Documentation

Everything you need to get started with CodeShield.sh.

Getting Started

1. Connect your GitHub account

Click "Get Started Free" and authorize CodeShield with GitHub OAuth. We request read-only access to your repositories. Your code never leaves GitHub's servers — we fetch file contents via the GitHub API and scan them in memory.

2. Scan a repository

From the dashboard, click "Scan" on any repository. CodeShield will fetch all scannable files (.ts, .js, .py, .go, .java, .rs, and more), excluding node_modules, vendor, and dist directories. Files over 500KB are skipped.

3. Review and fix

Results are grouped by severity (Critical, High, Medium, Low). Each finding shows the vulnerable code, file location, and a suggested fix. On Team plan and above, click "Auto-Fix" to generate a secure replacement with AI.

GitHub Action Setup

Add to your workflow

Create .github/workflows/codeshield.yml in your repository:

name: CodeShield Security Scan
on:
  pull_request:
    types: [opened, synchronize]

permissions:
  contents: read
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codeshield-ai/scan@v1
        with:
          fail-on-critical: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

What it does

The action scans every pull request for vulnerabilities and posts a comment with the results. If critical vulnerabilities are found, the check fails and blocks the merge (configurable).

API Reference

POST /api/scan

Scan a repository for vulnerabilities.

curl -X POST https://codeshield.sh/api/scan \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "owner": "your-org",
    "repo": "your-repo",
    "accessToken": "github_pat_..."
  }'

POST /api/fix

Generate an AI-powered fix for a vulnerability. Requires Team plan or above.

curl -X POST https://codeshield.sh/api/fix \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -d '{
    "vulnerability": {
      "id": "vuln-1",
      "file": "src/auth/crypto.ts",
      "line": 12,
      "severity": "critical",
      "category": "pqc",
      "title": "RSA Key Generation",
      "matchedCode": "generateKeyPair('rsa', ...)",
      "suggestedFix": "Migrate to ML-KEM"
    }
  }'

FAQ

Does CodeShield store my code?

No. We fetch file contents via the GitHub API, scan them in memory, and discard them immediately. Nothing is persisted. Your code never leaves GitHub's infrastructure except transiently during the scan.

What languages are supported?

TypeScript, JavaScript, Python, Go, Java, Rust, Ruby, PHP, C/C++, C#, Kotlin, Swift, Scala, and shell scripts. We scan any text file with a recognized extension.

How accurate is the scanner?

CodeShield uses pattern-based detection (regex) optimized for AI-generated code patterns. This means fast scans with low false positives for common vulnerability patterns. We do not yet support cross-file taint analysis or semantic analysis — those are on the roadmap.

What is Post-Quantum Cryptography (PQC)?

PQC refers to cryptographic algorithms that are resistant to attacks by quantum computers. NIST finalized PQC standards in 2024 (ML-KEM, ML-DSA, SLH-DSA) and will deprecate RSA, ECDSA, and other current algorithms by 2030. CodeShield identifies quantum-vulnerable cryptography in your codebase.
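To make the pattern-based (regex) detection described in the FAQ and the finding object used by POST /api/fix concrete, here is an added Python example that is not CodeShield's own code: a minimal line-oriented scanner with two constructed rules, the documented file filter (extension allow-list, excluded directories, 500KB cap), and the action's fail-on-critical gate. The rule patterns, titles, suggested fixes and the sample TypeScript file are assumptions, not CodeShield's real rule set.

```python
import re
from pathlib import Path

# Constructed rule set, shaped like the finding object in the /api/fix example.
# Assumption: CodeShield's actual rules, titles and severities are not published here.
RULES = [
    {"pattern": re.compile(r"generateKeyPair(?:Sync)?\(\s*['\"](?:rsa|ec|dsa)['\"]"),
     "severity": "critical", "category": "pqc", "title": "Quantum-vulnerable key generation",
     "suggestedFix": "Migrate to ML-KEM (key exchange) or ML-DSA (signatures)"},
    {"pattern": re.compile(r"\bMath\.random\(\)"),
     "severity": "high", "category": "crypto", "title": "Non-cryptographic RNG for a security value",
     "suggestedFix": "Use crypto.randomBytes() or crypto.getRandomValues()"},
]
SCANNABLE_EXTS = {".ts", ".js", ".py", ".go", ".java", ".rs"}
EXCLUDED_DIRS = {"node_modules", "vendor", "dist"}
MAX_FILE_BYTES = 500 * 1024

def is_scannable(path: str, size_bytes: int) -> bool:
    """Apply the documented file filter: extension allow-list, excluded dirs, 500KB cap."""
    p = Path(path)
    if any(part in EXCLUDED_DIRS for part in p.parts):
        return False
    return p.suffix in SCANNABLE_EXTS and size_bytes <= MAX_FILE_BYTES

def scan_text(text: str, path: str) -> list[dict]:
    """Run every rule against each line; emit one finding per (line, rule) match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            m = rule["pattern"].search(line)
            if m:
                findings.append({"id": f"vuln-{len(findings) + 1}", "file": path,
                                 "line": lineno, "severity": rule["severity"],
                                 "category": rule["category"], "title": rule["title"],
                                 "matchedCode": m.group(0), "suggestedFix": rule["suggestedFix"]})
    return findings

def should_fail(findings: list[dict], fail_on_critical: bool = True) -> bool:
    """Mirror the action's fail-on-critical gate: block the merge only on a critical finding."""
    return fail_on_critical and any(f["severity"] == "critical" for f in findings)

# Constructed sample file standing in for src/auth/crypto.ts; not real project code.
SAMPLE_TS = """import { generateKeyPair } from 'crypto';
export function newKeys(cb) {
  return generateKeyPair('rsa', { modulusLength: 2048 }, cb);
}
export const sessionNonce = Math.random().toString(36);
"""
```

Running scan_text(SAMPLE_TS, "src/auth/crypto.ts") yields a critical pqc finding on line 3 and a high crypto finding on line 5, and should_fail() returns True for that set.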