CRP Scan¶
Find ungoverned AI calls before they reach production.
CRP Scan analyses your codebase for AI-system patterns that bypass governance - unaudited LLM calls, missing safety policies, ungoverned context construction, regulatory-mapping gaps, and version drift. It then opens remediation PRs so your team fixes issues without leaving GitHub.
Scan product status
The CRP Scan GitHub Action is published. Managed cloud features and the VS Code extension are on the roadmap.
The value in one minute¶
| Without CRP Scan | With CRP Scan |
|---|---|
| Ungoverned LLM calls ship to production | Every PR is scanned before merge |
| Compliance gaps discovered during audit | EU AI Act high-risk patterns caught in CI |
| Security issues live for weeks | Hard-coded keys and injection risks flagged immediately |
| Remediation is a ticket backlog | Auto-remediation PRs fix routing + policy stubs |
| No visibility into AI footprint | SARIF findings live in the GitHub Security tab |
Why teams choose CRP Scan¶
- Governance in CI, not after an audit. HIGH/CRITICAL findings are caught in the pull request that introduces them, so fixes cost minutes instead of months.
- Zero-friction remediation. Auto-remediation opens a PR with Gateway routing and policy stubs - it never pushes directly to
main. - Free for public repos. Add one workflow step and every open-source contribution gets the same governance check as enterprise code.
Who it's for¶
| Role | Problem | How Scan helps |
|---|---|---|
| Engineering Manager | AI calls spread across repos with no visibility | SARIF findings in the GitHub Security tab per repo |
| Security Engineer | Hard-coded keys and injection risks slip through PR | CRITICAL findings block merge until fixed |
| Compliance Lead | No evidence that code-level controls exist | Scan logs show governance gaps were caught pre-merge |
| Open Source Maintainer | Need free governance for public contributions | Public repos scan at no cost |
What it catches¶
| Finding | Severity | Remediation |
|---|---|---|
| LLM call without CRP Gateway routing | HIGH | Change base_url to Gateway |
Missing CRP-Safety-Policy on production path | MEDIUM | Add policy via no-code builder or YAML |
| EU AI Act high-risk pattern without classifier | CRITICAL | Run risk classifier in CRP Comply |
| Hard-coded provider API keys | CRITICAL | Move to CRP Key Vault |
| Context truncation risk (no windowing) | MEDIUM | Enable CDR/CDGR envelope |
| Multi-agent chain without budget header | HIGH | Add CRP-Chain-Budget |
| Missing audit log destination | MEDIUM | Connect CRP Comply webhook |
GitHub Action¶
Add one workflow step and every pull request is automatically scanned.
# .github/workflows/crp-scan.yml
name: CRP Governance Scan
on: [pull_request]
permissions:
contents: read
security-events: write
jobs:
crp-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: AutoCyber-AI/crp-scan@v1
with:
paths: 'src,lib'
fail-on: HIGH
upload-sarif: true
summary: true
auto-remediate: false # set true to open remediation PRs
Outputs¶
findings-count- number of findings detectedhighest-severity- NONE | LOW | MEDIUM | HIGH | CRITICALsarif-file- path to SARIF artefact for the Security tabpr-url- opened remediation PR (whenauto-remediate: true)
Auto-remediate¶
Set auto-remediate: true and CRP Scan will:
- Generate a fix branch with Gateway routing + policy stubs
- Open a PR against the target branch
- Never push directly to
main(CRP invariant)
CLI scanning¶
You can also scan locally before pushing:
VS Code Extension¶
Not yet implemented
The CRP Scan VS Code extension is on the roadmap and is not currently available.
Pricing¶
| Repository Type | Cost |
|---|---|
| Public repos | Free |
| Private repos | Included in CRP Comply Starter ($49/mo or $490/yr) or Scale ($499/mo or $4,990/yr) |
| Enterprise | Unlimited private repos + custom rules + SSO |
Annual plans save ~17% vs monthly.
GitHub Marketplace View on GitHub
Get started¶
Add CRP Scan to your repository in one workflow step, or view pricing for private-repo and Enterprise tiers.