to the exact
file:lineon the default branch.
Pages
| Route | What |
|---|---|
/login | GitHub OAuth login via Supabase Auth. |
/connect | Prompts you to install the GitHub App on accounts/orgs. |
/connect/callback | Receives installation_id from GitHub and links it to the signed-in user. |
/dashboard | Aggregate posture, donut by severity, trend chart, “scan all” button. |
/repositories | All connected repos with per-repo severity counts. Search by name, filter findings by severity (counts narrow to the chosen level), sort, and toggle monitoring per repo. |
/repositories/:id | Per-repo finding list, an Attacker Mind card with this repo’s toxic combinations, plus a card to override rule settings for this repo. An Export button (enabled once the repo has been scanned) downloads the latest results as JSON (findings + toxic combinations, matching the CLI’s -o json) or CSV (findings only). |
/attacker-mind | Cross-repo toxic combinations. Search by name, filter by criticality, and sort. |
/insights | Worst-rules ranking across the organization (triage-aware), with per-repo drill-down and org-wide CSV/JSON export. |
/landscape | Owner-only OSS Posture Survey — upload a survey JSON (from the survey CLI) and explore findings + Attacker Mind for open-source repos. Search by name, filter findings by severity and combinations by criticality, and sort. The file is parsed in your browser; nothing is uploaded. |
/rules | Per-user rule settings — disable rules you don’t care about globally or per repository. |
/settings | Organization members & invites, plus account settings — Slack notifications for new findings on monitored repos. |
Data flow
git clone happens server-side — the API pulls workflow YAML via the GitHub Git Trees/Blobs API and scans the bytes in memory. Each per-repo request fits comfortably in a serverless time budget.
Read/write split around RLS
The React app reads from Postgres directly through supabase-js. Every table has row-level security scoped to organization membership, so users can only see rows of organizations they belong to even though they’re hitting Postgres directly with their JWT.
Next
GitHub setup
Connect a GitHub account or org so the dashboard can scan its workflows.
Rule settings
Disable rules you don’t care about — globally or per repository.
API reference
The HTTP endpoints under
/api/* if you want to drive scans programmatically.