about

Every team should test before they ship.

Bugs and security holes don't ship because teams don't care. They ship because finding them is slow and fixing them is manual — so the check gets skipped under deadline. getdebug exists to make that check fast enough that it never gets skipped.

What getdebug does

Connect a repository — GitHub, GitLab, or a local directory through the CLI. getdebug parses it, analyzes it for bugs and security vulnerabilities, and surfaces what it finds with a severity, a category, and an OWASP or CWE reference. Then it does the part most tools skip: it writes the fix. A validated patch, on its own branch, opened as a pull request for you to review.

A real security pass

Three detectors run on every analysis — committed-secret scanning, dependency CVE auditing, and SAST via an LLM — plus a set of detectors tuned for AI-app-specific flaws like prompt injection and leaked model keys.

Fixes, not just findings

Most tools hand you a list. getdebug writes the patch — a real unified diff, validated, attached to the finding, opened as a PR. The findings that can't be safely auto-fixed still get a clear explanation.

Posture over time

getdebug tracks every finding across runs — when it first appeared, how long it stayed open, when it was resolved — so you see whether your codebase is getting safer, not just a snapshot.

The rules we hold to

Never push to main

Every fix lands on a getdebug/fix-<id> branch as a pull request. You review it, you merge it. Nothing reaches your default branch without a human.

Validate before applying

A generated patch has to apply cleanly, leave the file parseable, typecheck, and not break tests before getdebug will open the PR. A patch that fails validation is reported, not applied.

Surface, don't silence

When the judge model is unavailable, getdebug emits a low-confidence finding for review — it never quietly drops a candidate. Committed secrets can't be dismissed by an inline comment; the only fix is rotation.

Some fixes stay explanation-only

Security-sensitive categories — SQL injection, SSRF, broken access control — are explained, not auto-patched, unless you explicitly opt in. A wrong fix to security code is worse than no fix.
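The gate described under "Validate before applying", as an added example and not getdebug's own code: a candidate unified diff is applied strictly (any stale context rejects it), the result must still parse, and the supplied checks must pass, with the failing stage named so the finding is reported rather than applied. The typecheck stage and the branch/PR step are left out, and the sample file, the two candidate patches and the checks are constructed for the demo.

```python
import ast

def apply_unified_diff(original, diff):
    """Apply a single-file unified diff strictly: stale context or a wrong removed line rejects it (None)."""
    src, out, pos, in_hunk = original.splitlines(), [], 0, False
    for line in diff.splitlines():
        tag, text = line[:1], line[1:]
        if line.startswith("@@ -"):                 # hunk header: copy untouched lines up to its start
            start = int(line[4:].replace(",", " ").split()[0]) - 1   # assumes non-empty old ranges
            if start < pos:
                return None                         # hunks overlap or run backwards
            out.extend(src[pos:start])
            pos, in_hunk = start, True
        elif in_hunk and tag in (" ", "-"):
            if src[pos:pos + 1] != [text]:
                return None                         # does not apply cleanly against this file
            if tag == " ":
                out.append(text)
            pos += 1
        elif in_hunk and tag == "+":
            out.append(text)
        elif in_hunk and tag != "\\":               # only "\ No newline at end of file" may remain
            return None
    out.extend(src[pos:])
    return "\n".join(out) + "\n"

def validate_fix(original, diff, checks):
    """Gate a candidate fix in the order the page lists (apply, parse, tests) and name the failing stage."""
    patched = apply_unified_diff(original, diff)
    if patched is None:
        return {"status": "reported", "stage": "apply"}
    try:
        ast.parse(patched)                          # "leave the file parseable"
    except SyntaxError:
        return {"status": "reported", "stage": "parse"}
    ns = {}
    try:                                            # demo only: real test runs belong in an isolated worker
        exec(patched, ns)
        if not all(check(ns) for check in checks):
            raise AssertionError("tests failed")
    except Exception:
        return {"status": "reported", "stage": "tests"}
    return {"status": "applied", "stage": "done", "patched": patched}

# Constructed sample: clamp() forgot its lower bound; one good patch and one whose context went stale.
ORIGINAL = "def clamp(x):\n    return min(x, 10)\n"
GOOD_DIFF = ("--- a/clamp.py\n+++ b/clamp.py\n@@ -1,2 +1,2 @@\n def clamp(x):\n"
             "-    return min(x, 10)\n+    return max(0, min(x, 10))\n")
STALE_DIFF = GOOD_DIFF.replace(" def clamp(x):", " def clamp(n):")  # file changed since the finding
CHECKS = [lambda ns: ns["clamp"](-5) == 0, lambda ns: ns["clamp"](50) == 10]
```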

Find the bug before your users do.

Connect a repo and run your first analysis in minutes. No card for the trial.