We analyze findings against your real deployment — deployment-chain reachability, exposure, ownership, and available code/config context — so your team sees the issues most likely to matter.
Most ASPM platforms aggregate and dedupe findings. VigilChain goes further: for teams running GitHub + GitHub Actions + AWS Fargate, we check whether vulnerable code is deployed, whether the service is customer-facing, what data context can be inferred, and which team owns the fix. You get context-aware vulnerability prioritization, not a bigger backlog.
We are pre-revenue and not generally available. No customer logos, no SOC 2, no runtime agent. What we do have, today, is a working ASPM workflow on the same stack we run ourselves.
Digest match, ALB exposure, CODEOWNERS, scanner rule, and AI-assisted snippet analysis are shown separately.
Illustrative example. Numbers and names are not from a real customer deployment.
Learn the core concepts
These pages explain the category, where VigilChain fits, and why deployment context changes AppSec triage.
Application Security Posture Management explained from scanners to cloud context.
How application posture and cloud posture differ, overlap, and work together.
Trace a finding from repo to build to image to service to exposure.
See where GitHub, GitHub Actions, AWS, scanners, and tickets fit.
What we support today
This is the exact stack VigilChain runs on. Every line of code that processes your data was scanned, traced, and owner-mapped through the same pipeline you'll be putting through it.
We can also ingest, but don't yet do full chain mapping for: GitLab CI, Jenkins, CircleCI, Travis CI, Azure, GCP. See Roadmap.
An example finding, end to end
Illustrative example
{"check_id":"python.lang.security.audit.dangerous-subprocess-use","path":"services/checkout/tasks.py","start":{"line":42},"extra":{"message":"Found subprocess call with shell=True."}}This is what your SAST queue looks like today — context-free.
Illustrative example
checkout-api:2026.04.01 matches Fargate task def on checkout-api-prod.public-api.example.com listener :443.@platform-api from CODEOWNERS in services/checkout/./checkout request (AI-assisted, see Confidence).Illustrative example
All five signals above are individually inspectable in the UI — see How confidence works.
Trust the analysis
We tell you which signals fed every decision so you can verify them yourself.
Pulled directly from APIs, no inference. Examples: CVE ID, package name + version, file path, ECR image digest, AWS resource ARN, ALB listener config, CODEOWNERS.
Inferred from structure, marked as inferred. Examples: deployment status from CI/CD config parsing, internet exposure from VPC + ALB topology, service-to-image mapping from task definitions.
Advisory, never auto-actioned at low confidence. Examples: SAST rule to canonical class mapping, code-path reachability from snippet analysis, finding narrative generation.
Every signal links back to its source: commit SHA, AWS resource ARN, scanner rule ID, CI run ID.
0-100, banded low / medium / high. Findings below the configurable threshold are flagged for review.
Finding: GHSA-xxxx in lodash@4.17.20 (services/checkout/package-lock.json)
|-- Deterministic: matched ECR digest sha256:a1b2... -> Fargate task def checkout-api-prod
|-- Deterministic: ALB listener public-api.example.com:443 -> service checkout-api-prod
|-- Heuristic: GitHub Actions workflow .github/workflows/deploy.yml builds and pushes this image (parsed)
|-- AI-assisted: vulnerable function _.template invoked in src/checkout/render.js:42 (advisory, snippet analysis)
|-- Verification: see commit 9f3a... (linked), task def revision :17 (linked)
`-- Confidence: 84/100 (high)We do not claim deterministic call-graph reachability today. AI signals are clearly labeled. The combined score is how we communicate uncertainty rather than hide it.
Where your data goes
Scanner findings (CVE, file path, snippet) · Repo metadata · CI/CD configs · AWS topology metadata · ECR image digests · Tenant repositories cloned into ephemeral workers for scan and analysis jobs
Rule identifiers · File paths · Configuration files or snippets · Finding metadata · Relevant source files or excerpts from the cloned repo when needed for classification, narrative, or reachability analysis
Application secrets · Environment variables · Customer data inside your services · Database contents · DB credentials · Known secret patterns before AI calls, when detected
Honest about what we ship
| Capability | Today | Roadmap |
|---|---|---|
| GitHub repo + Actions ingestion | ✓ | — |
| GitLab CI / Jenkins / CircleCI / Travis ingestion | partial (findings only) | full chain mapping |
| AWS Fargate + ECR + ALB chain mapping | ✓ | — |
| AWS multi-account | ✓ | — |
| Azure / GCP chain mapping | — | planned |
| Reachability via deployment chain | ✓ | — |
| Reachability via deterministic call graph | — | planned |
| Reachability via eBPF runtime agent | — | P2 |
| SAST scanning | ✓ | broader rule coverage |
| External SAST adapter ingestion | — | planned |
| SCA / container scanning | ✓ | broader ecosystem coverage |
| DAST adapter ingestion | — | planned |
| Cloud posture scanning | ✓ | broader control coverage |
| External cloud posture ingestion | — | planned |
| AI-assisted classification + dedup | ✓ | — |
| Per-tenant AI disable | — | planned |
| No-training, no-retention by Anthropic on production path | ✓ via AWS Bedrock | — |
| Workflow integration (Jira / GitHub Issues / Linear) | ✓ | — |
| Security graph + attack-path analysis | — | Phase 2 |
| Customer-facing posture snapshots | ✓ (live dashboard) | persistent snapshots |
| SOC 2 Type II | — | in progress |
| Self-serve onboarding | — | planned |
We will move items between Today and Roadmap on this page when status changes — not silently in the product.
If you're a fit, this is what setup looks like
We confirm your stack matches GitHub + GitHub Actions + AWS Fargate, or close enough.
Plain-language, two pages. Locks in 24-month 50% discount when paid plans launch. Not a click-through.
Read-only, scoped to the repos you choose.
Terraform module provided. Trust policy scoped to our AWS account; external-id required.
VigilChain runs SAST and dependency analysis in our worker environment after the GitHub App grants read access. No GitHub Actions snippet is required for scanner results.
From scanner findings to deployment-chain mapped to ranked to assigned.
If your stack is close but not exact (e.g., ECS EC2 instead of Fargate, or GitLab CI instead of GitHub Actions), tell us and we'll be honest about whether we can support you today.
What you get, what we ask
Free during design-partner phase. 24-month 50% discount when paid plans launch. Direct line to the founder (Slack Connect or email). Roadmap input via shared Linear workspace. White-glove onboarding.
About 30 min of feedback every 2 weeks. Permission to discuss your problems anonymized in marketing (no names without explicit opt-in). Optional, named reference in 12+ months if you stay with us.
Plain-language honesty
FAQ
We should be precise: VigilChain reachability today combines deployment-chain reachability (is the vulnerable dependency actually deployed to a running service, and is that service internet-exposed?) with AI-assisted code path analysis (does the application actually invoke the vulnerable code?). We do not yet perform deterministic function-level call-graph analysis. That distinction matters, and we state it plainly.
We do not have customer data or case studies yet, and we do not fabricate them. Example screenshots use synthetic names, counts, and domains to show the workflow without implying a customer deployment.
Because broad claims are cheap and reliable deployment-chain mapping is not. We support the stack we run ourselves first: GitHub + GitHub Actions + AWS Fargate, with SAST, SCA, and cloud scanning run by VigilChain after setup. That gives design partners a real workflow instead of a roadmap demo.
VigilChain is free during the design-partner phase. Design partners lock in a 24-month 50% discount when paid plans launch. We will give at least 30 days notice before the beta ends and paid plans begin.
Not yet. We are building toward SOC 2 Type II and can share current controls under NDA during evaluation.
No. A runtime agent is roadmap. Today we use static signals from repo, build, scanner, and cloud integrations, plus AI-assisted snippet analysis where appropriate.
Read-only metadata, scanner findings, CI/CD configuration, cloud topology metadata, and repository contents cloned into VigilChain-controlled workers for scan and analysis jobs. AI-assisted analysis may inspect relevant files from that clone. We do not request secrets, database contents, or service customer data, and we redact known-secret patterns before AI calls when detected. See Data Flow & AI Processing.
Not yet. We are in early design-partner phase. We will only publish named references with explicit opt-in.
Become a design partner
Walk through the supported workflow, pressure-test fit, and get an honest answer if your environment needs something we do not ship yet.