Your codebase has issues PR review won’t catch. cubic finds them.

Codebase scans analyze your entire repository to find bugs that PR review misses: security vulnerabilities, data corruption risks, and business logic errors. With AI-generated code (Copilot, Cursor, Claude) now common, edge cases and subtle bugs slip through more often. Unlike PR reviews, which check a diff in minutes, codebase scans run thousands of checks across the whole repository. They take hours (sometimes 24+ for large codebases) but run in the background.
Codebase scans are in beta.

Issues that codebase scans find

Codebase scans focus on high-impact issues:
  • Security vulnerabilities: authentication bypasses, injection points, exposed secrets
  • Data integrity risks: race conditions that corrupt state, missing validations, unsafe database operations
  • Business logic flaws: billing edge cases that lose money, incorrect permission checks, broken invariants
  • Dependency vulnerabilities: known CVEs in your supply chain, unsafe version ranges

How it works

cubic clones your repository into an isolated sandbox and deploys thousands of agents that explore your codebase in parallel. These agents:
  • Navigate across files to trace data flows
  • Follow call chains to verify issues
  • Check external documentation (framework docs, security advisories)
  • Test multiple hypotheses before confirming findings
  • Use your repository’s AI Wiki to understand product context and prioritize investigations
The scan process:
  1. Maps your repository structure
  2. Checks for an up-to-date AI Wiki—if one doesn’t exist, cubic generates it automatically
  3. Deploys thousands of parallel agents informed by the wiki’s understanding of your product
  4. Investigates suspicious patterns
  5. Deduplicates findings
  6. Scores by severity and confidence
This takes hours because agents verify each finding across files and external sources. The result is a set of high-confidence issues that you can act on immediately.

Starting a scan

Codebase scans are available by request. Once enabled:
  1. Navigate to your repository’s Codebase scan page
  2. Click Start scan
  3. Continue working. You’ll be notified when results arrive
Remember: this is background analysis. Start a scan before leaving for the day and check the results in the morning.

Working with results

Every finding appears in a clean table with three key signals:
  • Score: severity × confidence, so you focus on what matters
  • Status: track as Open, Resolved, or Dismissed
  • Summary: what’s wrong in plain language
Click any issue for:
  • Full explanation with code context
  • AI sidebar to explore the finding interactively
  • Copy prompt button for a ready-to-paste fix prompt

When to run scans

Think of scans as periodic deep inspection, not continuous monitoring:
  • Before major releases: catch issues that accumulated during development
  • After architecture changes: verify new patterns don’t introduce vulnerabilities
  • Post-dependency updates: check for newly exposed attack surface
  • Monthly or quarterly: maintain baseline security posture

Custom scans

Need deeper security analysis? Want higher sensitivity for financial code? Require specific compliance checks? Scans are tunable. Reach out and cubic can configure scans for your specific risk profile and requirements.

FAQ

Do codebase scans slow down PR reviews?
No. PR reviews remain fast and inline. Scans run completely separately in the background.

How accurate are the findings?
High signal-to-noise ratio. Teams report immediately actionable results, often more precise than traditional security tools.

How long does a scan take?
Small repos: 2-6 hours. Medium: 6-12 hours. Large enterprise codebases: 24-48 hours. You get progress updates throughout.

Does it replace existing security tools?
It complements them. cubic finds logical flaws and subtle bugs that pattern-matching tools miss.

What does it cost?
Scans are included in your cubic subscription. No per-scan charges. Run as many as you need.