Documentation

How Stateward works

Connect a repository, and Stateward reviews every pull request for security — no pipeline rebuild, read-only, EU-hosted. Here is what it does and how.

Install & connect

Install Stateward as an app on GitHub, GitLab or Bitbucket and grant read access to the repositories you want reviewed. There is nothing to run in CI and no pipeline to rebuild — Stateward starts reviewing the next pull request automatically. It requests the minimum scopes needed to read code and post review comments.

How analysis works

Stateward does not just scan the diff. It builds a knowledge base of your whole codebase, then runs every change through a five-stage pipeline. This is what lets it catch cross-file and merge-induced flaws a diff-only scanner is blind to.

  1. Understand

    Stateward builds a knowledge base of the repository: the call graph, module boundaries, trust boundaries and where untrusted input enters.

  2. Classify

    Each change is classified by what it touches — auth, data access, dependencies, infrastructure — so the right checks run.

  3. Hunt

    Multiple agents attack the change in parallel from different angles, tracing tainted data and probing for each relevant weakness class.

  4. Validate

    Candidate findings are confirmed by convergence and refutation — a finding only survives if it holds up to attempts to disprove it.

  5. Verdict

    You get a verdict with severity, an explanation of why it is exploitable, a reproduction where possible, and a suggested fix.
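As an added illustration of the whole-codebase reasoning described above (example code written for this page, not Stateward's own implementation), here is a toy call-graph reachability check over two constructed Python modules: the pull request touches only handlers.py, but the string-formatting SQL helper it now reaches lives in db.py. The module contents, function names and the SINKS set are all constructed assumptions.

```python
import ast
from collections import deque

# Constructed sample modules, not a real codebase. The PR under review changes
# only handlers.py; the string-formatting SQL helper it now calls lives in db.py.
MODULES = {
    "db.py": '''def find_user(conn, name):  # hypothetical weak helper: SQL built by formatting
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name)
def find_user_safe(conn, name):  # parameterized counterpart, the kind of fix a review proposes
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
''',
    "handlers.py": '''from db import find_user
def profile(request, conn):
    return find_user(conn, request.args["name"])  # the one-line diff under review
''',
}
SINKS = {"db.find_user"}  # in practice this comes from the knowledge base; constructed here

def build_call_graph(modules):
    """Map 'module.func' -> set of 'module.callee', resolving `from x import y`."""
    graph = {}
    for fname, src in modules.items():
        mod, tree, imports = fname[:-3], ast.parse(src), {}
        for node in ast.walk(tree):
            if isinstance(node, ast.ImportFrom):
                for alias in node.names:
                    imports[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        for fn in tree.body:
            if isinstance(fn, ast.FunctionDef):
                callees = set()
                for node in ast.walk(fn):
                    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
                        callees.add(imports.get(node.func.id, f"{mod}.{node.func.id}"))
                graph[f"{mod}.{fn.name}"] = callees
    return graph

def reaches_sink(graph, entry, sinks):
    """BFS over the call graph; return the call path to the first sink hit, else None."""
    seen, queue = {entry}, deque([[entry]])
    while queue:
        path = queue.popleft()
        for callee in graph.get(path[-1], ()):
            if callee in sinks:
                return path + [callee]
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None
```

A diff-only view of handlers.py shows a single call with nothing obviously wrong; the graph walk is what connects that call to the sink in the other file, which is the cross-file case the pipeline above is built for.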

Languages & ecosystems

Coverage spans mainstream languages, package ecosystems and infrastructure formats, and is expanding during beta.

Languages

  • JavaScript / TypeScript
  • Python
  • Go
  • Java / Kotlin
  • Ruby
  • PHP
  • C# / .NET
  • Rust

Dependencies

  • npm / yarn / pnpm
  • PyPI
  • Go modules
  • Maven / Gradle
  • RubyGems
  • Composer
  • NuGet
  • Cargo

Infrastructure

  • Terraform
  • Dockerfiles
  • Kubernetes manifests
  • GitHub Actions / CI config

What it finds

  • Code vulnerabilities (SAST)

    Injection, broken access control, unsafe deserialization, SSRF, insecure crypto and more — reasoned over the whole codebase, not a single diff.

  • Dependency & supply-chain risk (SCA)

    Known CVEs matched to the exact installed version, with reachability, plus typosquatting and maintainer-risk signals.

  • Secrets

    API keys, tokens and private keys caught at the commit, before they reach a shared branch.

  • AI-generated-code issues

    Insecure defaults, over-permissive configs and hallucinated/unsafe APIs that generic scanners do not target.

  • Infrastructure & CI

    Misconfigured Terraform, Dockerfiles, Kubernetes and CI workflows.

Every finding is tagged with severity and mapped to OWASP, CWE and the compliance frameworks you care about — see Compliance.

Fixes & suggestions

Findings arrive inline on the pull request, in context. Where the fix is mechanical — a parameterized query, a pinned dependency, a tightened config — Stateward proposes a concrete change you apply with one click. It explains why the original is exploitable, so the fix is a learning moment, not a black box. Stateward never pushes or merges; you stay in control.

False positives & tuning

High false-positive rates are the main reason teams mute security tools. Stateward keeps noise down structurally: it validates each finding against the real call graph and dependency reachability, and adversarially tries to refute it before reporting. Findings are deduplicated across engines and scoped to your diff. You can dismiss a finding or mark a pattern as accepted, and Stateward respects that on future reviews.

Data handling & security

  • Read-only & ephemeral. Stateward reads code to analyse it and comments back. It never pushes, never merges, and does not store your secrets.
  • EU-sovereign. Code and security data are hosted in the EU on Citadea, supporting NIS2, DORA and EU Cyber Resilience Act requirements.
  • Your models, optionally. Bring your own or self-hosted models on enterprise plans, so sensitive code never leaves infrastructure you control.

Questions we get asked

Read-only & ephemeral

Stateward can comment, but never pushes, merges or stores your keys.

EU-sovereign hosting

Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.

Whole-codebase aware

Reasons over your call graph and trust boundaries, not just the diff.

Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.