Patchhog

Catch the bug
on the way in.

Seven scanners on every push. Every finding ships with a paste-ready fix.

7-day free trial · Cancel anytime · SOC 2 Type II

What Patchhog catches before it ships.

01
Secrets

AWS, GCP, Stripe keys — never shipped to git.

02
SAST

Tainted input that reaches a dangerous sink.

03
Dependencies

Lockfile CVEs, patched version ready.

04
IaC

K8s, Terraform, Actions — bad defaults caught.

05
Malware

Typosquats and known-malicious packages, blocked.

06
Container

End-of-life base images and risky Dockerfile layers.

From bug to merged in one click.

Every finding lands with the patch already written. Hover the card to watch Patchhog ship the fix.

CRITICAL · MERGED · services/auth/session.ts:42 · CWE-1321 · CVSS 9.8
40import _ from "lodash";
40+import { merge } from "lodash-es/fp";
41
42const cfg = _.merge(defaults, opts);
42+const cfg = merge(defaults, sanitize(opts));
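Review bot: `sanitize` is called on the new line 42 but is neither defined nor imported in this hunk, and the new import only brings in `merge`. The CWE-1321 finding is closed only if `sanitize` recursively drops `__proto__`, `constructor` and `prototype` keys from `opts` (including nested objects and array elements) before they reach the merge, so its implementation or import belongs in the same change; otherwise the patch compiles against an undefined name. The commit message should also say what `sanitize` strips, since "sanitize opts before merge" alone does not tell a later reader which key class the fix targets.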
Why: Prototype-pollution sink — opts merges directly into a config object without prior sanitization. CWE-1321 covers this class of mass-assign bugs across the npm ecosystem.
fix: sanitize opts before merge · Pushed to main
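The card above names the sink (a deep merge of untrusted `opts` into a config object) and the fix shape (`sanitize(opts)` before the merge) but does not show either. The following is an added example, not Patchhog's code and not the `session.ts` file from the card: a hand-written recursive merge stands in for lodash's `_.merge` so the file runs with no dependencies, and `sanitize` is an assumed implementation of the helper the card refers to. It shows how a JSON-derived object with a nested `__proto__` key reaches `Object.prototype` through the naive merge, and how stripping the three polluting keys recursively before merging keeps the same payload harmless while ordinary option keys still override the defaults.

```javascript
// Added example (not Patchhog's code). naiveMerge stands in for lodash's
// _.merge; sanitize() is an assumed name taken from the card's fix line.

const POLLUTING_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable sink: a recursive merge that follows every own key of `source`.
// JSON.parse creates "__proto__" as an ordinary own key, and reading
// target["__proto__"] on a plain object returns Object.prototype, so the
// recursion writes straight onto the global prototype (CWE-1321).
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Assumed sanitize(): returns a copy of `input` with the polluting keys
// removed at every depth, including inside arrays, so a payload nested as
// {"tls": {"__proto__": ...}} or [{"constructor": ...}] is also neutralised.
function sanitize(input) {
  if (Array.isArray(input)) return input.map(sanitize);
  if (!isPlainObject(input)) return input;
  const out = {};
  for (const key of Object.keys(input)) {
    if (POLLUTING_KEYS.has(key)) continue;
    out[key] = sanitize(input[key]);
  }
  return out;
}

// Hardened sink: the shape of the card's fix, `merge(defaults, sanitize(opts))`.
function safeMerge(target, source) {
  return naiveMerge(target, sanitize(source));
}

// Runs one merge function against a constructed polluting payload and
// reports whether an unrelated fresh object picked up the injected key.
// Object.prototype is restored afterwards so the process is left clean.
function demonstratePollution(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed
  mergeFn({}, payload);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Mirrors the card's call site: defaults merged with request-supplied options.
function loadConfig(opts) {
  const defaults = { timeout: 30, tls: { verify: true } }; // constructed
  return safeMerge(defaults, opts);
}

// Example run when executed directly.
if (typeof require !== "undefined" && require.main === module) {
  console.log("naiveMerge pollutes Object.prototype:", demonstratePollution(naiveMerge));
  console.log("safeMerge pollutes Object.prototype:", demonstratePollution(safeMerge));
  console.log(loadConfig(JSON.parse('{"tls": {"verify": false}, "__proto__": {"isAdmin": true}}')));
}
```

The two layers matter separately: `sanitize` removes the polluting keys from the data, and keeping the merge itself free of those keys is what a later maintainer can rely on even if the sanitizer is bypassed by a new input path, so in a real code base the merge helper would also refuse the three keys itself rather than trusting the caller.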

Pick a plan, push code.

All plans include every scanner, paste-ready fixes, and commit-status on GitHub. Cancel anytime.

7-day free trial · Cancel anytime
Solo
For indie hackers and side projects.
29€ / month
or 290€/yr — save 58€
Start 7-day trial
  • 3 private repositories
  • All 7 scanners (Secrets, SAST, Deps, IaC, Malware, Container, API-Sec)
  • GitHub commit status + per-push & PR scans
  • SBOM export (CycloneDX)
  • Slack & Discord alerts
Most Popular
Pro
For shipping startups.
59€ / month
or 590€/yr — save 118€
Start 7-day trial
  • 15 private repositories
  • Everything in Solo, plus:
  • Auto-PR for dependency upgrades
  • Priority email support
Business
For scaling security teams.
199€ / month
or 1990€/yr — save 398€
Start 7-day trial
  • Unlimited repositories
  • Everything in Pro, plus:
  • Cloud scanning (AWS · GCP · Azure)
  • DAST against live URLs
  • EASM (external attack surface)
  • Compliance exports (SOC 2 · ISO · NIST)

Prices in EUR · VAT not included

Things you ask
before you sign up.

01 Which git hosts?

GitHub only, for now. GitLab and Bitbucket are on the roadmap.

02 Does Patchhog push the fix for me?

Yes — for npm dependency CVEs on Pro and Business. Hit "Fix and push" on a finished scan and Patchhog bumps your vulnerable packages, regenerates the lockfile, and commits straight to the default branch under your own GitHub identity. Auto-fix for pip / cargo / go-mod is roadmap; for SAST and IaC findings you still get a paste-ready fix in the dashboard.

03 Will my code leave my infrastructure?

In self-host mode, never. In hosted mode, code lives in our scan worker for one scan only and is never trained on.

04 How are rules defined?

All rules are pure TypeScript in lib/scanner/. Append a regex/taint pattern/IaC check — the next scan picks it up.

Your next push
should already be safe.
