I · Three questions a working security team asks
From CVE-on-code to secrets to LLM-injection.
Demo 1 · CVE-on-code, ranked8.9 ms · local
CVE matches in our dependency graph · severity ≥ High · KEV-listed
01CVE-2024-49415 · KEV-listed · path → libfoo@1.4 → app/api/auth. NVD + GHSA · KEV 2024-11 · CVSS 9.1
0.97
02CVE-2025-00231 — only reachable from upload route; rest of code path dead. NVD + Indago reachability · src/api/upload.ts:42
0.91
03GHSA advisory · same pkg, different CVE, fix landed in 1.4.7 — 1.4.3 in lockfile. GHSA-…-… · pkg-lock.json:8412
0.83
Demo 2 · Secrets hunt across historyscan · per-commit
secrets · uncommitted & committed · all branches · last 5 years
01AWS SECRET_KEY in test fixture · committed 2022-09; never revoked. scan · security.secrets · src/test/.../fixture.json:12
0.99
02High-entropy string flagged in archived branch; matches a known vendor token shape. scan · security.secrets.entropy · branch: rel/2021
0.88
Demo 3 · LLM-injection & prompt-handlingscan · 4.2 ms
LLM injection · untrusted input concatenated into system prompt · all services
01buildPrompt() concatenates raw user message into system role without escaping. scan · security.llm-injection.system-prompt · src/agent/Prompt.ts:88
0.94
02Tool-use response inlined into next-turn user message. No origin tag. scan · security.llm-injection.tool-echo · src/agent/Loop.ts:142
0.86
Demos illustrative. Scans run on your codebase, locally — no code leaves the workstation.
II · What's included
67+ plugins. NVD, GHSA, KEV, OSV, EPSS.
Pair with NIS2 sub-bundle for CISO-level compliance evidence, with Code for full search by meaning, and with Legal when supervisory text matters.
- NVD · GHSA · CISA KEV · OSV · EPSSdelta-indexed daily · exploit-prediction scored
- 67+ security plugins · two branches
security.code.* + security.iac.*
- Secrets · entropy · committed-historyscan · security.code.secrets.*
- Crypto · race · auth · injection · deserialisationscan · security.code.crypto.* · security.code.injection.* · …
- LLM-injection · IaC misconfigscan · security.code.llm-injection.* · security.iac.*
- Native renderers
validation-binder — accepts SOC 2 / ISO 27001 / NIS2 as renderer framework labels (chunk-resolved evidence, framing per artifact) · audit · bounty.29-template surface · framework labels, not separate scans
- SARIF 2.1.0 export · journaledfits existing pipelines · every render appended to journal
Sources of recordNVDGHSACISA KEVOSVEPSS
MITRE CWE is a reference taxonomy used inside plugin output, not a fetched source. Vendor advisories (Apple, Microsoft, Google, Red Hat, Canonical) are ingestible via indago_learn per advisory URL; they don't ship as bulk-source plugins today.
II.5 · Sample workflows
Real workflows. Real numbers.
Three workflows shaped for this bundle. Where the box reads Verified, the numbers come from a real run logged in this codebase. Where it reads Pending validation, the workflow shape is implemented and we are still gathering the headline numbers before we publish them.
Workflow 01
Pending validation
CVE-on-code reachability sweep
AppSec
- InputWorkspace + lockfile.
- MethodNVD + GHSA + CISA KEV joined against your dependency graph + Indago reachability filter.
- OutputSARIF 2.1.0 export with per-finding reachability and KEV flag.
< 10 ms · 22 k passages
Engine perf measured on the Indago repo; pending a customer reachability case study for headline numbers.
Workflow 02
Pending validation
Secrets-in-history hunt
DevSecOps
- InputRepo with full git history (all branches).
- Method
security.secrets entropy + token-shape scan across every reachable blob.
- OutputFindings list with BFG-style purge script attached per match.
Rotate-or-prove
Scan shape ships; pending a verified rotation case study before publishing a hit-rate.
Workflow 03
Pending validation
LLM-injection · prompt-handling audit
AI-platform teams
- InputSource paths that call an LLM SDK.
- Method
security.llm-injection.system-prompt + security.llm-injection.tool-echo scans.
- OutputFindings with fix recipes (escape, origin-tag, separator pattern).
Pattern-class catch
Patterns are coded against real frameworks; pending a customer dry-run for headline numbers.
Verified workflows are reproducible against the index hash listed in each run. Pending workflows are a written commitment, not a customer quote — we publish numbers only when we have measured them.
Security bundle · from€499/ seat / month· platform pricing for > 50 seats · NIS2 sub-bundle add-on
III · Also useful for security teams