LOCAL-FIRST CODE SECURITY & CLEANUP

Find risky code.
Ship cleaner code.

Elytra scans your code for vulnerabilities, messy patterns, and unsafe logic — then generates safe, structured fixes without sending your source outside your machine.

120+ detection rules · JS, TS, Python, Go · Security + cleanup · Local-first, no upload

End-to-end flow

From messy commit to clean patch.

Elytra turns risky diffs into reviewable fixes before they reach production.

01 Risky diff
auth.js · before commit · 3 issues

    1  const config = {
    2    apiKey: "sk_live_a1b2…",        CRIT
    3    host: 'localhost',
    4    user: req.query.user,           HIGH
    5    pass: 'password123',            CRIT
    6  }

02 Elytra finding
elytra · analysis · auto-fixable

    CRITICAL · conf: 0.98
    Rule:      hardcoded-secret/api-key
    File:      auth.js · line 2
    Severity:  −15 pts · CRIT
    Impact:    git history exposure
    Fix:       Use process.env.API_KEY

03 Safe patch
auth.js · suggested fix · clean

      const config = {
    -   apiKey: "sk_live_a1b2…",
    +   apiKey: process.env.API_KEY,
        host: 'localhost',
    -   user: req.query.user,
    +   user: sanitize(req.body.user),
      }

Platform

One engine. Four loops.

Every commit runs through the full pipeline — automatically.

01 Scan
Parse code and detect risky patterns across every changed file.

02 Score
Prioritize by severity, confidence, and cleanup impact.

03 Fix
Generate safe, structured patches that are easy to review and commit.

04 Verify
Re-scan changes before they ship to confirm issues are resolved.

Under the hood

Pipeline internals

Pure static analysis. No runtime agents, no data collection, no internet required.

01 Parse
Git diff → AST extraction. Language detection across 8 runtimes. Hunk isolation to exact line ranges.
TS · JS · Py · Go · Sol · Rust · Java

02 Detect
120+ rules evaluated per hunk. Confidence scoring via AST + regex hybrid engine. Dedup and rank.
31 security · 25 quality · 15 solidity

03 Score
CVSS-inspired severity weighting. Cumulative penalty model with per-finding confidence thresholds.
CRIT −15 · HIGH −8 · MED −3 · LOW −1

04 Fix
Context-aware patch generation. Structured diffs, not full rewrites. One-click commit integration.
50+ auto-fixable · AI rewrite mode
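As an added example that is not Elytra's own code, the detect, score and fix stages above can be modelled in JavaScript over the auth.js hunk from the flow section. Only the penalty weights (CRIT −15, HIGH −8, MED −3, LOW −1) come from the page; the rule ids, regexes, confidence values, the 0.8 threshold and the sanitize() helper named in the fix template are assumptions.

```javascript
// Added example, not Elytra's code: detect -> score -> fix over one hunk.
// Penalty weights are the page's; rule ids, regexes, confidences, the
// threshold and the fix templates (including sanitize()) are assumptions.
const PENALTY = { CRIT: 15, HIGH: 8, MED: 3, LOW: 1 };
const MIN_CONFIDENCE = 0.8; // assumed: findings below this are dropped

// Constructed hunk: the "before commit" auth.js lines from the page.
const HUNK = [
  'const config = {',
  '  apiKey: "sk_live_a1b2c3d4",',
  "  host: 'localhost',",
  '  user: req.query.user,',
  "  pass: 'password123',",
  '}',
];

// Assumed rule table: regex matcher, severity, confidence, fix template.
const RULES = [
  { id: 'hardcoded-secret/api-key', severity: 'CRIT', confidence: 0.98,
    re: /(\w+):\s*["']sk_live_[^"']+["']/,
    fix: (m) => `${m[1]}: process.env.API_KEY` },
  { id: 'hardcoded-secret/password', severity: 'CRIT', confidence: 0.9,
    re: /\b(pass(?:word)?):\s*["'][^"']+["']/,
    fix: (m) => `${m[1]}: process.env.DB_PASSWORD` },
  { id: 'injection/unsanitized-request-input', severity: 'HIGH', confidence: 0.85,
    re: /(\w+):\s*req\.query\.(\w+)/,
    fix: (m) => `${m[1]}: sanitize(req.body.${m[2]})` }, // sanitize() assumed
];

// Detect: evaluate every rule against every hunk line, keep confident hits.
function detect(lines) {
  return lines.flatMap((line, i) => RULES.flatMap((rule) => {
    const m = rule.re.exec(line);
    if (!m || rule.confidence < MIN_CONFIDENCE) return [];
    return [{ rule: rule.id, line: i + 1, severity: rule.severity,
      confidence: rule.confidence, fixed: line.replace(m[0], rule.fix(m)) }];
  }));
}

// Score: cumulative penalty; two CRIT and one HIGH give -15 -8 -15 = -38.
function score(findings) {
  return findings.reduce((total, f) => total - PENALTY[f.severity], 0);
}

// Fix: structured diff of only the flagged lines, not a full rewrite.
function patch(lines, findings) {
  const fixes = new Map(findings.map((f) => [f.line, f.fixed]));
  return lines.flatMap((line, i) =>
    fixes.has(i + 1) ? [`- ${line}`, `+ ${fixes.get(i + 1)}`] : [`  ${line}`]);
}
```

Calling `patch(HUNK, detect(HUNK))` yields the same shape of diff as the "Safe patch" panel, with the password line fixed as well.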

Detection coverage

What Elytra catches

120+ rules across security and code cleanup. Every finding comes with a fix.

🔑 Hardcoded Secrets · 12 rules
API keys, tokens, passwords, and private keys hardcoded in source files.

💉 Injection Risks · 8 rules
SQL, command, and template injection via unsanitized input across query patterns.

🔐 Auth Mistakes · 9 rules
Missing auth checks, weak JWT configs, insecure session and cookie handling.

Unsafe Logic · 11 rules
eval(), dangerouslySetInnerHTML, prototype pollution, and unsafe deserialization.

🧹 Messy Patterns · 18 rules
Dead code, duplicated logic, deep nesting, and structural issues that slow teams down.

Code Quality · 25+ rules
Unused vars, N+1 queries, missing error handling, and complexity hotspots.

Privacy

Local-first by design

Your source code is your most sensitive asset. Elytra never asks you to upload it.

No code upload

The CLI runs entirely on your machine. Source code never leaves your environment by default.

Air-gap compatible

Static analysis runs fully offline. Works in locked-down environments without internet access.

Open engine

The detection engine is open source. Inspect every rule, fork it, or write your own.

“Run npx elytrasec scan . — results in seconds, nothing uploaded, no account required.”

120+ detection rules · 8 language runtimes · 50+ auto-fixable rules · A–F security grade

Start scanning in 30 seconds.

No account. No upload. Just clean code.

$ npx elytrasec scan .