8 comments

  • asadeddin 2 days ago

    Full disclosure, Ahmad, CEO at Corgea.

    Interesting approach, catching vulns at commit time before CI runs saves cycles. The challenge is always false positive rate at that stage and the AI inference time. How fast is the review? I saw the demo video and it seems you cut to the results.

    • ductrl a day ago

      Hi Ahmad! Thank you so much for having a look at the project.

      You're right that review time is quite challenging. The DeepSeek model we used needed at least 8-10 seconds to run a full review, which adds too much friction to the development process.

      Right now, our approach to this is to give users a configurable timeout option. Within this timeframe, the model will stream the output as it generates, and the tool will print as many findings as it can.

      Another option that we're exploring is to have the tool pre-push instead of pre-commit, which might reduce API cost and is way more tolerable than pre-commit.

      You also brought up a very interesting point about false positive rate, as we haven't done large-scale testing yet. I will create an issue for this and get the result asap.

  • Bnjoroge a day ago

    Personally, I disable pre-commit hooks because they're annoying and slow me down. A pre-push hook would make more sense. Secondly, I'd ideally want to use my codex/claude subs for this, not an API key.

    • ductrl a day ago

      I agree, pre-commit is way too annoying. We're working to add a pre-push option and make it the default.

      You made a great point about the codex/claude subs. I'll create an issue for this and we'll try to implement it. One challenge that comes to mind is that the output will be more unstable compared to the API so it might be more challenging to parse the findings.

      Very interesting ideas. Thanks for trying out the tool!
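The reply above describes a configurable timeout with the model streaming findings as it generates them, and the later reply notes that output from a chat subscription is less stable and harder to parse than API output. The following is an added example, not code from the project or from anyone in this thread. It assumes a hypothetical JSON-lines finding format (one object per line with `file`, `line`, `severity` and `message` keys), a constructed sample stream in place of a real model response, and a `clock` parameter so the deadline logic can be exercised without sleeping.

```python
import json
import time
from typing import Callable, Iterable

# Constructed sample: what a streamed review might look like, delivered in
# chunks as a streaming API would. It deliberately mixes in a chatter line
# that is not JSON, and the last finding is cut off mid-line to mimic the
# timeout hitting mid-stream. This is not real model output.
SAMPLE_CHUNKS = [
    '{"file": "app/db.py", "line": 42, "severity": "high", ',
    '"message": "SQL query built with string formatting"}\n',
    "Sure! Here are more findings:\n",
    '{"file": "app/auth.py", "line": 17, "severity": "medium", '
    '"message": "JWT decoded without pinning the algorithm"}\n',
    '{"file": "app/upload.py", "line": 9, "sev',
]

# Hypothetical finding schema assumed by this example.
REQUIRED_KEYS = {"file", "line", "severity", "message"}


def parse_finding(line: str):
    """Parse one streamed line into a finding dict, or None if it is not a
    complete, well-formed finding (chatter, partial JSON, missing keys)."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict) or not REQUIRED_KEYS <= obj.keys():
        return None
    if not isinstance(obj["line"], int):
        return None
    return obj


def collect_findings(chunks: Iterable[str], timeout_s: float,
                     clock: Callable[[], float] = time.monotonic):
    """Consume a streamed review until the deadline passes.

    Returns (findings, timed_out). Findings whose line completed before the
    deadline are kept; a partial trailing line is discarded rather than
    guessed at. Note that the deadline is checked between chunks: a real
    HTTP stream also needs a read timeout on the request itself, otherwise
    a stalled connection blocks inside the iterator and this check never runs.
    """
    deadline = clock() + timeout_s
    buf = ""
    findings = []
    timed_out = False
    for chunk in chunks:
        if clock() >= deadline:
            timed_out = True
            break
        buf += chunk
        while "\n" in buf:
            line, buf = buf.split("\n", 1)
            finding = parse_finding(line)
            if finding is not None:
                findings.append(finding)
    return findings, timed_out


def hook_exit_code(findings, timed_out, block_on=("high", "critical"),
                   fail_on_timeout=False) -> int:
    """Decide the git hook's exit status: non-zero blocks the commit/push.
    Timeouts fail open by default so a slow model never blocks the developer;
    set fail_on_timeout=True for a pre-push hook where blocking is acceptable."""
    if any(f["severity"] in block_on for f in findings):
        return 1
    if timed_out and fail_on_timeout:
        return 1
    return 0


def ticking_clock(step: float = 1.0) -> Callable[[], float]:
    """Deterministic clock for tests: each call advances by `step` seconds."""
    t = [0.0]

    def clock() -> float:
        t[0] += step
        return t[0]
    return clock


def _slow_stream(chunks, delay_s):
    """Simulate network pacing for the stand-alone demo."""
    for chunk in chunks:
        time.sleep(delay_s)
        yield chunk


if __name__ == "__main__":
    found, cut = collect_findings(_slow_stream(SAMPLE_CHUNKS, 0.1), timeout_s=0.35)
    for f in found:
        print(f"{f['severity'].upper():8} {f['file']}:{f['line']}  {f['message']}")
    if cut:
        print("review stopped at timeout; findings above are partial")
    raise SystemExit(hook_exit_code(found, cut))
```

The parser only accepts lines that are complete JSON objects with the expected keys, so conversational filler or a truncated final line cannot produce a spurious finding; whether a timeout blocks or passes is an explicit choice (`fail_on_timeout`) rather than an accident of which partial output happened to arrive.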

  • buffer_overlord 2 days ago

    Vu1nz does something similar but at the PR level

    • ductrl 2 days ago

      I am aware of existing tools doing the same thing at the PR level. I wanted to create a tool for commits since it is when the changes enter Git history.

      I am also wondering if it makes more sense to have the tool check right before a push instead, since that's when the vulnerabilities actually get sent to the Internet.

      • buffer_overlord 2 days ago

        The problem for me was contributions: I was getting 183 a day and couldn't figure out what was malware and what was legit, so my friend built me vu1nz.

  • speedwoof 2 days ago

    [dead]