Common questions from security buyers — covering data privacy, AI reliability, GitHub integration, and how Orbis AppSec compares to traditional security tools.
No. Code is analyzed in ephemeral, isolated environments and is never stored persistently or used to train Orbis AppSec's AI models. Each analysis job runs in a sandboxed container that is torn down as soon as the scan completes. Only the finding summary and the fix diff are persisted, never the full source tree. Note that a diff by its nature contains the lines it changes, so those code fragments are retained alongside the finding.
Orbis AppSec does not log or store raw secret values. When a secret pattern is detected, the finding records the file location and pattern type (for example, "AWS access key in config.py") but redacts the actual value. Findings are stored in encrypted storage and are only accessible to authenticated members of your organization.
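The redaction rule above is worth seeing in working form. The following is an added example, not Orbis AppSec's detector: a small secret scanner whose persisted finding record has no field for the matched value at all, plus a self-check that re-runs the patterns and confirms no raw value appears in the serialized output. The patterns and the sample repository are constructed for illustration (the AWS key is the placeholder from AWS's own documentation).

```python
import json
import re
from dataclasses import dataclass, asdict

# Constructed detector patterns for illustration; not Orbis AppSec's rule set.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "PEM private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class SecretFinding:
    """What gets persisted: location and pattern type only.

    There is deliberately no field for the matched text, so the record
    cannot leak the secret even if it is logged or exported verbatim.
    """
    path: str
    line: int
    pattern: str

    def summary(self) -> str:
        # Same shape as the "AWS access key in config.py" style of message.
        return f"{self.pattern} in {self.path}:{self.line}"


def scan_text(path: str, text: str) -> list[SecretFinding]:
    """Scan one file's contents; one finding per (line, pattern) match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append(SecretFinding(path, lineno, name))
    return findings


def scan_repo(files: dict[str, str]) -> list[SecretFinding]:
    """Scan a {path: contents} mapping (stand-in for a checked-out repo)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def persisted_record(findings: list[SecretFinding]) -> str:
    """Serialize findings exactly as they would be written to storage."""
    return json.dumps([asdict(f) for f in findings], indent=1)


def record_leaks_value(record: str, files: dict[str, str]) -> bool:
    """Self-check: does the persisted record contain any raw matched value?

    Re-runs the same patterns over the source files and searches for every
    matched string inside the serialized record. Must always be False.
    """
    for text in files.values():
        for rx in PATTERNS.values():
            for m in rx.finditer(text):
                if m.group(0) in record:
                    return True
    return False


# Constructed sample repository. The AWS key is the documented AWS placeholder;
# the GitHub token is a made-up string of the right length and prefix.
SAMPLE_FILES = {
    "config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    "deploy/.env": "GH_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n",
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}

if __name__ == "__main__":
    found = scan_repo(SAMPLE_FILES)
    for f in found:
        print(f.summary())
    record = persisted_record(found)
    print(record)
    print("leaks raw value:", record_leaks_value(record, SAMPLE_FILES))
```

The design point is structural rather than procedural: because `SecretFinding` has no slot for the value, there is nothing to redact after the fact, and a later change to logging or export cannot reintroduce the leak. When evaluating a vendor's claim of this kind, the equivalent check is to export findings and grep the export for a known planted secret.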
Orbis AppSec findings are mapped to CWE identifiers, the OWASP Top 10, and CVE references where applicable. The mappings serve as evidence for the secure-development and vulnerability-management controls in SOC 2, PCI DSS, HIPAA, and ISO 27001 audits without manual cross-referencing; they support that evidence rather than establishing compliance with a framework on their own.
Only users you authorize via your GitHub organization. Orbis AppSec uses GitHub's native permission model — scan results are associated with your repository and are only visible to repository members with appropriate access levels.
Every fix ships as a GitHub pull request — never auto-merged. Developers review the before/after diff, the AI-generated explanation, and references to the relevant CWE before deciding to merge. Your existing CI pipeline (tests, linting, type checks) runs on the fix PR just like any other PR, so any regression is caught before merge.
Orbis AppSec reports roughly a 90% reduction in false positives compared to rule-only scanners. Before flagging an issue, the AI checks that the code path is actually reachable with attacker-controlled input and generates a plain-English explanation of why the finding is real. If the AI is not confident a finding is exploitable, it is suppressed rather than surfaced. The trade-off is that a real issue whose reachability cannot be confirmed is also not shown, so the suppression rule buys lower noise at some cost in recall.
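To make "reachable with attacker-controlled input" concrete, here is an added example that is not Orbis AppSec's engine: a deliberately small intraprocedural taint tracker over Python's `ast` module. It distinguishes a sink call that merely exists (what a rule-only scanner flags) from one whose argument is derived from a request parameter, and it applies the same suppression rule the paragraph describes. The source, sink and sanitizer lists and the sample function are constructed for illustration.

```python
import ast

# Constructed source/sink/sanitizer lists; a real engine models far more.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute", "os.system", "subprocess.call"}
SANITIZERS = {"int", "shlex.quote"}


def _dotted(node: ast.AST):
    """Render Name/Attribute chains such as request.args.get as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _call_name(node: ast.AST):
    return _dotted(node.func) if isinstance(node, ast.Call) else None


class ReachabilityChecker(ast.NodeVisitor):
    """Flow-insensitive taint tracking over local names, one function at a time.

    Enough to separate "a sink call exists" from "the sink call receives
    attacker-controlled input"; it ignores keyword args, containers and
    calls into other functions.
    """

    def __init__(self):
        self.tainted: set[str] = set()
        self.sink_calls: list[dict] = []

    def _is_tainted(self, expr: ast.AST) -> bool:
        # A sanitizer wrapping the whole expression neutralizes it.
        if _call_name(expr) in SANITIZERS:
            return False
        for sub in ast.walk(expr):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if isinstance(sub, ast.Call) and _call_name(sub) in SOURCES:
                return True
        return False

    def visit_FunctionDef(self, node: ast.FunctionDef):
        self.tainted = set()  # taint does not cross function bodies here
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign):
        tainted = self._is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # reassignment clears taint
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call):
        name = _call_name(node)
        if name in SINKS:
            self.sink_calls.append({
                "line": node.lineno,
                "sink": name,
                # Only positional arguments are examined in this toy.
                "reachable": any(self._is_tainted(a) for a in node.args),
            })
        self.generic_visit(node)


def analyze(source: str) -> list[dict]:
    """Every sink call, each with a reachability verdict (rule-only view)."""
    checker = ReachabilityChecker()
    checker.visit(ast.parse(source))
    return checker.sink_calls


def surfaced(source: str) -> list[dict]:
    """Apply the suppression rule: unconfirmed sink calls are not reported."""
    return [f for f in analyze(source) if f["reachable"]]


# Constructed sample: only the first execute() is attacker-controlled.
SAMPLE = '''def lookup(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s" % uid)
    page = int(request.args.get("page"))
    cursor.execute("SELECT * FROM posts LIMIT %d" % page)
    cursor.execute("SELECT COUNT(*) FROM users")
'''

if __name__ == "__main__":
    print("rule-only hits:", len(analyze(SAMPLE)))  # 3
    print("surfaced:", surfaced(SAMPLE))            # line 3 only
```

A pattern rule for `cursor.execute(... % ...)` fires twice on this sample; the dataflow view surfaces only line 3, because line 5 passes through `int()` and line 6 is a constant query. The same mechanism is also where the recall cost lives: a source or sanitizer the model does not know about silently flips a verdict, which is why suppressed findings deserve a periodic audit.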
Python, JavaScript, TypeScript, Go, Java, C, C++, Ruby, PHP, and Rust are supported for static analysis (SAST). Dependency scanning (SCA) covers npm, pip, Maven, Go modules, Composer, and Bundler. Language coverage is continuously expanded.
Fixes are generated using patterns validated against thousands of real-world vulnerability remediation examples. Each fix is scoped to the minimum change required — Orbis AppSec does not refactor surrounding code or make stylistic changes. The PR description includes a full explanation so you can evaluate the fix before merging.
Orbis AppSec requires: read access to repository contents (to scan code), read/write access to pull requests (to open fix PRs and post comments), and read/write access to checks (to post scan status). It does not require admin access, secrets access, or organization-level permissions beyond what is needed for the selected repositories.
No. When you install the GitHub App, you explicitly select which repositories to grant access to. You can limit installation to a single repository or a subset, and you can revoke access at any time from GitHub's App settings — no action required on the Orbis AppSec side.
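The two answers above (the permission set and the per-repository installation) are claims a buyer can verify against the installation object GitHub returns. The following is an added example, not Orbis AppSec's code: it audits an installation's `permissions` and `repository_selection` fields, which are the field names GitHub's REST API uses for app installations, against the least-privilege set the FAQ declares. The sample installations are constructed, not real API responses.

```python
# Least-privilege audit of a GitHub App installation (added example).
# The expected grants come from the FAQ text; the `permissions` and
# `repository_selection` fields are those of GitHub's installation object.

LEVEL = {"read": 1, "write": 2, "admin": 3}

# What the FAQ says the app needs. GitHub grants every app metadata:read
# implicitly, so it is listed as expected rather than flagged.
EXPECTED = {
    "contents": "read",
    "pull_requests": "write",
    "checks": "write",
    "metadata": "read",
}


def audit_installation(installation: dict, expected: dict = EXPECTED) -> dict:
    """Compare granted permissions to the declared least-privilege set.

    Reports scopes granted at a higher level than expected or not expected
    at all, scopes that are missing, and whether the installation is limited
    to selected repositories rather than every repository in the account.
    """
    granted = installation.get("permissions", {})
    over = {}
    for scope, level in granted.items():
        want = expected.get(scope)
        if want is None or LEVEL.get(level, 99) > LEVEL[want]:
            over[scope] = level
    missing = {s: lvl for s, lvl in expected.items() if s not in granted}
    return {
        "over_granted": over,
        "missing": missing,
        "repo_scoped": installation.get("repository_selection") == "selected",
    }


def is_least_privilege(installation: dict) -> bool:
    """True only if nothing beyond the declared set is granted and the
    installation is limited to selected repositories."""
    result = audit_installation(installation)
    return not result["over_granted"] and result["repo_scoped"]


# Constructed samples: one matching the FAQ, one that a reviewer should reject.
AS_CLAIMED = {
    "repository_selection": "selected",
    "permissions": {"contents": "read", "pull_requests": "write",
                    "checks": "write", "metadata": "read"},
}
OVER_BROAD = {
    "repository_selection": "all",
    "permissions": {"contents": "write", "pull_requests": "write",
                    "checks": "write", "metadata": "read",
                    "secrets": "read", "administration": "write"},
}

if __name__ == "__main__":
    for name, inst in (("as claimed", AS_CLAIMED), ("over-broad", OVER_BROAD)):
        print(name, audit_installation(inst))
```

In practice the input is the JSON from the installation settings page or the installations API; run the audit at install time and again after any app update, since GitHub prompts the org owner to accept new permissions and that acceptance is easy to click through.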
Under 2 minutes. Install the GitHub App from the Orbis AppSec dashboard, select the repositories to enable, and the first scan runs automatically on the next push or pull request event. No configuration files, no YAML pipelines, no API keys to manage.
Orbis AppSec is free for public repositories with no usage limits. For private repositories, a paid plan is required. There is no per-seat pricing for small teams.
Semgrep and CodeQL are detection tools — they find vulnerabilities and report them. Orbis AppSec starts there and goes further: it generates a production-ready fix and opens a GitHub PR automatically. You also don't need to write or maintain custom rules; Orbis AppSec uses AI context to reason about each finding rather than pattern-matching against a fixed rule set.
Partially. Semgrep has a rich ecosystem of custom rules that security teams write and maintain for proprietary patterns. If your team relies on custom Semgrep rules for domain-specific checks, those continue to make sense alongside Orbis AppSec. Where Orbis AppSec replaces Semgrep is in the remediation workflow: instead of reading a finding and manually writing a fix, Orbis AppSec opens the fix PR for you.
Yes. Orbis AppSec combines SAST (static analysis of your code) with SCA (software composition analysis of your dependencies). When a known CVE is found in a dependency, Orbis AppSec generates an upgrade recommendation and opens a PR moving to the fixed version, with AI context on whether the CVE is actually exploitable from your code paths. The upgrade PR runs through your normal CI like any other PR, so a breaking dependency change is caught before merge.
Yes. Orbis AppSec is additive — it can run in parallel with Semgrep, CodeQL, or Snyk. The primary value is in remediation: existing tools surface findings that developers then have to research and fix manually. Orbis AppSec closes that loop automatically. Many teams run Orbis AppSec alongside their existing scanner, letting the scanner set policy and Orbis AppSec provide the fixes.
Join thousands of developers who trust Orbis AppSec to find and fix vulnerabilities before they become problems. Get started in under 2 minutes.