payscan · payment-surface vulnerability scanner

Submit a product. It maps the payment flow and audits it for nine vulnerability classes. Static analysis only — your code is never executed, only read.

Fetched server-side — no upload-size limit. Dependencies and non-source files are skipped automatically. A token with read access is needed only for private repos; it's sent to GitHub to fetch your repo and is never stored or logged.