Trust & Security

Built to be trusted with your code

How SwarmFlow finds vulnerabilities, how accurate it is, and exactly how we handle your source code.

Accuracy benchmark

Measured on a labeled set of 16 samples — 10 real, well-formed secrets across 8 types and 6 decoys (env-var references, placeholders, interpolated strings, localhost). Reproducible and open-source in our repo.

100%
Secret recall
(10/10 caught)
0
False positives
(6/6 decoys ignored)
30s
Typical scan
time

Scope: this benchmark covers the deterministic secret scanner. AI semantic detection (injection, SSRF, weak crypto, etc.) runs on top and is continually evaluated. We publish only measured numbers — never estimates.

Three detection layers

Broad coverage

AI semantic analysis

Reads and understands code intent to find logic and context-dependent vulnerabilities that pattern matching misses.

100% recall in our benchmark

Deterministic secret scanner

A fast, local, regex engine that catches hardcoded credentials with high confidence — independent of the AI, so a leaked key is never missed.

Supply chain

Dependency scanning (OSV)

Checks your dependencies against the OSV database of known CVEs.

What we detect

SQL injectionCross-site scripting (XSS)Command injectionSSRFHardcoded secrets & API keysWeak / broken cryptographyInsecure deserializationPath traversalAuth & access-control flawsDependency CVEs (OSV)OWASP Top 10

How we handle your code

🔒 We never modify your code without consent

Connecting a repo grants the GitHub scope needed to scan it and, when you ask, open fix PRs or issues. We never change your code unless you explicitly approve a fix pull request.

🧠 Processed in-memory

Code is fetched per-scan, analyzed in memory, and not persisted. We store findings (file path, line, description) — not your source files.

✅ Fixes you review

Every fix is opened as a pull request for you to review and merge. SwarmFlow never pushes to your main branch.

🏢 Tenant isolation

Every workspace is isolated — your findings and repos are scoped to your account and never visible to others.

🔑 Encrypted tokens

Integration tokens are encrypted at rest and used only to access the resources you connect.

🛡️ Hardened API

Rate limiting, CSRF protection, signed webhooks, and input validation across the platform.

SwarmFlow is in active beta. We're transparent about what we measure and what's still maturing — and we publish only real numbers. SOC 2 and SSO/SAML are on our roadmap for enterprise.

Scan your repo free