Supply Chain Code Security

Stop supply chain attacks
before they merge.

Code Corgi hooks into your PR workflow and scans every changed file for invisible Unicode characters, look-alike glyphs, and obfuscated malware patterns — before a single line merges.

Unicode codepoints · <200ms webhook response · SOC2 audit-ready
codecorgi scan — PR #4821
codecorgi scan --pr 4821
Fetching diff from GitHub Enterprise...
Scanning 12 files · Layer 1: Unicode
CRITICAL src/auth/token.go:47
U+202E RIGHT-TO-LEFT OVERRIDE in identifier
CRITICAL lib/utils/encode.js:112
Cyrillic 'о' substituted for Latin 'o'
Scanning · Layer 2: Semantic AST
HIGH lib/utils/encode.js:119
eval() call with non-literal argument
✖ 2 critical 1 high → PR blocked
Detection Layers

Three layers. Zero gaps.

Every PR is scanned in parallel across Unicode normalization, homoglyph analysis, and AST semantic patterns — all within your 200ms webhook budget.

Layer 1

Unicode & Invisible Characters

Detects BiDi overrides (U+202E), zero-width joiners, soft hyphens, and all Unicode confusables across every changed line.

Layer 1

Homoglyph Analysis

Cross-script lookalike detection using the full Unicode confusables.txt map — Cyrillic а vs Latin a, Greek ο vs Latin o, and 2,700+ more pairs.
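The two Layer 1 checks above (invisible/BiDi characters and cross-script lookalikes) are easy to reproduce with the Python standard library. The scanner below is an added example, not Code Corgi's code: it walks each changed line, flags every format-category (Cf) codepoint, treating the BiDi override/isolate controls as critical, and flags any identifier whose letters come from more than one script, using the first word of the codepoint's Unicode name as a coarse script label instead of the full confusables.txt map. The sample diff lines are constructed for the example; the Cyrillic letter and the U+202E in them are deliberate.

```python
import re
import unicodedata

# Bidi controls that can reorder how source text is rendered; all are also
# category Cf, so they are caught by the general check but ranked higher.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI RLI FSI PDI
}

IDENT_RE = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier token


def script_of(ch):
    """Coarse script label ('LATIN', 'CYRILLIC', 'GREEK', ...) taken from the
    first word of the codepoint's Unicode name. Assumption: good enough for a
    mixed-script check; a real scanner would use Scripts.txt/confusables.txt."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scan_line(line_no, line):
    """Return findings for one line as (severity, line_no, col, message) tuples."""
    findings = []
    # Layer 1a: invisible / format characters (bidi overrides, ZWJ, ZWSP,
    # soft hyphen, ...). Columns are 1-based to match editor conventions.
    for col, ch in enumerate(line, start=1):
        if ch in BIDI_CONTROLS:
            findings.append(("CRITICAL", line_no, col,
                             f"U+{ord(ch):04X} {unicodedata.name(ch)} (bidi control)"))
        elif unicodedata.category(ch) == "Cf":
            findings.append(("HIGH", line_no, col,
                             f"U+{ord(ch):04X} {unicodedata.name(ch, '?')} (invisible format char)"))
    # Layer 1b: identifiers that mix scripts, the signature of a homoglyph
    # substitution such as Cyrillic 'о' dropped into a Latin name. An
    # identifier written entirely in one non-Latin script is not flagged here.
    for m in IDENT_RE.finditer(line):
        ident = m.group(0)
        scripts = {script_of(c) for c in ident if c.isalpha()}
        if len(scripts) > 1:
            findings.append(("CRITICAL", line_no, m.start() + 1,
                             f"identifier {ident!r} mixes scripts {sorted(scripts)}"))
    return findings


def scan_diff(lines):
    """Scan every changed line of a diff; returns findings in line order."""
    out = []
    for n, line in enumerate(lines, start=1):
        out.extend(scan_line(n, line))
    return out


# Constructed sample diff: line 2 hides a bidi override inside a comment
# opener, line 3 spells 'return' with a Cyrillic 'е' (U+0435).
SAMPLE_DIFF = [
    "func checkAccess(user string) bool {",
    "    isAdmin := false /*\u202e */ return true // innocuous comment",
    "    r\u0435turn isAdmin",
    "}",
]

if __name__ == "__main__":
    for sev, ln, col, msg in scan_diff(SAMPLE_DIFF):
        print(f"{sev:8} line {ln}:{col}  {msg}")
```

Running the block prints one CRITICAL for the U+202E at line 2 and one CRITICAL for the mixed-script identifier at line 3; a plain ASCII line produces nothing. The Cf check also catches a zero-width joiner placed inside a name, which additionally splits the identifier into two tokens in the regex pass.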

Layer 2

Semantic AST Scanning

tree-sitter-powered AST analysis for Go, JavaScript, TypeScript, and Python. Catches eval(), dynamic imports, base64 payloads, and subprocess shell=True.
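The semantic patterns named above (eval() with a non-literal argument, subprocess shell=True, embedded base64 payloads, dynamic imports) can be expressed as queries over a syntax tree. The following is an added example, not Code Corgi's tree-sitter rules: it uses Python's standard `ast` module on Python source as a stand-in for the tree-sitter layer, resolves each call's dotted name, and applies one rule per pattern. The sample source, the 32-character payload threshold and the severities are constructed for the example.

```python
import ast

DANGEROUS_EVALS = {"eval", "exec"}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_output", "subprocess.check_call"}
BASE64_DECODERS = {"base64.b64decode", "base64.decodebytes", "base64.standard_b64decode"}
DYNAMIC_IMPORTS = {"__import__", "importlib.import_module"}
MIN_PAYLOAD_LEN = 32  # assumption: shorter literals are rarely a smuggled payload


def call_name(node):
    """Dotted name of a call target ('subprocess.run', 'eval'); None if not a plain name."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def first_arg(node):
    return node.args[0] if node.args else None


def scan_source(src, filename="<diff>"):
    """Return (severity, line, message) findings for the semantic rules, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(src, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        arg = first_arg(node)
        if name in DANGEROUS_EVALS:
            # A literal argument is still worth a style nit, but a non-literal
            # one means the executed code may be attacker-influenced.
            if arg is not None and not isinstance(arg, ast.Constant):
                findings.append(("HIGH", node.lineno, f"{name}() call with non-literal argument"))
        elif name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append(("HIGH", node.lineno, f"{name}() with shell=True"))
        elif name in BASE64_DECODERS:
            # Decoding a long string literal embedded in the source is the
            # classic shape of an obfuscated payload.
            if isinstance(arg, ast.Constant) and isinstance(arg.value, (str, bytes)) \
                    and len(arg.value) >= MIN_PAYLOAD_LEN:
                findings.append(("MEDIUM", node.lineno,
                                 f"{name}() on an embedded literal payload ({len(arg.value)} chars)"))
        elif name in DYNAMIC_IMPORTS:
            if arg is not None and not isinstance(arg, ast.Constant):
                findings.append(("MEDIUM", node.lineno, f"{name}() with non-literal module name"))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample; the base64 literal decodes to a harmless sentence.
SAMPLE_SOURCE = '''\
import base64, subprocess

def handler(payload):
    cfg = eval(payload["expr"])
    subprocess.run("ls " + payload["dir"], shell=True)
    blob = base64.b64decode("Q29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQgZm9yIHRoZSBleGFtcGxl")
    eval("1 + 1")
    return cfg, blob
'''

if __name__ == "__main__":
    for sev, line, msg in scan_source(SAMPLE_SOURCE):
        print(f"{sev:7} line {line}: {msg}")
```

The sample yields three findings (lines 4, 5 and 6); the `eval("1 + 1")` on line 7 is deliberately left alone because its argument is a literal, which is the distinction the page's "non-literal argument" wording draws.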

Integration

Native VCS Support

GitHub, GitHub Enterprise, GitLab self-hosted, Bitbucket, and Azure DevOps. HMAC webhook verification on every payload.

Infrastructure

Kubernetes-Native & Air-Gap

Full Helm chart with Vault sidecar, KEDA autoscaling, NetworkPolicy, and an air-gap bundle script for isolated environments.

Compliance

SOC2-Ready Audit Trail

PostgreSQL append-only audit log with INSERT-only role enforcement, data residency routing, and GDPR-compliant retention.

Pipeline

How Code Corgi works

01

Connect your VCS

Point your GitHub, GitLab, Bitbucket, or Azure DevOps webhook at Code Corgi. HMAC verification is enforced automatically.
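Both the integration blurb above and this step mention HMAC verification of every webhook payload and a fast 202 hand-off. As an added example (not Code Corgi's implementation), the code below verifies GitHub's `X-Hub-Signature-256` header, which carries `sha256=` followed by the hex HMAC-SHA256 of the raw request body, using a constant-time comparison, then enqueues the scan and returns 202 without doing any scanning inline. The secret, request body and queue are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

HEADER = "X-Hub-Signature-256"


def sign_payload(secret: bytes, body: bytes) -> str:
    """GitHub-style header value: 'sha256=' + hex HMAC-SHA256 over the raw body bytes."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time check of the signature header against the raw body.
    The body must be the exact bytes received; re-serialising parsed JSON
    would change whitespace and break the MAC."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_payload(secret, body), header_value)


def handle_webhook(headers: dict, body: bytes, secret: bytes, enqueue) -> int:
    """Verify first, then hand the PR off to the async scanner and answer 202.
    Returns the HTTP status code the endpoint would send."""
    if not verify_signature(secret, body, headers.get(HEADER)):
        return 401  # unauthenticated payload: never parsed, never queued
    event = json.loads(body)
    enqueue({"pr": event.get("number"), "action": event.get("action")})
    return 202


# Constructed sample: a pull_request "opened" event for PR 4821 and a demo secret.
SECRET = b"constructed-example-webhook-secret"
BODY = json.dumps({"action": "opened", "number": 4821}).encode()


def demo():
    """Run a valid and a tampered delivery through the handler; returns (statuses, queue)."""
    queue = []
    good = {HEADER: sign_payload(SECRET, BODY)}
    tampered_body = BODY.replace(b"4821", b"4822")
    statuses = [
        handle_webhook(good, BODY, SECRET, queue.append),            # 202
        handle_webhook(good, tampered_body, SECRET, queue.append),   # 401: body changed
        handle_webhook({}, BODY, SECRET, queue.append),              # 401: header missing
    ]
    return statuses, queue


if __name__ == "__main__":
    print(demo())
```

Only the correctly signed delivery reaches the queue; a body edited after signing or a delivery with no header is rejected before any JSON is parsed, which is the order you want when the endpoint is exposed to the internet.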

HTTP 202 returned in < 200ms
02

Three-layer async scan

Unicode normalization, homoglyph mapping, and AST semantic analysis run in parallel across every changed file in the PR diff.

p99 < 30s for a 100-file diff
03

Block, warn, or pass

Risk score is compared against your per-org policy thresholds. Findings post as PR status checks, Slack messages, and SIEM events.

Full audit trail in PostgreSQL
Pricing

Simple pricing. No surprises.

Starter
$299 per month
  • Up to 25 repositories
  • Unicode & homoglyph scan
  • AST semantic scanning
  • Basic severity reports
  • 90-day finding history
  • Email support
Most Popular
Growth
$799 per month
  • Up to 100 repositories
  • Full 3-layer detection
  • Slack & webhook alerts
  • REST export API
  • 1-year finding history
  • Custom risk thresholds
  • Anomaly baseline detection
  • Priority support (24h SLA)
Enterprise
Custom pricing (contact us)
  • Unlimited repositories
  • Air-gap / on-premise install
  • HashiCorp Vault integration
  • SSO / SAML / OIDC
  • SOC2 audit export
  • Custom detection rules
  • Dedicated SRE support
Get Started

Ready to secure your PRs?

Drop us a note and we'll get Code Corgi running on your repos within the day.