What we protect against

How Stateward protects you

Pick the threat you’re worried about. Each page shows what the risk is, the real incidents it caused, and the exact Stateward detector that catches it — in your pull request, before it ships. And not just attacker-facing vulnerabilities: Stateward catches the correctness and safety bugs careful engineers write too — the honest mistakes that cause outages, not headlines.

CWE-540 · Source disclosure
Source map exposure

A JavaScript source map (.map) ships your original, unminified source — comments, internal endpoints, logic, sometimes secrets — to anyone who can fetch it or open a published package. Apple’s App Store front-end and Anthropic’s Claude Code both leaked their entire source this way.

Code quality & safety · Deep audit
Logic & correctness bugs real humans write

Most damage isn’t an exploit — it’s a careful engineer’s honest mistake. An ID column quietly approaching its integer limit because nobody predicted that much growth. Money handled in floats, so 0.1 + 0.2 drifts a cent at a time. An off-by-one, a broken invariant, an edge case no one thought to handle. Rarely exploitable, but a leading cause of outages, data corruption and expensive incident response — which is exactly why the audit industry exists.

CWE-798 · Secret exposure
Hardcoded secrets & leaked credentials

API keys, tokens, database URLs and private keys committed into source control are recovered by automated scanners within seconds of a push — and a leaked secret in git history is compromised even after you delete the line.

SCA · Supply chain
Vulnerable & malicious dependencies

Every added or bumped dependency can pull in a known CVE or a freshly trojanised release. Most scanners alert on every transitive package, so the real risk drowns in noise.

Supply chain · AI-native
Typosquatting & slopsquatted packages

Attackers publish packages one keystroke away from a popular name, and AI assistants confidently import dependencies that don’t exist — "slopsquatting" — which attackers then register and weaponise.

CWE-16 · Cloud
Infrastructure-as-code misconfiguration

One Terraform or Kubernetes line — an open 0.0.0.0/0 ingress, a public bucket, a wildcard IAM policy, an unencrypted store — quietly exposes production. These rarely show up in a code review focused on logic.

CWE-1395 · Containers
Insecure container images

A Dockerfile that runs as root, pins :latest, pipes a remote script to a shell, or bakes a secret into a layer ships an insecure image to production by default.

CWE-94 · Pipeline
CI/CD pipeline attacks

A workflow that interpolates untrusted input into a run step, pins a mutable action ref, grants broad permissions, or exposes a secret in a run is a direct path to a compromised build — the way many recent supply-chain attacks actually land.

License · Legal
Copyleft & source-available license risk

A single new dependency under GPL/AGPL or a source-available license (SSPL, BUSL, Elastic, Commons-Clause) can impose obligations on your whole product — a legal problem that surfaces at the worst possible time.

AI-native · Deep audit
Insecure AI-generated code

Copilot, Cursor and Claude write a rising share of production code with less human review per line — opening failure modes legacy scanners were never built for: insecure defaults, over-permissive configs, hallucinated dependencies and prompt-injection surfaces.

Whole-codebase · Deep audit
Cross-file vulnerabilities a diff scanner can’t see

The worst flaws don’t live in one diff. A PR adds a route that looks harmless on its own but pipes user input into an unsafe helper defined in a file the PR never touches — invisible to a line-by-line scanner.
The one nobody else catches

Merge-induced vulnerabilities

Two branches, each safe on its own, that create a new vulnerability the moment they merge. No diff scanner sees it — Stateward does.

Built to be trusted with your code

Read-only & ephemeral

Stateward can comment, but never pushes, merges or stores your keys.

EU-sovereign hosting

Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.

Whole-codebase aware

Reasons over your call graph and trust boundaries, not just the diff.

Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.