Integrations
Connect Code Corgi with GitHub, GitLab, Bitbucket, Slack, and companion security tools.
Integrations
GitHub
Code Corgi integrates with GitHub as a GitHub App.
Install
- Go to Settings → Install Code Corgi in the dashboard
- Click Install on GitHub
- Grant access to the repositories you want to protect
- Code Corgi will immediately begin scanning new pull requests
What it does
After installation, Code Corgi registers a webhook on your repositories for pull_request events. When a PR is opened or updated:
- The diff is fetched via the GitHub API
- A scan job is queued and processed (typically under 5 seconds)
- A check run is posted to the PR with results
- If findings are detected, the check run fails and a summary comment is posted
Required permissions
| Permission | Reason |
|---|---|
pull_requests: read | Fetch PR diffs |
checks: write | Post check run results |
statuses: write | Post commit status (fallback) |
contents: read | Read phantomcorgi.yaml configuration file |
Code Corgi never requests write access to your code.
GitLab
GitLab integration uses a GitLab webhook + pipeline status API.
Install
- In your GitLab project, go to Settings → Webhooks
- Add your Code Corgi webhook URL (found in Settings → Integrations in the dashboard)
- Select the Merge request events trigger
- Copy your project’s access token into the Code Corgi dashboard
Code Corgi will post findings as pipeline status checks on merge requests.
Bitbucket Cloud
- In Bitbucket, go to Repository settings → Webhooks → Add webhook
- Use the Code Corgi webhook URL from the dashboard
- Select Pull Request: Created and Pull Request: Updated triggers
- Add the repository access token in the dashboard
Slack
Receive real-time alerts when high-severity findings are detected.
Setup
- Go to Settings → Notifications → Slack in the dashboard
- Click Connect Slack and authorise the Code Corgi Slack app
- Choose the channel to post to
- Select the minimum severity for alerts (default:
high)
Alert format
🔴 Code Corgi — High severity finding
Repository: acme/backend
PR #142: feat/auth-refactor
Rule: bidi_override
File: src/auth/middleware.ts:42
Description: Bidirectional override character detected in identifier
→ View finding
CI/CD (generic webhook)
Any CI/CD system that supports outbound webhooks can trigger Code Corgi scans via the REST API. See the API Reference for the POST /v1/scans endpoint.
Example GitHub Actions step:
- name: Trigger Code Corgi scan
run: |
curl -s -X POST https://api.phantomcorgi.com/v1/scans \
-H "Authorization: Bearer ${{ secrets.PHANTOMCORGI_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{
"repository": "${{ github.repository }}",
"pr_number": ${{ github.event.pull_request.number }},
"commit_sha": "${{ github.sha }}"
}'
Calendar Sentry
Calendar Sentry (powered by PhantomCorgi) is a Node.js security patch from the same team that protects AI assistants from prompt injection attacks delivered through external inputs — calendar invitations, emails, documents, and other content the AI reads on behalf of users.
Why they complement each other
Code Corgi protects your source code from attacks that hide in the characters of your codebase. Calendar Sentry protects the AI tools your developers use from attacks that hide in the data those tools consume.
Both attack vectors exploit the same fundamental gap: the space between what something looks like and what it does. Attackers who can’t get malicious code past Code Corgi may instead try to compromise developer AI tools via prompt injection — Calendar Sentry closes that second vector.
What Calendar Sentry does
The framework intercepts external inputs before they reach any AI tool and applies:
- Input sanitisation — strips XSS, SQL injection, path traversal, and prompt injection patterns
- JWT + API key security — replaces weak token implementations with
jsonwebtoken+ AES-256 encrypted key storage - Security middleware — CSRF protection, rate limiting, CORS validation, security headers
- Threat detection — real-time analysis with configurable severity thresholds
JavaScript and Python SDKs are available:
const SecurityPatchAPI = require('@phantomcorgi/calendar-sentry');
const api = new SecurityPatchAPI({ apiKey: 'your-key' });
const result = await api.security.test({ input: externalContent, userId: 'u1' });
if (result.securityScore < 0.8) {
// Block before passing to AI
}
Integration with Code Corgi
Both tools share a compatible webhook event format:
{
"source": "Calendar Sentry",
"event": "injection_detected",
"input_source": "calendar_event",
"payload_type": "instruction_override",
"severity": "high",
"timestamp": "2026-03-10T09:15:00Z"
}
Route events from both tools to a single SIEM or Slack channel for unified visibility.
GitHub: github.com/PhantomCorgi-Inc/phantomcorgi
API Phantom
API Phantom (powered by API Phantom) is a companion security framework that addresses the full range of vulnerabilities common in AI-generated (vibe-coded) Node.js applications — from hardcoded secrets and weak auth to missing compliance controls.
Why they complement each other
Code Corgi catches security issues in code before it merges. API Phantom protects applications at runtime. Running both creates defence in depth across the entire software lifecycle.
| Stage | Tool | What it catches |
|---|---|---|
| Pull request | Code Corgi | Unicode attacks, homoglyphs, hardcoded secrets in diffs |
| Runtime | API Phantom | Injection attacks, auth bypass, compliance violations |
A secret that slips through a pre-commit hook is caught by Code Corgi at PR time. A vulnerability that ships despite review is mitigated at runtime by the security middleware.
Quick start
npm install @phantomcorgi/api-phantom
const express = require('express');
const { SecurityManager } = require('@phantomcorgi/api-phantom');
const app = express();
const securityManager = new SecurityManager({
secrets: { vaultPath: '.vault' },
auth: { secretKey: process.env.JWT_SECRET }
});
app.use(securityManager.createExpressMiddleware());
Scan any existing codebase
npx vibecoded-security-scan
npx vibecoded-security-scan --dir ./src --report security-report.json
The scanner detects hardcoded secrets, SQL injection, XSS, authentication weaknesses, input validation gaps, and dependency vulnerabilities.
Compliance automation
const { ComplianceManager } = require('@phantomcorgi/api-phantom');
const compliance = new ComplianceManager({ standards: ['PCI_DSS', 'GDPR', 'SOC2'] });
const audit = await compliance.runComplianceAudit();
// { overallScore: 87, violations: [...] }
Supports PCI DSS 4.0, GDPR, SOC2, and HIPAA.