Free scan · $-priced findings · merged fixes

Find it. Fix it. Prove it.

Run a free scan that prices your risk in dollars, not CVSS. You get exploit-gated findings on every pull request — and each one arrives with a mergeable fix your own CI already passed.

npx @olydi/cli scan

Observe, Learn, Yield, Deploy, Iterate. The loop closes with a post-merge rescan.
No-Exploit, No-Report$-priced findingsGate-verified mergesed25519-signed evidence

Find and fix

Not a report. A mergeable PR.

Find

A free scan that prices your risk, not just lists it.

Exploit-gated severity plus reachability plus EPSS and KEV turn raw findings into prioritized, dollar-priced exposure on every pull request.

  • Exploit-gated severity
  • Reachability + taint proof
  • EPSS and KEV signals
  • SARIF export

Fix

A finding becomes a mergeable fix with proof attached.

A reachable finding becomes a bounded branch, a readable diff, and a pull request that's already green. You review a change that's ready to merge.

  • Bounded, readable diff
  • Your CI already passed
  • Gate-verified before review
  • Merges on your approval

Priced risk

We don't argue you have a problem. We price it.

Every reachable finding lands with its ΔEBITDA at risk — what leaving it open costs you. The scan is free, and the number is yours to keep.

How pricing works
npx @olydi/cli scan fingerprint next 16 · node 24 · 47 of 115 capabilities apply ✖ js/missing-rate-limit app/auth/verify.ts:41 HIGH reachable credential endpoint verifies before throttling — $340K ΔEBITDA at risk ✖ js/sql-injection src/db/users.ts:42 CRITICAL reachable user input flows to query() without parameterization — $1.2M ΔEBITDA at risk ✓ 2,114 rule hits suppressed by reachability — no exploit path, no report → olydi fix FINDING-77e3 opens a gate-verified PR

Governed velocity

A verified fix beats a suggested one.

Quick fixes hand you a suggestion to validate. This is a pull request your own CI already passed — bounded, readable, and waiting on your approval, not your labor.

How it works

Signed fix artifact

olydi/fix-auth-throttle

ready for review
4 files 12 tests 7m 42s CI
@@ app/auth/verify.ts:38
  const body = credentialSchema.parse(await req.json());
- const ok = await password.verify(body.password, account.hash);
+ await limiter.consume(requestIp, LOGIN_POLICY);
+ const ok = await password.verify(body.password, account.hash);
+ await audit.append(evidencePacket(finding.id));
  if (!ok) return reject(401);
$340K ΔEBITDA at risk$0 residual after merge

Evidence attached

control-family mapped; signature: ed25519 91f4e2a0

See the evidence

Do not trust a claim. Inspect the artifact.

A reachable finding becomes a fix PR, clears the gate wall, and emits signed evidence that verifies closed after merge. Open any stage and read it.

See a fix
findingapp/auth/verify.tsFINDING-77e3

task

Add rate limiting before credential verification

pr #301
  1. finding
  2. safe
  3. sealed
unit suiteroute smokegate wall
$340K ΔEBITDA at risk$0 residual after merge

evidence packet

ed25519 91f4e2a0 / control-family mapped / verified closed
The evidence packet attached to PR #301. Every merge produces one.

The difference

Everyone finds. OLYDI prices, merges, and proves.

Priced in dollars

Every reachable finding carries its ΔEBITDA at risk — what leaving it open costs. Severity you can take to a budget conversation.

No-Exploit, No-Report

Reachability plus EPSS and KEV plus taint proof suppress noise by construction. If we can't show you the path, we don't page you.

Merged, not suggested

Scanner quick-fixes hand you a suggestion to validate. OLYDI opens a PR that's already green — you review a change that's ready.

Proof as a by-product

Every merge leaves an evidence packet an auditor can open, plus a rescan that confirms closure. Your audit trail builds itself while you ship.

The gate wall

Every change clears ~125 gates (manifest-counted).

91 security and 35 QA gate families, plus your authoritative CI, run before a change asks for review. The deterministic floor always wins: a model can lower a verdict, never raise one.

Walk the gate wall
sastsecretsreachabilitytaintscasupply-chainiaccspmapi-contractruntime-ebpffuzzunitroute-smokevisuala11yperf

final = min(deterministic_floor, llm_verdict)

A slice of the wall. The full set is manifest-counted and drifts with the catalog.

Agent-native

Route your coding agent through OLYDI.

Claude Code, Cursor, and Codex sessions call OLYDI over MCP: they list your findings, ask why a risk matters, check gate state, and request fixes. Every governed call is policy-evaluated, dollar-priced, and recorded to an immutable audit trail before it runs.

MCP and IDE docs
list_findingsexplain_riskcheck_gate_statecreate_fix_request

Four governed tools. Policy decides before the call runs; the audit trail records it either way.

For security leadership, compliance, and portfolios.

  • Scan is free. Clearing it is paid.
  • Remediation throughput at volume lives on valty.ai.
  • For security leadership: valty.ai.