
How Vouch Works

Vouch runs a multi-stage analysis pipeline designed specifically for AI-generated codebases. Each layer catches a different class of issue — and each one feeds the next, so by the time a finding reaches your dashboard, it has survived multiple cross-checks.

The Pipeline

Code Intake

Three ways in:

  • GitHub App — automatic on every push and pull_request
  • Public API — POST /scan-repo-url with a GitHub URL (API Reference)
  • Online Scanner — paste a snippet directly in the dashboard

All three feed the same downstream pipeline. There is no “lite” path.

Static Analysis

The first layer combines proven open-source scanners — Semgrep for code-pattern vulnerabilities, Gitleaks for hardcoded secrets, and npm-audit + pip-audit for known CVEs in your dependencies. These run in parallel inside an isolated compute environment so a single repo doesn’t tie up the API.

Route Surface Map

Before the AI layer runs, Vouch builds a complete map of every HTTP route in your codebase — automatic discovery across major web frameworks. This becomes structured context for the AI Hunter, so even routes living in files that didn’t make it into the main code window get checked for missing auth, rate-limiting, or input validation.

AI Hunter

This is where Vouch goes beyond traditional SAST tools. The AI Hunter examines your code through the lens of your actual stack and endpoint surface — looking not just at what the code does syntactically, but whether the resulting behavior is secure given how the pieces fit together. It catches logic-level vulnerabilities that pattern-based rules miss entirely: broken auth flows, IDORs, missing rate limits on sensitive endpoints, subtle data leaks in API responses.

AI Validator

AI analysis can produce false positives. Before any finding reaches your dashboard, the AI Validator re-examines each one in isolation with focused code context — discarding the noise and keeping only findings grounded in real risk. In practice this filters out roughly 70–80% of raw findings, which is why a typical Vouch report stays small and actionable instead of overwhelming.

Scoring Engine

Surviving findings are weighted by severity and density to produce your 0–100 Vouch Score. A single critical finding (an exposed key, an unauthenticated admin endpoint) hits the score hard; a stack of low-severity issues causes a gradual decline. See Vouch Score.

Auto-Fix Generation

For supported vulnerability types, the pipeline generates a drop-in code fix — contextualized to your framework and ready to apply through a one-click pull request. Fixes go through a propose-critique-refine loop so the patch is minimal and doesn’t introduce new bugs. See Auto-Fix.

Dashboard & Notifications

Results update your live Vouch Badge and, if configured, trigger Slack or webhook notifications — or arrive as an HMAC-signed callback to your own endpoint if you triggered the scan via the public API.
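An added example, not Vouch's own code, of how a receiving endpoint can verify such an HMAC-signed callback before trusting its contents. The header names, HMAC-SHA256, and the timestamp-prefixed message format are assumptions; substitute whatever scheme the API Reference actually documents.

```python
import hmac
import hashlib
import json
import time
from typing import Optional

# Assumed (not from the Vouch docs): the callback carries the hex-encoded
# HMAC-SHA256 of "<unix-timestamp>.<raw body>" plus the timestamp itself.
SIG_HEADER = "X-Vouch-Signature"
TS_HEADER = "X-Vouch-Timestamp"
MAX_SKEW_SECONDS = 300


def sign_callback(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Compute the signature the sender attaches (used here to build sample input)."""
    msg = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_callback(secret: bytes, headers: dict, raw_body: bytes,
                    now: Optional[int] = None) -> bool:
    """Return True only if the signature matches the raw body and the timestamp is fresh.

    Verify over the exact bytes received: re-serialising parsed JSON can change
    whitespace or key order and silently break the comparison.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers[TS_HEADER])
        presented = headers[SIG_HEADER]
    except (KeyError, ValueError):
        return False  # missing or malformed headers: reject
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = sign_callback(secret, ts, raw_body)
    # compare_digest runs in constant time, so response timing does not leak
    # how many leading characters of the signature were correct.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample: a shared secret and a scan-result payload.
    secret = b"constructed-shared-secret"
    body = json.dumps({"repo": "example/app", "score": 82, "findings": []}).encode()
    ts = int(time.time())
    headers = {SIG_HEADER: sign_callback(secret, ts, body), TS_HEADER: str(ts)}
    print("genuine:", verify_callback(secret, headers, body))
    print("tampered:", verify_callback(secret, headers, body.replace(b"82", b"99")))
```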


Why this stack

The pattern-based scanners catch the “known unknowns” — the CWE-class bugs anyone with the right ruleset would find. The AI Hunter catches the “unknown unknowns” — the logic flaws that don’t pattern-match to anything. And the Validator keeps the signal-to-noise ratio sane.

That trio is the actual moat. Running Semgrep alone gives you a flood of alerts most solo devs never triage. Running an LLM alone hallucinates findings that erode trust within a week. Doing both in sequence, with cross-validation, is what makes the output worth acting on.

