Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
BuildGitHub Actions

Security that runs with every push. Not after.

O3 plugs directly into GitHub Actions as a native step. Every push, every PR, every merge — reachability-based SAST, SCA, and secret scanning run automatically. Only blocks on real threats.

Pipeline Integration

One YAML step. Full security coverage.

O3 runs as a first-class GitHub Actions step. No external runners, no webhooks. Drop it into any workflow in under a minute.

.github/workflows/security.yml
name: O3 Security Scan on: [push, pull_request] jobs:  security:    runs-on: ubuntu-latest    steps:      - uses: actions/checkout@v4       - name: O3 Security Scan        uses: o3security/scan-action@v2        with:          api-key: ${{ secrets.O3_API_KEY }}          fail-on: high          sarif-upload: true
Reachability SCA

Only blocks CVEs your code actually reaches.

O3 builds a call graph and checks which CVEs have a real path from your code to the vulnerable function. Packages your code never calls don't fail your build.

Dependency Scan
17 CVEs found1 exploitable
lodash @ 4.17.20CVE-2021-23337
Not reachable
axios @ 0.27.2CVE-2023-45857
Not reachable
express @ 4.17.1CVE-2022-24999
REACHABLE · BLOCKED
moment @ 2.29.2CVE-2022-31129
Not reachable
14 additional CVEs suppressed — not in call graph
PR Comments

Blocked with context, not just a flag.

When O3 finds a confirmed vulnerability in a PR, it posts a comment on the exact line with the full taint path — source, data flow, sink — so the reviewer understands the real risk instantly.

PR #247 · src/api/orders.ts · line 142O3 Security Bot · just now
CRITICAL · SQL Injection · CWE-89
Taint Path
1GET /api/orders
2req.query.userId — unvalidated input
!db.query("..."+userId) — SQL sink
Confirmed reachable via API route
GitHub Native

Security findings in your GitHub Security tab.

O3 writes standard SARIF results directly to the GitHub Security tab. No new dashboards, no extra logins — findings live where your team already works.

Code scanning alerts3 results
O3 Security
SQL InjectionCritical
src/api/orders.ts:142·main · a3f9c21
Prototype PollutionHigh
src/utils/merge.ts:67·main · a3f9c21
Path TraversalMedium
src/files/upload.ts:31·main · a3f9c21
Results written via standard SARIF · No extra dashboards needed

Security in every push. Zero noise.

Add O3 to your GitHub Actions workflow in minutes. Blocks only what matters.

FAQ

Questions,
answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • Add the o3security/scan-action step to your existing workflow YAML file. O3 runs as a native GitHub Actions step alongside your existing build and test steps. It requires an API key stored as a GitHub Actions secret and no additional infrastructure or external runners.
  • O3 is designed for CI performance. For most codebases it completes SAST, SCA, and secret scanning in under two minutes. The scanner runs incrementally on pull requests, analyzing only changed files and their transitive dependencies, so PR checks are significantly faster than full-repo scans.
  • Standard SCA tools flag every CVE in your dependency tree, regardless of whether your code ever calls the vulnerable function. In CI, this generates noise that teams learn to ignore. O3 builds a call graph of your application and only blocks builds on CVEs where a real attack path exists from an entry point to the vulnerable code. This means CI failures are always meaningful, not just advisory.
  • Yes. O3 outputs standard SARIF v2.1 results that integrate directly with the GitHub Security tab when you enable SARIF upload in the action configuration. All findings. SAST, SCA, and secret detections, appear as code scanning alerts in your repository, with inline annotations on pull request diffs.
  • Yes. O3 integrates with GitHub branch protection rules as a required status check. You configure the failure threshold (critical, high, medium) in the action, and O3 will mark the check as failed if findings at or above that severity are confirmed reachable. Only confirmed exploitable findings trigger a block, suppressed, unreachable findings are reported but do not fail the check.
  • Yes. O3 scans the diff of every push and pull request for secrets. API keys, tokens, credentials, and private keys, before they are merged. When a secret is detected in a diff, O3 posts a comment on the specific line of the PR and marks the check as failed, preventing the secret from landing on any branch.