Everything Stateward detects
One layer, every surface. Each detector runs inline on your pull requests, mapped to a CWE, with a suggested fix — and it’s not only vulnerabilities: the deep audit also catches the correctness and safety bugs real humans write.
Detectors
| Threat | CWE | Status |
|---|---|---|
| Source map exposure | CWE-540, CWE-200 | ✓ available |
| Logic & correctness bugs real humans write | CWE-682, CWE-190, CWE-193 | deep audit |
| Hardcoded secrets & leaked credentials | CWE-798, CWE-540 | ✓ available |
| Vulnerable & malicious dependencies | CWE-1395, CWE-937 | ✓ available |
| Typosquatting & slopsquatted packages | CWE-1357, CWE-829 | ✓ available |
| Infrastructure-as-code misconfiguration | CWE-16, CWE-732 | ✓ available |
| Insecure container images | CWE-250, CWE-1395 | ✓ available |
| CI/CD pipeline attacks | CWE-94, CWE-829 | ✓ available |
| Copyleft & source-available license risk | CWE-1395 | ✓ available |
| Insecure AI-generated code | CWE-1426 | deep audit |
| Cross-file vulnerabilities a diff scanner can’t see | CWE-829 | deep audit |
Where it runs
Inline PR/MR review, check status, and one-click fix suggestions — read-only, EU-hosted on Citadea.
Merge-induced & cross-branch vulnerabilities
Flaws that exist in neither branch alone but appear once they merge. A diff scanner reviews one PR at a time and can’t see them. Stateward’s whole-codebase knowledge base and virtual merge can.
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.