CodeTitan · Issue 001 / Pre-launch edition

Beta · Free on your runner · No signup

§ 01 · Thesis

The codebase immune system.

sanity check that catches the security patterns your ESLint config misses. Pairs with human review for behavioral defects — we don't claim to find race conditions or business-logic bugs. Free — runs on your own runner, no signup.

Fig 01 · Observer (live)

Observer · the scanner is always looking


§ 02 · What it already does
  • 266 rules · JS / TS detection rules
  • 3 passes · Source → sink taint analysis
  • 1 SARIF · GitHub Code Scanning native
  • 1 YAML · GitHub Action setup

Fig 03 · Measured against 5 production-grade OSS+SaaS repos

We ran CodeTitan at pinned upstream SHAs on Hono, Drizzle, Cal.com, Plane, and Documenso. Every finding cites a pinned SHA — clone the repo at that SHA and verify it yourself. Methodology and per-finding triage available on request.

  • 7 of 7 · Cal.com HIGH/CRITICAL findings confirmed true-positive at a pinned SHA (~250k LOC SaaS)
  • 9 of 9 · In-scope findings across all 5 repos confirmed true-positive
  • 0 lost · True-positive bugs lost to false-positive fixes (across Bundles 1-7)

Try the CLI · npx @noalia/codetitan@latest analyze . --no-ai · Apache-2.0 · methodology on request

§ 03 · Evidence — running live on GitHub

These aren't mockups. Click any letter above — each opens on a real pull request that CodeTitan reviewed autonomously on GitHub.

Fig 02 · The PR comment CodeTitan posts
codetitan-bot commented · 2m ago · posted from workflow
Risk score · 73 / 100

3 findings in this diff

  • Critical1
  • High1
  • Medium1
Gate · fail-on-severity: HIGH
Critical · TAINT_SQL_INJECTION

Untrusted request parameter reaches a raw SQL query without parameterization.

api/users/search.ts · line 42
42 │ const q = `SELECT * FROM users WHERE email = '${email}'`;
43 │ await db.query(q);

Data-flow traced across 3 files · source: req.query.email

Representative example · rendered from the real comment payload CodeTitan posts
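To make the finding above concrete (and the "source → sink taint analysis" pass listed under § 02), here is a toy single-file taint check written for this page. It is an added example, not CodeTitan's rule engine or any code from the project: it assumes an Express-style req object is the only untrusted source, assumes a node-postgres-style db.query(text, values) call with $1-style bind parameters is the only SQL sink, and walks one file one scope at a time. The two sample inputs are constructed for the example: the vulnerable template-literal query from the comment above, and the parameterized form that clears the finding.

```javascript
// Added example, not CodeTitan's code: a toy single-file source -> sink taint
// check for the TAINT_SQL_INJECTION pattern, plus the parameterized fix.
// Assumptions (hypothetical): an Express-style `req` object is the only
// untrusted source, and `db.query(text, values)` is the only SQL sink
// (node-postgres style, with $1-style bind parameters).

const SOURCE_RE = /\breq\.(query|params|body)\b/;
const ASSIGN_RE = /^\s*(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/;
const SINK_CALL = 'db.query(';

// Text of the first argument of a call, given the text after the '('.
// Quotes, backticks and nesting are tracked so a comma inside the SQL or
// inside a template literal is not mistaken for the argument separator.
function firstArg(rest) {
  let depth = 0;
  let quote = null;
  let out = '';
  for (const ch of rest) {
    if (quote) {
      out += ch;
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"' || ch === '`') {
      quote = ch;
    } else if (ch === '(' || ch === '[' || ch === '{') {
      depth++;
    } else if (ch === ')' || ch === ']' || ch === '}') {
      if (depth === 0) break;
      depth--;
    } else if (ch === ',' && depth === 0) {
      break;
    }
    out += ch;
  }
  return out.trim();
}

// Does `expr` carry taint? Either it reads a source directly, or it is a
// tainted identifier, or it builds a string from one (template interpolation
// or + concatenation). Passing a tainted value as a bind parameter is not
// string construction, so `db.query(q, [email])` does not trip this.
function isTainted(expr, taintedNames) {
  if (SOURCE_RE.test(expr)) return true;
  for (const name of taintedNames) {
    const id = name.replace(/\$/g, '\\$');
    if (expr === name) return true;
    if (new RegExp('\\$\\{\\s*' + id + '\\b').test(expr)) return true;
    if (new RegExp('\\+\\s*' + id + '\\b|\\b' + id + '\\s*\\+').test(expr)) return true;
  }
  return false;
}

// Walk the file line by line: assignments propagate taint (or clear it when
// a name is rebound to a clean value); each sink call is checked against the
// current tainted set. Real tools add interprocedural and cross-file tracing
// (the comment above cites a flow across 3 files); this toy stops at one file.
function findTaintedSqlSinks(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const assign = line.match(ASSIGN_RE);
    if (assign) {
      const [, name, rhs] = assign;
      if (isTainted(rhs, tainted)) tainted.add(name);
      else tainted.delete(name);
    }
    const at = line.indexOf(SINK_CALL);
    if (at !== -1) {
      const arg = firstArg(line.slice(at + SINK_CALL.length));
      if (isTainted(arg, tainted)) {
        findings.push({ line: i + 1, rule: 'TAINT_SQL_INJECTION', arg });
      }
    }
  });
  return findings;
}

// Constructed samples: the pattern from the finding above, and its fix.
const VULNERABLE = [
  'const email = req.query.email;',
  "const q = `SELECT * FROM users WHERE email = '${email}'`;",
  'await db.query(q);',
].join('\n');

const FIXED = [
  'const email = req.query.email;',
  "const q = 'SELECT id, email FROM users WHERE email = $1';",
  'await db.query(q, [email]);',
].join('\n');

console.log(findTaintedSqlSinks(VULNERABLE)); // one finding on line 3
console.log(findTaintedSqlSinks(FIXED));      // []
```

The design point worth noticing is in isTainted: the bind-parameter array in the fixed sample still contains the tainted email value, but because it is never interpolated or concatenated into the query text, the first argument to db.query stays clean and no finding is raised. That distinction, string construction versus parameter passing, is what separates a true positive from a false one for this rule.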

§ 04 · How it works
  1. Step 01 · of 03

    Add the Action

    Paste one workflow file into your repo. No npm install. No config. No build step. The next PR is already reviewed.

  2. Step 02 · of 03

    Every PR scored

    CodeTitan runs the full rule set against the diff, flags AI-drift, and posts a Risk Score with inline annotations on the exact lines that matter.

  3. Step 03 · of 03

    The profile learns

    Merged PRs, dismissed findings, and applied fixes are recorded into a per-repo profile, and that context is applied to future reviews. Whether it meaningfully changes outcomes over a month is what the beta tests.

§ 05 · Install — one YAML file · free
.github/workflows/codetitan.yml · YAML · 17 lines
name: CodeTitan
on: [pull_request]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      - uses: Noa-Lia/codetitan-action@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fail-on-severity: HIGH

§ 06 · Beta program — the cloud layer

Want the shared memory on top?

The GitHub Action and the CLI are free — they run on your own runner or your own machine, no quota, and they are not going behind a paywall. The cloud layer on top — shared run history, the team dashboard, shareable report links — is free while the beta runs. Join the waitlist and we'll reach out as access opens.

  • Action and CLI run in your environment — free, no signup, no card.
  • Cloud features free during the beta; Team turns on later at $79/mo flat.
  • Work email preferred — it helps us pace onboarding.


Trouble verifying? Email hello@codetitan.dev with your GitHub org.

Email used only to send the invite. We don't analyze any code from the address.
No spam · preview updates only