Frequently Asked Questions

Everything you need to know

Common questions from security buyers — covering data privacy, AI reliability, GitHub integration, and how Orbis AppSec compares to traditional security tools.

Data Privacy

Is my source code stored or used to train AI models?

No. Code is analyzed in ephemeral, isolated environments and is never stored persistently or used to train Orbis AppSec's AI models. Each analysis job runs in a sandboxed container that is torn down immediately after the scan completes. Only the finding summary and fix diff are persisted — never raw source code.

What happens to secrets or credentials found in my code?

Orbis AppSec does not log or store raw secret values. When a secret pattern is detected, the finding records the file location and pattern type (for example, "AWS access key in config.py") but redacts the actual value. Findings are stored in encrypted storage and are only accessible to authenticated members of your organization.
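A minimal illustration of the redaction behaviour described above, added here as example code rather than Orbis AppSec's own implementation: the finding keeps the file location and pattern type and a masked preview, never the raw value. The regexes, the Finding structure and the sample config are assumptions; the key in the sample is AWS's published documentation example, not a live credential.

```python
import re
from dataclasses import dataclass

# Hypothetical secret patterns keyed by a human-readable type label. The page
# names "AWS access key" as a pattern type; the regexes themselves are assumed.
SECRET_PATTERNS = {
    "AWS access key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    pattern_type: str
    redacted: str  # masked preview only; the raw match is never stored


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a reviewer can locate the credential; mask the rest."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per secret match; the raw value is discarded immediately."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern_type, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, pattern_type, redact(m.group(0))))
    return findings


def summarize(f: Finding) -> str:
    """Finding text in the style the FAQ describes: type and location, no secret."""
    return f"{f.pattern_type} in {f.path}:{f.line} ({f.redacted})"


# Constructed sample input; the key is AWS's documentation example, not a real credential.
SAMPLE_CONFIG = """\
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_HOST = "localhost"
"""

if __name__ == "__main__":
    for finding in scan_text("config.py", SAMPLE_CONFIG):
        print(summarize(finding))
```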

How does Orbis AppSec map to compliance frameworks?

Orbis AppSec findings are mapped to CWE identifiers, OWASP Top 10, and CVE references where applicable. This makes it straightforward to demonstrate coverage under SOC 2, PCI DSS, HIPAA, and ISO 27001 security controls without manual cross-referencing.

Who can access my scan results and fix PRs?

Only users you authorize via your GitHub organization. Orbis AppSec uses GitHub's native permission model — scan results are associated with your repository and are only visible to repository members with appropriate access levels.

AI Reliability

How does Orbis AppSec ensure a fix doesn't break production?

Every fix ships as a GitHub pull request — never auto-merged. Developers review the before/after diff, the AI-generated explanation, and references to the relevant CWE before deciding to merge. Your existing CI pipeline (tests, linting, type checks) runs on the fix PR just like any other PR, so any regression is caught before merge.

How accurate is Orbis AppSec — what is the false positive rate?

Orbis AppSec achieves roughly a 90% reduction in false positives compared to rule-only scanners. Before flagging an issue, the AI validates that a code path is actually reachable with attacker-controlled input and generates a plain-English explanation of why the finding is real. If the AI is not confident a finding is exploitable, it is suppressed rather than surfaced.

What languages and frameworks are supported?

Python, JavaScript, TypeScript, Go, Java, C, C++, Ruby, PHP, and Rust are supported for static analysis (SAST). Dependency scanning (SCA) covers npm, pip, Maven, Go modules, Composer, and Bundler. Language coverage is continuously expanded.

Can I trust the AI-generated fix code?

Fixes are generated using patterns validated against thousands of real-world vulnerability remediation examples. Each fix is scoped to the minimum change required — Orbis AppSec does not refactor surrounding code or make stylistic changes. The PR description includes a full explanation so you can evaluate the fix before merging.

GitHub Integration

What GitHub permissions does the Orbis AppSec GitHub App require?

Orbis AppSec requires: read access to repository contents (to scan code), read/write access to pull requests (to open fix PRs and post comments), and read/write access to checks (to post scan status). It does not require admin access, secrets access, or organization-level permissions beyond what is needed for the selected repositories.

Does Orbis AppSec get access to all my repositories?

No. When you install the GitHub App, you explicitly select which repositories to grant access to. You can limit installation to a single repository or a subset, and you can revoke access at any time from GitHub's App settings — no action required on the Orbis AppSec side.

How long does setup take?

Under 2 minutes. Install the GitHub App from the Orbis AppSec dashboard, select the repositories to enable, and the first scan runs automatically on the next push or pull request event. No configuration files, no YAML pipelines, no API keys to manage.

Is Orbis AppSec free?

Orbis AppSec is free for public repositories with no usage limits. For private repositories, a paid plan is required. There is no per-seat pricing for small teams.

Comparison vs. Traditional SAST

How is Orbis AppSec different from Semgrep or CodeQL?

Semgrep and CodeQL are detection tools — they find vulnerabilities and report them. Orbis AppSec starts there and goes further: it generates a production-ready fix and opens a GitHub PR automatically. You also don't need to write or maintain custom rules; Orbis AppSec uses AI context to reason about each finding rather than pattern-matching against a fixed rule set.

Does Orbis AppSec replace Semgrep?

Partially. Semgrep has a rich ecosystem of custom rules that security teams write and maintain for proprietary patterns. If your team relies on custom Semgrep rules for domain-specific checks, those continue to make sense alongside Orbis AppSec. Where Orbis AppSec replaces Semgrep is in the remediation workflow: instead of reading a finding and manually writing a fix, Orbis AppSec opens the fix PR for you.

Does Orbis AppSec do dependency scanning (SCA) as well as code analysis (SAST)?

Yes. Orbis AppSec combines SAST (static analysis of your code) with SCA (software composition analysis of your dependencies). When a known CVE is found in a dependency, Orbis AppSec generates an upgrade recommendation and opens a PR with the safe version — with AI context on whether the CVE is actually exploitable in your code path.

Can Orbis AppSec work alongside our existing SAST tools?

Yes. Orbis AppSec is additive — it can run in parallel with Semgrep, CodeQL, or Snyk. The primary value is in remediation: existing tools surface findings that developers then have to research and fix manually. Orbis AppSec closes that loop automatically. Many teams run Orbis AppSec alongside their existing scanner, letting the scanner set policy and Orbis AppSec provide the fixes.

Ready to secure your code?

Join thousands of developers who trust Orbis AppSec to find and fix vulnerabilities before they become problems. Get started in under 2 minutes.

Free for public repos. No credit card required. Setup in 2 minutes.