SPHIOR CODE
Ship secure code without slowing down.
Install once. Every pull request and push gets an AI code review plus dependency vulnerability scan — SAST findings, SCA alerts, fix suggestions, and CVSS scores appear right in your GitHub workflow. No config, no context switching.

How it works
From pull request to security feedback in seconds.
SPH 01
PR / Push
Install once. Every code change is automatically reviewed before it ships.
SPH 02
SAST + SCA
Vulnerabilities in your code and dependencies — found in seconds, not sprints.
SPH 03
Check Run
Fix instructions appear right in your pull request. No dashboards, no context switching.
SPH 04
Monthly Report
Every scan becomes audit-ready evidence. Compliance runs itself.
Inside the dashboard
Engineered for teams that can't afford security overhead.
Each view surfaces only the items that require action and suppresses noise. Designed to integrate cleanly into your existing engineering workflow.
Identify recurring root causes systematically
Sphior aggregates findings by CWE pattern across all repositories, enabling a single remediation to resolve multiple instances. Hotspot files highlight locations where targeted fixes deliver the greatest risk reduction.
- Cross-repository CWE clustering
- Risk rationale and remediation guidance per pattern
- Risk concentration analysis via Hotspot files

Repository-level investigation within the dashboard
An IDE-style file explorer, folder-level severity heatmap, statistics bar with security score and trend, and the findings list are unified within a single split-pane view.
- IDE-style file tree with severity indicators
- Security score with 30-day trend visualization
- Findings linked to GitHub commit SHA for traceability

Audit-supporting insights ready for distribution
OWASP Top 10 coverage by repository, programming language breakdown, and severity history — formatted for direct integration into SOC 2 / ISO 27001 evidence packages.
- OWASP Top 10 coverage matrix
- Weekly severity history chart
- Programming language breakdown per repository

Native MCP integration with leading AI development tools
Surface Sphior findings directly within Cursor, Claude Code, Windsurf, VS Code, Continue, Zed, and Lovable. Your AI agent remediates vulnerabilities with full Sphior context.
- Findings surface directly in your AI editor's context window
- AI agents remediate vulnerabilities with full Sphior context
- Centralized key management with full audit trail

Start free. Scale as you grow.
Free
Try SPHIOR CODE risk-free. Automatically scan dependencies for known vulnerabilities on every pull request. Earn more scans by inviting others.
$0/mo × 12
- Dependency (SCA) vulnerability scanning
- Monthly scan quota — earn +30 per referral
- PR checks in your GitHub workflow
- SPHIOR watermark on Check Runs
Team
Deterministic SAST + SCA on every PR and push — completely unlimited, no per-developer fee. Reproducible, audit-ready findings your own AI can fix via MCP.
$79/mo × 12
- Unlimited SAST + SCA scanning
- Unlimited repos & contributors — no per-seat fee
- Deterministic engine — reproducible, audit-ready
- Framework mapping (OWASP / SOC 2 / ISO)
- Fix with your AI (Cursor, Claude, …) via MCP
- No watermark
Enterprise
Everything in Team, plus an audit-grade monthly code report with tamper-proof, Git-anchored evidence — SSO, unlimited retention, and an auditor portal. Self-serve, no sales call.
$299/mo × 12
- Everything in Team
- Audit-grade monthly code report
- Tamper-proof, Git-anchored evidence
- SSO / SAML
- Unlimited retention + auditor portal
- SLA & priority support
