HomeProductsDevSecOps Agent
BETA — GITHUB APP

DevSecOps Agent

GITHUB APP · AUTOMATED SECURITY

A GitHub App that scans every pull request for CVEs, posts detailed reports as PR comments, and blocks merges when critical vulnerabilities are introduced. Zero friction, zero missed findings.

PR auto-scanCVE commentsMerge gatesMulti-repo dashboard
Available now — beta
Core PR scanning and CVE comment posting are built. Merge gating and the multi-repo dashboard are in progress.
github.com/org/repo/pull/42
feat: upgrade dependencies for Q2
featuredependencies
quantashield-botjust now
⚠ 3 vulnerabilities found in this PR
CRITICALCVE-2024-21626runc
HIGHCVE-2023-44487golang.org/net
MEDIUMCVE-2024-34069werkzeug
Merge blocked — resolve CRITICAL finding first
Features

Automated security on every pull request

Automatic PR Scanning
Every pull request is scanned the moment it opens. QuantaShield fetches the dependency manifest, queries OSV.dev for CVEs across all 8 ecosystems, and posts a structured comment within seconds.
CVE Comment on PR
A detailed comment is posted directly on the pull request listing each CVE by severity, affected package, CVSS score, and the exact upgrade command to resolve it.
Merge Gates
Block merges automatically when a PR introduces a CRITICAL or HIGH severity vulnerability. Thresholds are configurable per repository — zero tolerance or a CVSS cutoff of your choice.
Multi-Repo Dashboard
A single dashboard showing the vulnerability posture of every connected repository. Filter by severity, ecosystem, or team. Track improvement over time.
Webhook Events
Every scan result fires a webhook payload your CI pipeline can consume — add custom gates, trigger notification channels, or feed into your SIEM.
SBOM on Every Build
A CycloneDX SBOM is generated on every scan and stored as a PR artefact. Always-current bill of materials for compliance, vendor audits, and SLSA provenance.
How it works

Install once. Secure every PR, forever.

01
Install the GitHub App
Install QuantaShield DevSecOps from the GitHub Marketplace. Select which repositories or organisations to connect — no credentials to manage.
02
PR opened → scan triggered
A webhook fires the moment a PR is opened or a new commit is pushed. The scan worker fetches the lock file and queries OSV.dev for all known vulnerabilities.
03
Comment posted automatically
Within seconds, a structured CVE report appears as a PR comment — severity badges, package names, CVSS scores, and upgrade commands.
04
Merge gated on policy
If findings exceed your configured threshold (e.g. any CRITICAL), the required status check is set to 'failed' and GitHub blocks the merge until the vulnerability is resolved.

Ready to automate your security posture?

Sign in to the web platform today and get early access when the GitHub App launches.