Your AI-Powered Security Apprentice: From Vulnerability Detection to Pull Request in Minutes
Security vulnerabilities are everywhere, but fixing them is hard:
- Security tools overwhelm developers with hundreds of findings, many of which are false positives
- Reading CodeQL results requires expertise - raw output is technical and hard to interpret
- Manual code review is time-consuming - each vulnerability needs careful analysis to understand and fix
- Creating fixes is error-prone - security patches require deep understanding of both the vulnerability and the codebase
- Context switching kills productivity - developers lose hours jumping between security tools, documentation, and code
The result? Critical vulnerabilities sit unfixed for months while security debt piles up.
Patchsmith is an intelligent CLI that automates the entire security vulnerability lifecycle - from detection to pull request - using CodeQL's powerful analysis engine enhanced with Claude's code understanding.
Think of it as having a security-focused senior developer on your team who:
- Scans your codebase for vulnerabilities 24/7
- Filters out false positives with actual code understanding
- Explains each issue in plain English
- Writes the fix for you
- Creates a ready-to-review pull request
All from your command line. No web dashboards. No context switching. Just four simple commands.
Run once in your project. Patchsmith:
- Automatically detects your programming languages and frameworks
- Creates a CodeQL security database
- Uses AI to understand your code patterns
- Generates custom security queries tailored to YOUR codebase
The magic: Unlike generic security scanners, Patchsmith learns your specific architecture and writes queries that find vulnerabilities unique to your application.
Runs comprehensive security analysis:
- Executes both standard and custom CodeQL queries
- Uses Claude to review every finding with full code context
- Filters out false positives through intelligent code analysis
- Generates a human-readable report with:
- Clear explanations of each vulnerability
- Real impact assessment
- Prioritized action items
- Specific fix recommendations
The magic: Most security tools give you 500 warnings. Patchsmith gives you 50 real issues that matter, ranked by actual risk.
Tell Patchsmith which issue to fix:
- AI analyzes the vulnerable code in full context
- Generates a secure fix that fits your codebase style
- Creates a git branch with the changes
- Writes a detailed pull request description
- Includes testing recommendations
The magic: From "SQL injection found" to "here's a PR with a parameterized query" in under 2 minutes.
View your latest security status anytime - in your terminal, in your browser, filtered by severity.
- Stay in your flow: Everything happens in the CLI, no context switching
- Learn while you fix: Each PR explains the vulnerability and the fix
- Ship faster: Automated fixes mean security doesn't slow you down
- Reduce noise: Only see real issues, not thousands of false positives
- Scale your expertise: Patchsmith brings senior security knowledge to every project
- Faster remediation: Developers get fixes, not just bug reports
- Better visibility: Clear, prioritized reports show what matters
- Custom detection: AI-generated queries find vulnerabilities specific to your stack
- Reduce security debt: Automated workflow means vulnerabilities get fixed, not backlogged
- Improve code quality: Developers learn secure patterns from AI-generated fixes
- Lower costs: One tool replaces multiple security scanning services
- Measurable results: Track vulnerability trends over time
| Traditional Security Tools | Patchsmith |
|---|---|
| Thousands of raw findings | Filtered, prioritized real issues |
| Generic scans | Custom queries for your codebase |
| "You have a SQL injection" | "Here's a PR with the fix" |
| Web dashboards and GUIs | Command-line workflow |
| Requires security expertise | AI explains everything in plain English |
| Manual fix implementation | Automated, context-aware fixes |
| Slow feedback loops | Minutes from scan to PR |
"We're moving fast and need security without slowing down."
- Run
patchsmith analyzebefore each release - Get automated fixes for critical issues
- No dedicated security team needed
"We inherited a codebase full of security debt."
- Custom queries find old vulnerability patterns
- Automated fixes for low-hanging fruit
- Prioritized roadmap for serious issues
"We need to prove we're finding and fixing vulnerabilities."
- Regular analysis with timestamped reports
- Audit trail of fixes via PR history
- Clear documentation for auditors
"I maintain a popular library and need to stay secure."
- Run on CI to catch issues in PRs
- Community contributors get clear security guidance
- Automated fixes reduce maintainer burden
"I'm exploring vulnerabilities in a new framework."
- Custom CodeQL queries for novel patterns
- AI helps understand complex data flows
- Rapid iteration on detection rules
Today's security tools tell you what's wrong. Patchsmith fixes it for you.
We're building toward a future where:
- Security vulnerabilities are fixed automatically in CI/CD
- Developers learn secure coding through AI-generated examples
- Custom security rules evolve with your codebase
- The time between "vulnerability discovered" and "fix deployed" is measured in minutes, not weeks
- Small to mid-size engineering teams (5-50 developers)
- Teams with limited security resources
- Modern web applications (JavaScript, Python, Go, Java)
- Fast-moving startups prioritizing speed + security
- Open source maintainers
- Security researchers
- Large enterprises (DevSecOps teams)
- Education (teaching secure coding)
Open Core Model:
- Free tier: Core CLI, standard queries, local analysis
- Pro tier ($50/month per project):
- Advanced custom query generation
- Team collaboration features
- CI/CD integration
- Historical trend analysis
- Priority support
- Enterprise tier (Custom pricing):
- On-premise deployment
- Custom LLM integration
- SSO and advanced access controls
- Dedicated support and training
- Snyk, Dependabot: Focus on dependency vulnerabilities, not custom code
- SonarQube: General code quality, not security-first, no AI fixes
- GitHub Advanced Security: Web-based, expensive, limited fix automation
- Semgrep: Great for custom rules, but no AI-powered analysis or fixes
- AI-powered false positive filtering (nobody else does this well)
- Automated fix generation with context awareness
- CLI-first workflow (developers hate leaving their terminal)
- Custom query generation (learns your codebase patterns)
- CodeQL + Claude (best-in-class detection + best-in-class code understanding)
- Time to first successful analysis < 10 minutes
- % of users who run
patchsmith fixwithin first week > 60% - Weekly active users per project > 3
- False positive rate < 15% (vs industry standard 30-50%)
- % of generated fixes that merge without changes > 70%
- Time from vulnerability detection to PR < 5 minutes
- Vulnerabilities fixed per project per month > 20
- User retention (90-day) > 75%
- NPS score > 50
- Core commands: init, analyze, fix, report
- Python, JavaScript, Go support
- CodeQL integration
- Claude Code Agent SDK integration
- CLI with colored output and progress bars
- Improved false positive filtering
- Better fix quality with test generation
- Support for Java, TypeScript, Ruby
- Configuration presets for common frameworks
- CI/CD integration (GitHub Actions, GitLab CI)
- Team dashboard (web-based report viewer)
- Shared query libraries
- Historical analysis and trends
- On-premise deployment
- Custom LLM provider support
- Advanced access controls
- Integration with JIRA, ServiceNow
- Auto-fix mode with automatic PR merging
- AI Code Understanding Breakthrough: Models like Claude 3.5 Sonnet can now reliably understand complex code context
- DevSecOps Maturity: Teams expect security in the dev workflow, not as an afterthought
- Tool Fatigue: Developers are overwhelmed with security tools; they want consolidation
- CodeQL Accessibility: CodeQL is now free for public repos, lowering barriers to adoption
- CI/CD Everything: Automated workflows are the norm; security should be too
For Early Adopters:
"Try Patchsmith on your project today. Run
patchsmith initand see what vulnerabilities we find - and fix - in the next 15 minutes."
For Investors:
"Security is moving left, into the developer workflow. Patchsmith is the first tool that brings senior-level security expertise directly to the command line, with AI that doesn't just find bugs - it fixes them."
For Contributors:
"Help us build the future of automated security. Patchsmith is open source and we're looking for contributors passionate about making security accessible to every developer."
Security shouldn't be a bottleneck. It should be automatic.
Patchsmith makes security scanning as easy as running tests, and fixing vulnerabilities as simple as merging a PR. By combining CodeQL's analysis power with Claude's code intelligence, we're creating a world where every developer has a security expert looking over their shoulder - and fixing issues before they reach production.
From vulnerability to PR in minutes. That's Patchsmith.