Free to start. Scales with your team.
Developer-led and freemium. Free for individuals and open source, paid per active repository for teams, custom for regulated enterprises.
Free
€0
forever, no card required
Best for: Solo developers & open source
- Inline PR security review (SAST)
- Dependency & secret scanning
- AI-generated-code audit
- One-click suggested fixes
- Unlimited public repositories
Team
Most popular
Per repo
per active private repository / month
Best for: Startups & scaling engineering teams
- Everything in Free
- Private repositories
- Compliance mapping & reports
- Team policies & severity guardrails
- Slack, Jira & Linear integrations
- Priority support
Enterprise
Custom
for regulated organisations
Best for: Regulated & sovereignty-bound orgs
- Everything in Team
- SSO & advanced RBAC
- Audit-ready compliance reporting
- Self-hosted on private Citadea
- Dedicated support & SLAs
No credit card to start · Read-only access · Cancel anytime
Prices shown are indicative; per-repository and enterprise pricing is confirmed at sign-up.
Everything you’d ask before connecting a repo
How is Stateward different from Snyk or Aikido?
Stateward unifies SAST, dependency auditing, secret detection, AI-generated-code review and compliance mapping into one autonomous layer — then triages and deduplicates across all of them so you get fixes, not a wall of red. It is built from day one for AI-written code and hosted on sovereign EU infrastructure.
Does it actually understand AI-generated code?
Yes — that is the category it was built for. Stateward targets the failure patterns specific to Copilot-, Cursor- and Claude-written code: insecure defaults, over-permissive configs, hallucinated or typosquatted dependencies, and prompt-injection surfaces no legacy scanner was trained to catch.
Will it spam my pull requests with noise?
No. Findings are scoped to the lines you changed, deduplicated across every engine, ranked by real exploitability, and re-pushes update the existing review instead of posting duplicates. You set the minimum severity and ignore paths per repo.
Can Stateward see or change my code?
It has read-only access, granted through your provider’s OAuth — it can comment but never push, merge or alter code. We never store your credentials, and code is analysed in an isolated, short-lived environment that is discarded once the review is posted.
Where is my code hosted and processed?
On Citadea, our sovereign European infrastructure — your code, findings and security data stay inside EU jurisdiction. Enterprise teams can self-host Stateward entirely on private Citadea infrastructure.
What does it cost?
Free for individuals and open source, paid per active repository for teams, and custom for regulated enterprises that need SSO, audit-ready reporting and self-hosting. No credit card to start.
What does it take to get started?
Install the app on GitHub, GitLab or Bitbucket and grant read-only access to the repos you choose. There is no pipeline to rebuild — Stateward reviews your next pull request automatically.
Does it replace my security team?
It gives teams that could never staff an AppSec function the coverage of one, and it makes existing security teams faster by handling the repetitive review, triage and evidence work. It supports human judgement — it does not replace it.