SecureHup AI on GitHub

Reviews. Comments.
In every PR.

SecureHup AI joins your repo as a reviewer — drops inline comments on the exact lines that introduce risk, posts a per-PR security summary, and offers one-click "Apply suggestion" patches engineers can merge without leaving the diff view.

Live PR Review

Reviews that land in the diff.
Not in a separate dashboard.

A real PR. The bot reviews the diff, posts an inline comment on the offending line, drops a one-click suggestion, and writes the security summary your reviewers actually read.

artes-solution / api-gateway · #1284
Add tenant-scoped order lookup endpoint
Conversation 12 · Commits 3 · Files changed 2 · Checks 5 passing
src/routes/orders.ts +6 -1
42  router.get('/orders/:id', requireAuth, async (req, res) => {
-  const order = await db.orders.findById(req.params.id);+  const order = await db.orders.findOne({ id: req.params.id });44
45  if (!order) return res.sendStatus(404);
46  res.json(order);
47  });
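Review bot: Swapping `findById(req.params.id)` for `findOne({ id: req.params.id })` on the changed line still filters on the id alone, so any caller who passes `requireAuth` (line 42) can fetch an order belonging to another tenant simply by supplying its id. Suggest adding the authenticated caller's tenant to the query, e.g. `findOne({ id: req.params.id, tenantId: req.user.tenantId })`; because the handler already answers 404 when nothing matches (line 45), a foreign id then receives the same 404 as a non-existent one instead of confirming that it exists.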
SecureHup AI is reviewing…
securehup-ai bot requested changes on orders.ts · just now

The new lookup still trusts req.params.id without scoping to the caller's tenant. Reproduced as IDOR (CRITICAL) — user tenant-A can read tenant-B's orders by guessing the ID. Replayed against the PR preview at 21:04 UTC.

Suggested change · src/routes/orders.ts
-  const order = await db.orders.findOne({ id: req.params.id });+  const order = await db.orders.findOne({+    id: req.params.id,+    tenantId: req.user.tenantId,+  });
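Review bot: The suggested filter relies on `requireAuth` having attached `req.user.tenantId`, and nothing in the visible diff confirms that it does; if the claim is absent the query receives `tenantId: undefined`, and whether that still narrows the result depends on how `db.orders.findOne` treats undefined keys. Suggest guarding before the query, e.g. `if (!req.user?.tenantId) return res.sendStatus(403);`, so a missing tenant claim fails closed rather than silently degrading to the id-only lookup this PR is meant to remove.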
SecureHup AI is posting summary…
SecureHup security summary · PR #1284 · 47s
Critical: 1 verified · High: 0 · Endpoints: 3 tested · Run time: 2.1m diff-aware
  • IDOR on GET /api/v1/orders/:id — reproduced cross-tenant read.
  • Auth middleware unchanged — JWT validation still passes.
  • No new dependencies, no secret leakage in the diff.
Merge blocked by SecureHup
1 verified critical finding must be resolved before merge.

Animated demo — every comment, suggestion and gate decision comes from agents that re-test the diff on a real preview environment.
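The finding and the suggested fix from the demo above, carried through as an added example; this is not SecureHup's code nor the artes-solution project's. It stands in for Express and for `db.orders.findOne` with an in-memory store so it runs offline, the names `OrderStore`, `AuthedUser`, `HandlerResponse`, `lookupOrderUnscoped`, `lookupOrderScoped` and `crossTenantReadReproduces` are hypothetical, the shape of the user object that `requireAuth` attaches is an assumption, and the sample orders are constructed. It goes one step beyond the suggested patch by failing closed when the tenant claim is missing, and it includes the kind of regression check a team would keep in CI so the cross-tenant read cannot come back.

```typescript
// Added example (not SecureHup's or artes-solution's code): the IDOR pattern
// from the PR above, modelled without Express so it runs stand-alone.
// Hypothetical names: Order, AuthedUser, OrderStore, HandlerResponse,
// lookupOrderUnscoped, lookupOrderScoped, crossTenantReadReproduces.

type TenantId = string;

interface Order {
  id: string;
  tenantId: TenantId;
  total: number;
}

// Assumed shape of what requireAuth attaches to the request after JWT validation.
interface AuthedUser {
  sub: string;
  tenantId: TenantId;
}

interface Filter {
  id: string;
  tenantId?: TenantId;
}

// Minimal stand-in for db.orders with a findOne(filter) API.
export class OrderStore {
  constructor(private readonly rows: Order[]) {}
  findOne(filter: Filter): Order | undefined {
    return this.rows.find(
      (o) => o.id === filter.id && (filter.tenantId === undefined || o.tenantId === filter.tenantId),
    );
  }
}

export type HandlerResponse = { status: 400 | 404 } | { status: 200; body: Order };

// "Before": the handler as it appears in the PR diff. Filtering by id alone means
// any authenticated caller can read any tenant's order once they know its id.
export function lookupOrderUnscoped(db: OrderStore, _user: AuthedUser, id: string): HandlerResponse {
  const order = db.findOne({ id });
  if (!order) return { status: 404 };
  return { status: 200, body: order };
}

// "After": the bot's suggested change, plus one guard the suggestion itself does
// not show: refuse to query when the tenant claim is missing, so an undefined
// tenantId can never widen the filter back to an id-only lookup.
export function lookupOrderScoped(db: OrderStore, user: AuthedUser | undefined, id: string): HandlerResponse {
  if (!user || !user.tenantId) return { status: 400 };
  const order = db.findOne({ id, tenantId: user.tenantId });
  // Scoping inside the query (rather than fetching, then comparing) keeps the
  // answer a plain 404 for foreign ids, so no existence oracle is exposed.
  if (!order) return { status: 404 };
  return { status: 200, body: order };
}

// Regression check in the spirit of the bot's "reproduced cross-tenant read":
// true when a tenant-A user can read a tenant-B order through the handler.
export function crossTenantReadReproduces(
  handler: (db: OrderStore, user: AuthedUser, id: string) => HandlerResponse,
): boolean {
  // Constructed sample rows, one order per tenant.
  const db = new OrderStore([
    { id: "o-1001", tenantId: "tenant-A", total: 42 },
    { id: "o-1002", tenantId: "tenant-B", total: 99 },
  ]);
  const userA: AuthedUser = { sub: "alice", tenantId: "tenant-A" };
  const res = handler(db, userA, "o-1002");
  return res.status === 200 && res.body.tenantId !== userA.tenantId;
}

// Stand-alone run: reports which handler leaks across tenants.
console.log("unscoped leaks:", crossTenantReadReproduces(lookupOrderUnscoped)); // true
console.log("scoped leaks:", crossTenantReadReproduces(lookupOrderScoped)); // false
```

`crossTenantReadReproduces` is the piece worth keeping: wired into the test suite for the route, it turns the bot's one-off reproduction into a permanent check that fails the build if tenant scoping is ever dropped again.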

A reviewer that already knows your stack.

The bot installs as a GitHub App, reviews every pull request automatically, and writes feedback in the same UI your engineers already use to ship code.

Inline review comments

Comments land on the exact lines that introduce risk — no separate dashboard, no security ticket queue, no triage UI to learn.

Per-PR security summary

A single top-level summary tells reviewers what changed from a security perspective, what was tested, and what still needs a human look.

Apply suggestion, merge, done

Suggested patches use GitHub's native "commit suggestion" UI — accept, push, and the fix is in the branch without ever leaving the diff.

Signal, not noise.

Linters and SAST scanners drown PRs in dozens of "informational" findings. SecureHup AI only comments when something genuinely changes the security posture of your code.

Diff-aware reasoning

Reviews only what the PR changed and the call sites it touches — no comments on legacy code reviewers can't action in this PR anyway.

Verified before it speaks

The bot only blocks a merge after an autonomous agent has actually reproduced the exploit on the PR's preview environment.

Talks to reviewers like a human

Reply to a comment with "false positive" or "explain" and the bot answers in-thread — no JIRA round-trip, no separate triage tool.

Catch it in review. Not in production.