Documentation

Everything you need to know about CodeArmor AI

What CodeArmor Does

CodeArmor AI is a security analysis tool that helps developers identify vulnerabilities in their code and GitHub Pull Requests. It provides:

  • Security Regression Guard - Detects when a PR reintroduces a previously fixed vulnerability
  • PR Risk Delta - Calculates security risk scores for Pull Requests
  • Assumption-Aware Analysis - Transparent vulnerability detection with clear certainty levels

What CodeArmor Does NOT Do

  • Does NOT guarantee 100% security - No automated tool can catch every vulnerability
  • Does NOT replace manual code review - Human expertise is still essential
  • Does NOT execute or modify your code - Analysis is read-only
  • Does NOT store your code - Code is analyzed in real-time and not persisted
  • Does NOT have access to private repos - Unless you explicitly grant OAuth permissions

Understanding the Security Score

The Security Score is a number from 0 to 100 that represents the overall security health of your code:

  • 🟢 80-100: Secure - No major vulnerabilities detected
  • 🟡 50-79: Needs Attention - Some potential risks or medium-severity issues
  • 🔴 0-49: Insecure - Definite vulnerabilities or high-severity risks detected

Definite vs Potential

Every security finding is labeled with a Certainty level:

Definite Vulnerability

A finding is marked as "Definite" only when:

  • User input is clearly used unsafely (e.g., direct SQL interpolation, eval())
  • Authentication is clearly missing on sensitive endpoints
  • Secrets are clearly hardcoded in the code

Example: db.query("SELECT * FROM users WHERE id = " + userId)

Potential Risk (Context Required)

A finding is marked as "Potential" when:

  • We must make assumptions about variable origins or data flow
  • Context about validation elsewhere is missing
  • There's uncertainty about framework protections

Example: db.query(buildQuery(userId))
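The Definite and Potential call shapes above, side by side with the hardened parameterized form, as an added illustration that is not part of the CodeArmor documentation; the `db` stub, the `buildQuery` helper, the lookup functions and the check function are all constructed for this example. The check asks the question behind the certainty label: does the SQL statement text itself change with the input, or does the input stay a bound value?

```javascript
// Constructed stand-in for a database client: query() only records the SQL
// text and the bound parameters it receives, so the calls can be compared
// offline without a real database.
const db = {
  query(sql, params = []) {
    return { sql, params };
  },
};

// "Definite" finding: user input is interpolated straight into the SQL text,
// so the input becomes part of the statement structure.
function lookupUserDefinite(userId) {
  return db.query("SELECT * FROM users WHERE id = " + userId);
}

// "Potential" finding: a helper sits between the input and the query. Whether
// the call is safe depends on what buildQuery does, which an analyzer looking
// at the call site alone cannot see. In this constructed helper the id is
// passed as a bound parameter, so the call is actually safe.
function buildQuery(userId) {
  return ["SELECT * FROM users WHERE id = ?", [userId]];
}
function lookupUserPotential(userId) {
  return db.query(...buildQuery(userId));
}

// Hardened form: the statement text is constant and the id is bound as data.
function lookupUserSafe(userId) {
  return db.query("SELECT * FROM users WHERE id = ?", [userId]);
}

// Returns true when two different inputs produce two different SQL statements,
// i.e. when the input is shaping the query text rather than being bound to it.
function sqlTextDependsOnInput(lookup) {
  return lookup("1").sql !== lookup("2").sql;
}
```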

Limitations

Technical Limitations

  • AI-based analysis: Results depend on the AI model's training and may not be perfect
  • Context limitations: Cannot analyze code outside the provided snippet or PR
  • Framework-specific: May not understand all framework-specific security features
  • False positives: Conservative approach may flag safe code as potential risks
  • False negatives: May miss vulnerabilities that require deep contextual understanding

Scope Limitations

  • No runtime analysis: Cannot detect vulnerabilities that only appear at runtime
  • No dependency scanning: Does not analyze third-party dependencies
  • No infrastructure scanning: Does not check server configurations or cloud settings
  • No compliance checking: Does not verify regulatory compliance (GDPR, HIPAA, etc.)

Disclaimer

CodeArmor AI is provided "as is" without warranty of any kind. While we strive for accuracy, we cannot guarantee that all vulnerabilities will be detected or that all findings are accurate.

You are responsible for the security of your code.

Use CodeArmor as a helpful assistant, not a replacement for security expertise.