Secure Every Git Diff Before It Ships

Enterprise-grade security analysis for Git workflows. Changed-context review, webhook integrity checks, cloud/IAM guardrails, and AI security rules with complete network isolation.

~/project/mavetis

$ mavetis review --staged --with-context
Mode: staged+context
Files: 9 changed + 4 context
Findings: 16 (critical=5 high=11 medium=0 low=0)

[CRITICAL] Webhook handler without signature verification
  Rule: webhook.signature.missing
  File: src/api/webhook.ts:6
  Confidence: medium
  Snippet: app.post("/webhook", handler)

[HIGH] Webhook signature verification after parsed body
  Rule: webhook.rawbody.missing
  File: src/api/webhook.ts:7
  Confidence: medium
  Context: src/api/signing.ts reviewed

0 Third-Party Dependencies: pure Go standard library only
0 Network Requests: complete offline operation
0 Telemetry: no tracking or data collection
3 Output Formats: text, JSON, and SARIF

Delivered Capability Layers

Enterprise-grade security analysis for Git-based development workflows

Regression Core

Security downgrade detection, config drift, and observability leak detection across Git diffs.

Changed Context Review

Optional --with-context import discovery adds bounded local dependency files to staged, branch, and CI reviews.

Rule Explanations

Explain builtin, custom YAML, and synthetic semantic rules with deterministic text output and safe examples.

Air-Gapped Operation

Complete offline analysis with zero external network dependencies and zero telemetry.

Policy Layer

Rule profiles (auth, fintech, backend, frontend) and trust zones for risk-weighted review.

Boundary Enforcement

Diff-level architectural boundary checks for privileged modules and admin surfaces.

Supply-Chain Trust

Dependency lifecycle correlation, registry trust drift, and lockfile consistency checks.

Webhook Integrity

Detect missing signature verification, replay windows, and raw-body handling in provider webhook endpoints.

Cloud & IAM Guardrails

Catch public object storage, long-lived presigned URLs, wildcard IAM policies, and public SSH ingress.

AI Security Rules

Flag secret material in prompts, user-controlled system prompts, and unvalidated model-selected tool execution.

Flexible Rule Engine

Custom YAML-based rules with typed policies, contextual scoping, and repository snapshots.

SARIF Integration

Native JSON and SARIF output formats for seamless CI/CD pipeline integration.

Git Hook Integration

Automated pre-commit and pre-push scanning with configurable fail thresholds.

OWASP / ASVS

Coverage across secrets, auth, injection, cryptography, and supply chain security.

Security Architecture

No third-party dependencies, no cloud services, no accounts, no AI components.

Repository Snapshots

Opt-in snapshot baselines from existing security-sensitive code anchors.

Baseline Suppressions

Capture known findings and suppress legacy noise so teams focus on newly introduced issues.

Init Wizard

Interactive project initialization with automatic .mavetis.yaml generation and sensible defaults.

Deterministic Execution

Pure Go standard library implementation ensuring consistent, reproducible results.

Review Command

Deep security analysis on every code change

Command Examples

$ mavetis review --staged --path 'src/**' --profile auth --with-context --explain

Review staged authentication changes with changed-context imports and profile-aware explanations

Flags Reference

--staged                 Review staged Git changes
--base <branch>          Compare against a base branch
--path <glob>            Restrict review scope with a glob pattern
--profile <name>         Apply a rule profile (auth, fintech, backend, frontend)
--with-context           Add bounded changed-file import context for Git diff reviews
--changed-with-context   Alias for changed-context review
rules explain --id       Explain a rule by identifier
explain rule             Alias for rule explanation
--explain                Verbose finding explanations
--with-suggested         Include bounded local import suggestions
--format <fmt>           Output format (text, json, sarif)
--severity <level>       Filter by severity (critical, high, medium, low)
--fail-on <level>        Set the blocking threshold for exit code 1
--config <path>          Custom config file path (.mavetis.yaml)
--baseline <path>        Suppress known findings from a baseline file
--stdin-targets          Read file targets from stdin

Regression Core

Security weakening treated as a first-class signal in Git diffs

Security Downgrades

  • SameSite policy weakening
  • Cookie and token lifetime growth
  • bcrypt cost reduction
  • Rate-limit threshold increases
  • Timeout expansion
  • MFA requirement weakening

Config Drift

  • Debug mode activation
  • Non-production environment fallbacks
  • Wildcard CORS and weakened CSP
  • Legacy TLS configuration
  • Privileged container settings
  • Architectural boundary violations
  • HSTS / X-Frame / X-Content-Type header removal

Observability Leaks

  • Request body logging
  • Authorization material leakage
  • PII in telemetry
  • Raw error serialization
  • Sensitive tracing attributes
  • Security-intent regressions
  • Health data in logs and observability

Detection Capabilities

Coverage across secrets, auth, injection, and supply chain security

Secrets & Cryptography

  • Cloud provider credentials (AWS, Stripe, Supabase)
  • Config file secrets (dotenv, JWT)
  • Private key and high-entropy patterns
  • Weak randomness, hashing, and ciphers
  • IV/nonce misuse and reuse
  • Insecure algorithm selection
  • Weak password hashing (MD5, SHA1, SHA256)
  • Plaintext password comparison
  • RSA key size under 2048
  • PII and sensitive data exposure

Access Control & Sessions

  • Authentication bypass vulnerabilities
  • Deleted or disabled auth middleware
  • Insecure token storage
  • Session fixation and invalidation
  • IDOR and ownership verification gaps
  • JWT decode-without-verify flaws
  • Weak hash and plaintext credential detection
  • Tenant-scoped lookup gaps
  • Password reset token logging

Webhooks & Replay

  • Webhook handlers without signature verification
  • Webhook verification without timestamp or replay-window checks
  • JSON parsing before raw-body signature validation
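The three checks above, and the two findings in the demo run at the top of the page, describe one handler shape. The Go program below is an added example, not Mavetis code and not the src/api/webhook.ts from the demo: it shows the vulnerable handler (parse first, never verify) beside a hardened one that checks an HMAC-SHA256 signature over the untouched raw body in constant time and rejects deliveries outside a replay window. The header layout, the signed string `<unix-timestamp>.<raw-body>`, the five-minute window, and the sample secret and payload are assumptions modelled on common provider schemes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Added example, not Mavetis code. The header layout, the signed string
// "<unix-timestamp>.<raw-body>", the five-minute window and the sample
// secret and payload are assumptions modelled on common provider schemes.

const replayWindow = 5 * time.Minute

// Event is the parsed webhook payload.
type Event struct {
	ID   string `json:"id"`
	Type string `json:"type"`
}

// vulnerableHandle mirrors the two findings in the demo run: the body is
// parsed before (and instead of) any signature check, so a forged body is
// accepted and the exact bytes a signature would cover are already gone.
func vulnerableHandle(body []byte) (Event, error) {
	var ev Event
	if err := json.Unmarshal(body, &ev); err != nil {
		return Event{}, err
	}
	return ev, nil
}

// computeSignature returns hex(HMAC-SHA256(secret, ts + "." + rawBody));
// sender and verifier both compute it over the raw bytes.
func computeSignature(secret []byte, ts int64, rawBody []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10)))
	mac.Write([]byte("."))
	mac.Write(rawBody)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyWebhook is the hardened path: timestamp inside the replay window,
// then a constant-time signature check against the untouched raw body, and
// only then is the body decoded.
func verifyWebhook(secret, rawBody []byte, sigHeader, tsHeader string, now time.Time) (Event, error) {
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return Event{}, errors.New("bad timestamp header")
	}
	age := now.Sub(time.Unix(ts, 0))
	if age > replayWindow || age < -replayWindow {
		return Event{}, errors.New("timestamp outside replay window")
	}
	want := computeSignature(secret, ts, rawBody)
	if !hmac.Equal([]byte(want), []byte(sigHeader)) {
		return Event{}, errors.New("signature mismatch")
	}
	var ev Event
	if err := json.Unmarshal(rawBody, &ev); err != nil {
		return Event{}, err
	}
	return ev, nil
}

func main() {
	secret := []byte("constructed-shared-secret")
	body := []byte(`{"id":"evt_1","type":"payment.succeeded"}`)
	now := time.Unix(1700000000, 0)
	ts := strconv.FormatInt(now.Unix(), 10)
	sig := computeSignature(secret, now.Unix(), body)

	_, err := verifyWebhook(secret, body, sig, ts, now)
	fmt.Println("genuine delivery:", err)
	forged := []byte(`{"id":"evt_1","type":"refund.succeeded"}`)
	_, err = verifyWebhook(secret, forged, sig, ts, now)
	fmt.Println("forged body:", err)
	_, err = verifyWebhook(secret, body, sig, ts, now.Add(10*time.Minute))
	fmt.Println("replayed 10 minutes later:", err)
	ev, _ := vulnerableHandle(forged)
	fmt.Println("vulnerable handler accepted type:", ev.Type)
}
```

In a real net/http handler the bytes passed as rawBody are what io.ReadAll returned from the request, read once and before any JSON decoding; decoding first and re-serialising later is exactly the ordering the webhook.rawbody.missing finding reports. The timestamp check runs before the HMAC so a stale delivery is rejected cheaply, and hmac.Equal keeps the comparison constant-time.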

Injection & Input

  • SSRF, SQL injection, command injection
  • XSS and unsafe deserialization
  • Path traversal and Zip Slip
  • Server-Side Template Injection (SSTI)
  • Dynamic code evaluation (eval)
  • Data flow from request to sink
  • ReDoS via user-controlled regex
  • XML XXE injection
  • Open redirect vulnerabilities
  • Local/Remote File Inclusion (LFI/RFI)

Supply Chain

  • Remote and git-based dependencies
  • Version pinning and floating versions
  • Typosquatting attack patterns
  • Lockfile integrity violations
  • Install-time script execution
  • Mutable GitHub Action references

Cloud & AI Guardrails

  • Public object storage read/write exposure
  • Long-lived presigned storage URLs
  • Wildcard IAM policies and public SSH ingress
  • Secrets added to AI prompts or model messages
  • User input assigned to privileged system prompts
  • Unvalidated AI tool execution from model output
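As an added example (not Mavetis code; the policy document, the ingress rules and the rule ids are constructed), the Go program below implements two of the guardrails listed above, the wildcard IAM policy check and the public SSH ingress check, as checks over parsed structures rather than line patterns. It also handles the single-string versus list shape IAM permits for Action and Resource, which a line regex would miss.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Added example, not Mavetis code: two Cloud & IAM guardrails written as
// structural checks over parsed policy and ingress definitions. The policy
// document, the ingress rules and the rule ids are constructed.

// stringList decodes a JSON value that may be a single string or a list,
// the two shapes IAM allows for Action and Resource.
type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = stringList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

type Statement struct {
	Effect   string     `json:"Effect"`
	Action   stringList `json:"Action"`
	Resource stringList `json:"Resource"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

// wildcard is true for "*" and for service-wide grants such as "s3:*";
// a trailing "/*" in a resource ARN is a prefix match, not a wildcard grant.
func wildcard(v string) bool {
	return v == "*" || strings.HasSuffix(v, ":*")
}

// CheckPolicy flags Allow statements whose action and resource are both
// wildcards as critical, and a wildcard on one side only as high.
func CheckPolicy(doc []byte) ([]string, error) {
	var p Policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	var out []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		wa, wr := false, false
		for _, a := range st.Action {
			wa = wa || wildcard(a)
		}
		for _, r := range st.Resource {
			wr = wr || wildcard(r)
		}
		switch {
		case wa && wr:
			out = append(out, fmt.Sprintf("[CRITICAL] iam.policy.wildcard statement %d: Allow */* grants everything", i))
		case wa || wr:
			out = append(out, fmt.Sprintf("[HIGH] iam.policy.wildcard statement %d: wildcard action or resource", i))
		}
	}
	return out, nil
}

// Ingress is one inbound security-group style rule.
type Ingress struct {
	FromPort, ToPort int
	CIDRs            []string
}

// CheckIngress flags any rule whose port range covers SSH (22) from an
// any-address source; a wide range such as 0-65535 counts as well.
func CheckIngress(rules []Ingress) []string {
	var out []string
	for i, r := range rules {
		if r.FromPort > 22 || r.ToPort < 22 {
			continue
		}
		for _, c := range r.CIDRs {
			if c == "0.0.0.0/0" || c == "::/0" {
				out = append(out, fmt.Sprintf("[CRITICAL] net.ssh.public.ingress rule %d: port 22 reachable from %s", i, c))
			}
		}
	}
	return out
}

// SamplePolicy and SampleIngress are constructed inputs.
const SamplePolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"},
  {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
  {"Effect": "Deny", "Action": "*", "Resource": "*"}
]}`

var SampleIngress = []Ingress{
	{22, 22, []string{"10.0.0.0/8"}},
	{0, 65535, []string{"0.0.0.0/0"}},
	{443, 443, []string{"0.0.0.0/0"}},
}
```

Run against the sample inputs, only the second policy statement (service-wide action on every resource) and the second ingress rule (all ports from anywhere) are reported; the Deny statement, the bucket-prefixed resource and the HTTPS rule are left alone.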

Configuration Security

  • Missing HSTS header configuration
  • Missing X-Frame-Options header
  • Missing X-Content-Type-Options header
  • Security header regressions in config

Business Logic

  • Mass assignment vulnerabilities
  • Price tampering in requests
  • Go unsafe.Pointer memory violations

Policy Layer & Boundary Enforcement

Policy-aware diff review with typed rule primitives

Rule Profiles

  • auth — authentication, tokens, sessions, crypto
  • fintech — full default surface for high-assurance
  • backend — server-side, supply-chain, config, network
  • frontend — browser auth, XSS, CORS, privacy

Trust Zones

  • zones.critical — two severity levels up to critical
  • zones.restricted — one severity level, fail-on=medium
  • Automatic severity uplift in sensitive paths
  • Stricter blocking thresholds inside protected dirs
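To make the zone semantics concrete, here is an added Go model (not Mavetis code; the zone prefixes, rule ids, paths and sample findings are constructed) that applies the uplift and threshold rules listed above to a set of findings and derives the CI exit code, including the clamp at critical.

```go
package main

import "strings"

// Added example, not Mavetis code: a model of the trust-zone rules listed on
// the page. Zone prefixes, rule ids, paths and the sample findings are
// constructed; the uplift and threshold semantics follow the page.

// Levels in ascending order; the slice index is the numeric level.
var Levels = []string{"low", "medium", "high", "critical"}

func level(name string) int {
	for i, l := range Levels {
		if l == name {
			return i
		}
	}
	return -1
}

// Zone lifts severity for findings under Prefix; an empty FailOn inherits
// the review's own --fail-on level.
type Zone struct {
	Prefix string
	Uplift int
	FailOn string
}

var Zones = []Zone{
	{Prefix: "internal/auth/", Uplift: 2},                      // zones.critical: two levels, up to critical
	{Prefix: "internal/billing/", Uplift: 1, FailOn: "medium"}, // zones.restricted: one level, fail-on=medium
}

type Finding struct {
	Rule, Path, Severity string
}

// Adjusted is a finding after zone uplift plus the blocking decision for it.
type Adjusted struct {
	Finding
	Effective string
	Blocks    bool
}

// ApplyZones lifts severities inside zones (capped at critical) and decides
// blocking per finding against the zone threshold or the default failOn.
// The second result is the CI exit code: 1 if anything blocks, else 0.
// An unknown --fail-on name yields threshold -1, so everything blocks
// (fail closed); an unknown finding severity is treated as low.
func ApplyZones(findings []Finding, failOn string) ([]Adjusted, int) {
	var out []Adjusted
	code := 0
	for _, f := range findings {
		lvl, threshold := level(f.Severity), level(failOn)
		if lvl < 0 {
			lvl = 0
		}
		for _, z := range Zones {
			if !strings.HasPrefix(f.Path, z.Prefix) {
				continue
			}
			lvl += z.Uplift
			if lvl > len(Levels)-1 {
				lvl = len(Levels) - 1
			}
			if z.FailOn != "" {
				threshold = level(z.FailOn)
			}
			break
		}
		a := Adjusted{Finding: f, Effective: Levels[lvl], Blocks: lvl >= threshold}
		if a.Blocks {
			code = 1
		}
		out = append(out, a)
	}
	return out, code
}

// Sample findings: one in each zone and one outside any zone.
var Sample = []Finding{
	{"auth.jwt.decode.unverified", "internal/auth/token.go", "high"},
	{"log.request.body", "internal/billing/handler.go", "low"},
	{"config.header.hsts.missing", "web/config.go", "medium"},
}
```

With the review run at --fail-on high, the auth finding goes from high to critical (two levels, clamped) and blocks, the billing finding goes from low to medium and blocks because the restricted zone fails from medium, while the unzoned medium finding is reported but does not block.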

Boundary Enforcement

  • Public routes importing internal admin code
  • UI layers importing auth or security helpers
  • Public surfaces reaching privileged services
  • Diff-bounded evaluation on changed hunks only
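The following Go program is an added example, not Mavetis code, serving both the Regression Core downgrade checks (the bcrypt cost reduction case) and the boundary rule above: it keeps only the lines a unified diff changed, compares the removed and added side of each file for a weakened setting, flags an internal admin import added to a public route, and maps the result to the --fail-on exit code. The rule ids, the api/public/ and internal/admin paths and the sample diff are constructed.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Added example, not Mavetis code: a diff-bounded detector sketching the
// Regression Core downgrade rules and the public-route boundary check
// described on the page. Rule ids, paths and the sample diff are constructed.

// Finding severity: 0 low, 1 medium, 2 high, 3 critical.
type Finding struct {
	Rule, File string
	Severity   int
}

// fileDiff holds the removed and added lines of one file, newline-joined.
type fileDiff struct {
	file, removed, added string
}

// splitDiff keeps only the changed lines, so rules never see code the diff
// did not touch (the diff-bounded evaluation the page describes).
func splitDiff(diff string) []fileDiff {
	var out []fileDiff
	for _, ln := range strings.Split(diff, "\n") {
		switch {
		case strings.HasPrefix(ln, "+++ b/"):
			out = append(out, fileDiff{file: strings.TrimPrefix(ln, "+++ b/")})
		case len(out) == 0 || strings.HasPrefix(ln, "---") || strings.HasPrefix(ln, "+++"):
			// file headers, or text before the first file: not a change
		case strings.HasPrefix(ln, "-"):
			out[len(out)-1].removed += ln[1:] + "\n"
		case strings.HasPrefix(ln, "+"):
			out[len(out)-1].added += ln[1:] + "\n"
		}
	}
	return out
}

var reBcrypt = regexp.MustCompile(`GenerateFromPassword\([^,]+,\s*(\d+)\)`)
var reAdmin = regexp.MustCompile(`(?m)^\s*"[^"]*internal/admin"`)

// bcryptCost returns the first bcrypt cost argument in text, or -1 if none.
func bcryptCost(s string) int {
	m := reBcrypt.FindStringSubmatch(s)
	if m == nil {
		return -1
	}
	n, _ := strconv.Atoi(m[1])
	return n
}

// check reports a downgrade only when both sides carry the setting and the
// new value is weaker, so a hardening edit never fires; the boundary rule
// looks only at import lines added to public route files.
func check(d fileDiff) []Finding {
	var fs []Finding
	if o, n := bcryptCost(d.removed), bcryptCost(d.added); o >= 0 && n >= 0 && n < o {
		fs = append(fs, Finding{"auth.bcrypt.cost.reduced", d.file, 2})
	}
	if strings.HasPrefix(d.file, "api/public/") && reAdmin.MatchString(d.added) {
		fs = append(fs, Finding{"boundary.public.imports.admin", d.file, 2})
	}
	return fs
}

// Review returns all findings and the CI exit code: 1 when any finding
// reaches the --fail-on severity, otherwise 0.
func Review(diff string, failOn int) ([]Finding, int) {
	var out []Finding
	code := 0
	for _, d := range splitDiff(diff) {
		for _, f := range check(d) {
			if f.Severity >= failOn {
				code = 1
			}
			out = append(out, f)
		}
	}
	return out, code
}

// sampleDiff is a constructed two-file diff: a bcrypt cost cut and a public
// route importing internal admin code.
const sampleDiff = `--- a/auth/password.go
+++ b/auth/password.go
@@ -10,1 +10,1 @@
-	return bcrypt.GenerateFromPassword(pw, 12)
+	return bcrypt.GenerateFromPassword(pw, 4)
--- a/api/public/routes.go
+++ b/api/public/routes.go
@@ -3,3 +3,4 @@
 import (
 	"net/http"
+	"example.com/app/internal/admin"
 )
`
```

Both findings in the sample are high, so Review(sampleDiff, 2) blocks at --fail-on high while Review(sampleDiff, 3) reports them without blocking. Because the downgrade rule compares the removed side against the added side, the reverse edit (raising the cost back to 12) produces no finding, and an admin import added to a file outside api/public/ is not a boundary violation.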

Typed Rule DSL

  • forbiddenImport — block forbidden module imports
  • requiredMiddleware — enforce middleware on routes
  • configKeyConstraint — constrain deployable config
  • pathBoundary — source-to-target trust boundaries
  • vulnerable-example and safe-example documentation fields

Supply-Chain Trust

  • Lifecycle and dependency correlation
  • Registry trust drift detection
  • Private-to-public registry move alerts
  • Package allowlist and denylist enforcement
  • Lockfile consistency checks
  • Manifest-without-lockfile drift detection

Security Snapshots

Generate opt-in snapshot baselines from existing security-sensitive code anchors. Enforced only when a changed hunk weakens the captured baseline.

$ mavetis rules snapshot

snapshot:
  path: .mavetis-snapshots.yaml

Baseline Suppressions

Record known findings and focus only on newly introduced issues. Ideal for legacy codebases migrating to continuous security review.

$ mavetis baseline --create --base main

baseline:
  - rule: inject.sql.raw
    path: src/api/handler.go
    line: 45

Exit Codes

0  Clean: no blocking findings, or help output
1  Blocked: findings matched the --fail-on threshold
2  Error: usage or runtime error

Git Hook Integration

$ mavetis hooks install

pre-commit:
  command: mavetis review --staged --fail-on high
pre-push:
  command: mavetis review --base <default-branch> --fail-on high
existing hooks:
  backed up as .bak before modification

Rule Explanation Layer

Deterministic rule intelligence for humans and CI logs

Explain Commands

Primary rule id
$ mavetis rules explain --id webhook.signature.missing

Explain any builtin, custom, or synthetic semantic rule by identifier.

Alias rule id
$ mavetis explain rule webhook.signature.missing

Compatibility alias for the same deterministic explanation output.

Text Output Shape

rule explanation
  id: webhook.signature.missing
  title: Webhook handler without signature verification
  severity: critical
  category: webhook
  confidence: medium
  standards: OWASP-ASVS-V4.1, OWASP-ASVS-V6.2
  vulnerable-example: app.post('/webhook', handler)
  safe-example: verify signature against raw body first

Builtin Rules

Core catalog entries resolve through the central rule explanation layer.

Custom YAML Rules

Custom rule files can expose vulnerable-example and safe-example guidance.

Synthetic Semantic Rules

Semantic metadata now lives in the rule layer and is shared by the engine.

Why Mavetis

Local-first vs cloud-based security scanners

Capabilities compared between Mavetis and cloud scanners:

  • Air-Gapped Operation
  • Zero Telemetry
  • No Third-Party Dependencies
  • Regression Detection
  • Changed-Context Import Discovery
  • Deterministic Rule Explanations
  • Webhook / AI / Cloud Rule Families
  • Policy Profiles (auth, fintech, backend)
  • Trust Zones (critical, restricted)
  • Typed Custom Rules (YAML)
  • Supply-Chain Trust Analysis
  • Repository Snapshots
  • Baseline Suppressions
  • Init Wizard
  • SARIF / JSON Output

Technical Specifications

Pure Go standard library implementation

Analysis Engine

  • Regression detection
  • Changed-context import discovery
  • Centralized rule explanation
  • Policy-aware review
  • Boundary enforcement
  • Supply-chain trust analysis

Detection Areas

  • Secrets & cryptography
  • Access control & sessions
  • Webhook integrity
  • Cloud and IAM guardrails
  • AI prompt and tool safety
  • Injection & input validation
  • Supply chain security
  • Business logic flaws
  • Configuration header regressions
  • File inclusion attacks
  • Go semantic analysis

Rule Profiles

  • auth — authentication & tokens
  • fintech — high-assurance review
  • backend — server-side security
  • frontend — browser-facing auth

Output Formats

  • Interactive text (ANSI)
  • Deterministic explain text
  • Machine-readable JSON
  • SARIF 2.1.0
  • Exit codes for CI/CD

How It Works

Security regression blocked before merge

  • Project initialized: mavetis init
  • Developer stages changes: git add .
  • Mavetis scans locally: mavetis review --staged --with-context
  • Rules explained: mavetis rules explain --id <rule.id>
  • Baseline suppresses known findings: mavetis baseline --create --base main
  • Findings analyzed: context, profile and zone rules applied
  • Regressions blocked: pre-commit hook enforced

Start Securing Your Codebase

No account required. No data leaves your machine. Pure Go. Zero dependencies.
