Aegis connects to your repo and your AWS read-only role. In 30 minutes you get an attack-surface map, a ranked list of exploit chains (not a CVE dump), and mergeable fixes your team can ship.
Six stages. Deterministic analyzers produce the ground truth; the reasoner only sits on top. No shallow CVE dumps, no AI-invented findings.
Install the Aegis GitHub App (or upload a zip). Paste a read-only IAM role ARN. We generate a random external ID and the exact trust policy, scoped with aws:PrincipalTag/tenant_id so that only the Aegis principal tagged with your tenant ID can assume the role.
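The trust policy this stage describes, written out as an added illustration (it is not the policy Aegis generates for you, and the page does not show that policy). The Aegis account ID `123456789012`, the scanner role name `AegisScanner`, the external ID value and the `tenant_id` tag value are all placeholders assumed for the example; the real values come from the onboarding screen.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAegisScannerAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/AegisScanner"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "8f3c1a2e-EXAMPLE-random-external-id",
          "aws:PrincipalTag/tenant_id": "tenant-EXAMPLE-0001"
        }
      }
    }
  ]
}
```

Two conditions do different jobs here: `sts:ExternalId` is the classic confused-deputy guard, so a third party who knows your role ARN cannot trick the scanner into assuming it, and `aws:PrincipalTag/tenant_id` pins the assumption to the one scanner session tagged with your tenant, so a worker serving another customer is refused even though it runs under the same scanner role. The trust policy only controls who may assume the role; what the role may read is a separate permissions policy (an AWS-managed read-only policy such as `SecurityAudit` is the usual choice, though the page does not say which one Aegis asks for). After creating the role you can confirm the conditions are enforced by attempting `aws sts assume-role` without the `--external-id` flag from any principal: the call must be denied.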
Routes, Lambdas, IAM roles, databases, trust boundaries, data classes. Not a file list — a real asset graph that makes the rest of the analysis context-aware.
Semgrep + 40 custom AppSec rules, Checkov, osv-scanner, gitleaks, Prowler subset — all running in sandboxed Fargate workers with no outbound internet.
Claude reasons over the findings + graph with strict prompt-injection hardening. Each chain carries evidence refs — no claim without substantiation.
Per-category fixers emit draft PRs with code/IaC/IAM diffs, compensating controls, regression notes, and a validation checklist. Never auto-merged.
Merge the fix → the exact same rule reruns against the exact same file. Findings transition to fixed, regressed, or still_open — with audit trail.
Free scan, no credit card. Install the GitHub App, connect an optional AWS read-only role, and get your first report in under 30 minutes.
Scan your app — free