Catch security bugs before they ship.

Detects 6 business-logic vulnerability classes in Node/TypeScript: auth bypass, missing admin gates, IDOR, environment-variable exposure, hardcoded secrets, and unverified webhooks.

Install Fixor on GitHub

Free tier covers 5 scans / month on public repos · no card required

How it works

Three steps from push to an actionable security review—right in the thread your team already uses.

01

PR opened

Someone opens or updates a pull request. Your normal review flow stays the same.

02

Fixor detects

Fixor reads the diff and checks it for the six business-logic vulnerability classes listed above: auth bypass, missing admin gates, IDOR, environment-variable exposure, hardcoded secrets, and unverified webhooks.

03

Comment posted

A professional report lands on the PR — findings, remediation steps, risk assessment, and a downloadable PDF for compliance.

What lands on your PR

A clean, structured security report — right where your team already reviews code. Every finding comes with a precise explanation and remediation steps, so you can act on it fast. A high-signal second reviewer, not a replacement for human review.

Sample PR comment · auto-posted by Fixor
## 🛡️ Fixor Security Report

**Repository:** `acme/payments-api` · **PR:** #42
**Commit:** `a1b2c3d4e5f6...`

### Summary

| Field | Value |
|-|-|
| **Workflow status** | ✅ `success` |
| **Findings** | 5 |
| **Detection confidence** | high: 5 |

### Findings

▸ 1. `src/routes/admin.ts:25` · `AUTH_BYPASS` · **high**
▸ 2. `src/routes/orders.ts:9` · `IDOR` · **high**
▸ 3. `src/routes/users.ts:12` · `ADMIN_CHECK` · **high**
▸ 4. `src/routes/debug.ts:7` · `ENV_EXPOSURE` · **high**
▸ 5. `src/config/payments.ts:4` · `SECRETS_EXPOSURE` · **high**

---

### 📄 Download full report

**Download PDF Report →**

_Professional report suitable for sharing with your team or compliance review._

🔒 Analyzed by Fixor · 2026-04-19T00:03:31Z

Built for production teams

More than a scanner — Fixor ships everything your team needs to act fast.

AI

Claude-powered analysis

Backed by Claude — context-aware analysis, not just regex pattern-matching. Five of the six detectors judge each candidate with Claude reading the diff the way a reviewer would; the hardcoded-secrets detector runs on high-precision patterns.

PDF

Downloadable PDF report

Every PR ships with a branded PDF summarizing findings and remediation steps — handy for stakeholder reviews or attaching to tickets.

APP

Native GitHub App

Install once per org. No tokens to rotate, no webhooks to configure. Secure by default.

Pricing

Start free and upgrade when you outgrow the free tier's scan budget. Paddle is our merchant of record: they handle VAT and the cancel / update-payment portal.

Free

$0 / mo
  • 5 scans / month
  • Public repos only
  • All 6 detectors
Install free

Team

$199 / mo
  • 2,000 scans / month
  • Unlimited repos
  • All 6 detectors + priority support
Start with Team