v0.4.5 shipped · May 15

Your scanner found 1,432 issues. About 127 are real.

Sarix is a CLI that reads your actual source, follows the data, and decides which alerts can be exploited. The verdict ships as a comment on the PR — with the lines, the trace, and a patch worth committing.

~3s per verification
FIG. 01 — A single PR. Six alerts. Two real. (Terminal demo: SARIX — VERIFY on ~/repo · pr/847.)
Before Sarix: average false-positive rate, raw SARIF output. After sarix verify: same SARIF, read against the actual code. Benchmark on 12 OSS repos · Semgrep + CodeQL · Apr 2026.

From a wall of maybe to a list of yes.

A typical Semgrep run on a mid-size monorepo. Left: what your scanner gives you. Right: what Sarix gives you back.

alerts.sarif: RAW · 18 alerts
verified.md: SARIX · 6 findings

CVE-2024-1234   SQL injection · app.py:142          Exploitable
B608            Hardcoded creds · settings.py:14    Exploitable
B201            Flask debug=True · app.py:8         Exploitable
B105            Weak crypto · token.py:31           Fix proposed
B404            subprocess shell=True · ops.py:88   Fix proposed
CVE-2024-3782   SSRF · webhook.py:60                Unreachable

12 alerts were dropped because the input was schema-validated, the function wasn't called, or the output was escaped. Sarix shows you why — and writes it down.

What lands on the pull request.

Not a dashboard. Not an email digest. A single comment on the PR — with the verdict, the trace, the patch.

sarix[bot] commented just now · pr/847 · feat/payment-webhook
CVE-2024-1234 — Exploitable · CVSS 8.6 · HIGH · app.py:142
Reasoning

The handler receives request.json["customer_id"] and concatenates it into a raw SQL string at line 142. There is no schema validation between the request and the query (verified across the call graph). A crafted body reaches the query unmodified.

Source
    140 # 🔻 unsanitized customer_id flows straight to SQL
    141 def get_customer(req):
    142     return db.execute(f"SELECT * FROM customers WHERE id={req.json['customer_id']}")

Suggested patch
    141 def get_customer(req):
    142     cid = int(req.json['customer_id'])  # 🔒 coerce → bind
    143     return db.execute("SELECT * FROM customers WHERE id=?", (cid,))

Three commands. One verdict per alert.

No new dashboard. No agent on your laptop. A CLI that takes SARIF in, reads your code, and emits a verdict that reads like an engineer wrote it.

01 · Pipe in your SARIF.
Whatever Semgrep, CodeQL, Bandit, Trivy, or Snyk emits — Sarix reads it. No new format, no plugin, no agent.
    semgrep --sarif > alerts.sarif

02 · Sarix reads source.
It opens the cited files, traces the data across function boundaries, and reasons about whether each finding is actually reachable on the hot path.
    sarix verify alerts.sarif

03 · Verdict on the PR.
One comment per finding: exploitable / dismissed / fix proposed. Reasoning inline. Trace attached. You merge or you don't.
    .sarix/proof/report.md
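The SARIF-in / Markdown-out flow of the three steps above, and the app.py:142 finding from the PR comment, as an added example that is not Sarix's own code: it parses a constructed SARIF 2.1 log, reads the cited line of each constructed source file, and renders one verdict block per result. The single-line verdict heuristic is an assumption standing in for Sarix's cross-function reasoning, not its logic.

```python
import json
import re

# Constructed SARIF 2.1 log standing in for alerts.sarif: one Semgrep-style result per file.
def _result(uri, line):
    return {"ruleId": "python.sql-injection", "message": {"text": "SQL injection"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}
SARIF = json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "semgrep"}},
                    "results": [_result("app.py", 3), _result("app_fixed.py", 3)]}]})

# Constructed source files keyed by artifact URI (line 3 plays the role of app.py:142).
FILES = {
    "app.py": "# unsanitized customer_id flows straight to SQL\n"
              "def get_customer(req):\n"
              "    return db.execute(f\"SELECT * FROM customers WHERE id={req.json['customer_id']}\")\n",
    "app_fixed.py": "def get_customer(req):\n"
                    "    cid = int(req.json['customer_id'])  # coerce, then bind\n"
                    "    return db.execute(\"SELECT * FROM customers WHERE id=?\", (cid,))\n",
}

def load_results(sarif_text):
    """Return (ruleId, message, uri, startLine) for every result in a SARIF 2.1 log."""
    out = []
    for run in json.loads(sarif_text)["runs"]:
        for res in run.get("results", []):
            phys = res["locations"][0]["physicalLocation"]
            out.append((res["ruleId"], res["message"]["text"],
                        phys["artifactLocation"]["uri"], phys["region"]["startLine"]))
    return out

TAINT = re.compile(r"\b(?:request|req)\.json\[")                   # request data in the expression
INTERP = re.compile(r'\bf["\']|\.format\(|%\s*\(|\+\s*\w')          # query built by string formatting
BOUND = re.compile(r'execute\(\s*["\'][^"\']*\?[^"\']*["\']\s*,')   # placeholder plus params tuple

def verdict(source_line):
    """One-line stand-in for Sarix's cross-function reasoning (assumption, not its logic)."""
    if "execute(" in source_line and TAINT.search(source_line) and INTERP.search(source_line):
        return "Exploitable"   # request data formatted straight into the query string
    if BOUND.search(source_line):
        return "Dismissed"     # bound parameter: the input is data, never SQL
    return "Fix proposed"      # unclear from this line alone; leave for review

def report(sarif_text, files):
    """Render one Markdown block per result, the shape of .sarix/proof/report.md."""
    blocks = []
    for rule, msg, uri, n in load_results(sarif_text):
        src = files[uri].splitlines()[n - 1]
        blocks.append(f"### {rule}: {verdict(src)}\n{msg} · {uri}:{n}\n\n    {n} {src.strip()}\n")
    return "\n".join(blocks)
```

Running report(SARIF, FILES) yields an Exploitable block for app.py and a Dismissed block for app_fixed.py, each citing the line it read.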

Now you drive. Pick a scanner.

Five real scanners, five SARIF samples taken from production repos. Watch Sarix decide which alerts are signal, which are noise, and which deserve a patch.

Receipts from engineers.

Unedited. Paraphrased for length. Names changed when asked.

"First security tool that doesn't lie to me. It told me B608 was unreachable because the input was schema-validated three frames up. It was right. I closed the issue and got back to work."
Diego R., Staff eng · series-B fintech · 3,200-line Python service

"Semgrep on our monorepo emits ~1,400 alerts a week. After sarix verify we triage 60. The PR-comment format means I review a finding in 30 seconds without leaving GitHub."
Anya P., AppSec lead · public marketplace · 92 services, 8 languages

"We replaced two contractors who used to triage Bandit alerts with this CLI. Refund my old SaaS bill."
Karim H., Eng manager · DevTools · Was paying $4k/mo for triage

Pay for verifications. Not seats.

Cancel from the CLI any time. Every plan ships the same engine — bigger plans just call it more often.

Free · $0/mo
15 verifications / day
GitHub Issues support
Ollama + MiMo 2.5 local
Local proof bundles
SARIF in / Markdown out
No card required

Ultra · best value · $15/mo (was $20)
1,000 verifications / day
Custom endpoints + self-host
All providers
Audit logs & retention
SAML / SSO
Maintainer in your Slack

Questions you'd ask in code review.

Can't find what you're looking for? Email the maintainer.

Free runs entirely on your machine via Ollama — nothing leaves the box. Pro and Ultra can route to hosted providers, but only the specific lines Sarix needs to read for a verdict — never the whole repo. Ultra ships self-hosted endpoints if you'd rather skip third parties entirely.
One alert in a SARIF file, analyzed end-to-end. A typical PR produces 5–30 verifications. A nightly scan on a mid-size monorepo runs 200–500.
No. It replaces the inbox of 1,400 false positives so they can do the actual job — modeling threats, reviewing architecture, owning incidents. Most teams put the maintainer's time back where it belongs.
Anything emitting SARIF 2.1: Semgrep, CodeQL, Bandit, Trivy, Snyk Code, Grype, npm audit (via grype), gosec, brakeman. Tested in CI every night against the latest stable of each.
Every verdict ships with a proof bundle: the lines read, the call graph traced, the assumptions stated, the model used. If you disagree, the bundle tells you exactly where to push back. No black box.

Stop reading. Start verifying.

Two seconds to install. Three commands to a verdict.
