Hey HN! Solo developer here. I spent 4 months building CodeSlick - a security scanner for GitHub PRs.
What's different about v1.3 (launched today):
1. One command runs security AND tests
`cs scan --verify` blocks commits only if BOTH pass
Catches "security passed, prod broke" situations
2. Configurable pass/fail gates
Not all-or-nothing: "block CRITICAL only" or "max 10 vulnerabilities"
Teams control what blocks their PRs (not the tool)
3. Auto-creates GitHub issues for vulnerabilities
Security work becomes visible (trackable like features)
No more "found vulnerabilities, forgot to fix"
Technical details:
- 294 security checks (SQL injection, XSS, SSRF, AI hallucinations)
- 5 languages: JavaScript, TypeScript, Python, Java, Go
- AST-based static analysis (Acorn for JS/TS, custom parsers for others)
- Auto-detects test frameworks (npm, pytest, go test, maven, gradle)
- <3s per file analysis time
- OWASP 2025 compliant (95% coverage)
What I'm proud of:
- First scanner to detect AI-generated code vulnerabilities
- Thresholds that actually fit how teams work (not all-or-nothing)
- CLI + GitHub App + WebTool (3 surfaces, same engine)
What still needs work:
- No C/C++/Rust support yet
- GitHub only (no GitLab/Bitbucket)
- Solo founder (just me, scaling support is hard)
Try it:
- CLI: npx codeslick-cli@latest init
- GitHub App: https://github.com/settings/apps/codeslick-security-scanner
- Blog post: https://codeslick.dev/blog/security-quality-developer-workfl...
Happy to answer questions about the technical implementation, design decisions, or trade-offs I made.
Built with: Next.js 15, TypeScript, Acorn, Neon Postgres, Vercel
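The configurable gates and the "security AND tests" rule above are easy to reason about as a small policy evaluator over a list of findings. The block below is an added illustration of that idea, written for this page; it is not CodeSlick's own code, and the Finding/GatePolicy shapes, the function name evaluateGate, the scanStatus argument and the sample findings are all assumptions for the example. One caveat it adds that a practitioner would want: the gate fails closed, so a scanner that did not complete counts as blocked rather than as "zero findings".

```typescript
// Added example: a policy evaluator for configurable pass/fail gates.
// Illustrative code, not CodeSlick's implementation; the types, function
// names and sample data below are assumptions made for this example.

type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";
type ScanStatus = "ok" | "error";

interface Finding {
  rule: string;      // rule identifier such as "sql-injection" (assumed naming)
  severity: Severity;
  file: string;
  line: number;
}

interface GatePolicy {
  blockSeverities?: Severity[]; // any finding at one of these severities blocks
  maxFindings?: number;         // more findings than this blocks, regardless of severity
  requireTestsPass?: boolean;   // also require the test run to pass ("security AND tests")
}

interface GateResult {
  blocked: boolean;
  reasons: string[];            // human-readable reasons; empty when the gate passes
}

// Evaluates a gate policy against findings plus the test result.
// Fails closed: a scan that did not complete is treated as blocked even with
// an empty finding list, since "no results" is not the same as "no findings".
function evaluateGate(
  findings: Finding[],
  testsPassed: boolean,
  policy: GatePolicy,
  scanStatus: ScanStatus = "ok",
): GateResult {
  const reasons: string[] = [];

  if (scanStatus !== "ok") {
    reasons.push("scan did not complete; refusing to treat missing results as a pass");
  }

  const blockSet = new Set<Severity>(policy.blockSeverities ?? []);
  const blocking = findings.filter((f) => blockSet.has(f.severity));
  if (blocking.length > 0) {
    const where = blocking.map((f) => `${f.rule} at ${f.file}:${f.line}`).join(", ");
    reasons.push(`${blocking.length} finding(s) at blocking severity: ${where}`);
  }

  if (policy.maxFindings !== undefined && findings.length > policy.maxFindings) {
    reasons.push(`${findings.length} findings exceed the limit of ${policy.maxFindings}`);
  }

  if (policy.requireTestsPass && !testsPassed) {
    reasons.push("test suite failed");
  }

  return { blocked: reasons.length > 0, reasons };
}

// Constructed sample findings for the demonstration (not real scanner output).
const sampleFindings: Finding[] = [
  { rule: "sql-injection", severity: "CRITICAL", file: "src/db.ts", line: 42 },
  { rule: "reflected-xss", severity: "HIGH", file: "src/render.ts", line: 17 },
  { rule: "weak-random", severity: "LOW", file: "src/token.ts", line: 9 },
];

// Three policies matching the post's examples: block CRITICAL only,
// allow at most 10 findings, and require both security and tests to pass.
const criticalOnly: GatePolicy = { blockSeverities: ["CRITICAL"] };
const maxTen: GatePolicy = { maxFindings: 10 };
const verify: GatePolicy = { blockSeverities: ["CRITICAL"], requireTestsPass: true };

const policies: [string, GatePolicy][] = [
  ["criticalOnly", criticalOnly],
  ["maxTen", maxTen],
  ["verify", verify],
];

for (const [name, policy] of policies) {
  const result = evaluateGate(sampleFindings, true, policy);
  console.log(`${name}: ${result.blocked ? "BLOCKED" : "pass"} ${result.reasons.join("; ")}`);
}
```

Mapping the result to a CI exit code is then a one-liner (non-zero when `blocked` is true); the reasons array is what you would surface in the PR check or the auto-created issue so the block is actionable rather than just red.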