One medium security risk was reproduced in a generated request path.
A server-only configuration value can still be reached by client-side code during preview builds.
No production credentials, customer records, or private repository data were used in this mock report.
Fix the runtime boundary first, then rerun the security audit to confirm the exposed path is closed.
Audit Target and Version
Repository: checkout-service
Default branch: main
Checked commit: mocked-build-reference
What We Checked
Client-side input paths that read URL parameters and local storage.
Runtime configuration boundaries for server-only values.
Representative public routes, response headers, and redirect behavior.
Findings
PriorityWhat we foundWhere to lookMediumServer-only value can reach preview client config.src/config/runtime.ts
Not used to train our modelsEphemeral audit workspacesScoped, revocable GitHub App accessSelf-hosted & bring-your-own-AI
Everything Enji Guard covers,from code to live product.
Inside your repository
11
Repository audits
Security, tests, dependencies, AI readiness and more
7
Improvement workflows
Findings become issues and reviewable pull requests
2
Code review triggers
Automatic on pull request creation, plus unlimited reviews via @mentions in comments.
On the live product
Pentest
Probe the linked site for exploitable security issues and confirm how they can be exploited.
User testing
Soon
Run real user journeys and catch UX failures across critical product flows.
SEO testing
Soon
Check crawlability, metadata, structured data and indexability across critical product pages.
Keep every project in the green.
Guard continuously reruns the audit suite, works risky areas down with autofixes, and keeps the codebase healthy as your agents ship new features.
Guard measures the project as it is today.
Every audit group is rerun on a schedule, so weak areas stay visible across the whole project.
Mixed health
Repository
Overall score
Security
Dependency hygiene
Tests
AI readiness
checkout-service
62
82
48
61
76
workspace-client
51
38
64
42
68
Audit suite rerunsSecurity, dependencies, tests, and AI
Current health appearsThe matrix shows where risk is building
Work is prioritizedGuard starts with the biggest gaps
What teams need to know about Guard
Code access, autofixes, team access, and deployment.
Where does our code go?
During an audit, Guard reads your repo in a temporary workspace that is removed afterwards; the reports and history stay as product records. We don't train models on your code, and selected context may go to approved AI providers under their terms. GitHub App access is revocable any time, and every issue or pull request stays explicit and reviewable. For strict requirements, run Guard fully self-hosted with your own AI keys.
How is this different from scanners like Snyk or CodeQL?
Classic scanners match code patterns. Guard audits the code and the running app together for the failure modes specific to AI-written software: hallucinated dependencies, fake-green tests, and exposed routes. Findings arrive in plain language as reviewable GitHub issues, and bounded fixes can become pull requests.
Can we run it inside our own infrastructure?
Yes. The self-hosted deployment runs in your own infrastructure with customer-controlled AI provider routes, so your code and reports stay under your control. In fully air-gapped deployments, data stays within your network. Email [email protected] to discuss your infrastructure, security, and deployment requirements with our team.
How do autofixes work?
When a finding has a bounded, useful fix, Guard can prepare the change and open a narrow GitHub pull request with the relevant context and verification evidence. Your team reviews and merges it. Guard never merges or deploys code automatically, and findings that need a broader engineering decision remain issues for your team.
Can I add my team to a project?
Yes. A project owner can invite teammates as members. Members can view the shared project data and run audits, while invite, removal, and project ownership controls stay with the owner.
Can you help us fix the findings?
Yes. We can help review the report, prioritize the findings, and work with your team on remediation that needs hands-on engineering. Email [email protected] with a link to the report or a short description of the project, and we will discuss the right format for the work.
You focus on the product. Enji Guard makes it reliable.
Our mission is to make Enji Guard a fully autonomous system for maintaining your products.