RSOLV Is Live: Test-First AI Security for GitHub Actions
Today, we’re launching RSOLV on the GitHub Marketplace.
After watching development teams waste countless hours on false positive security alerts, we built something different: the first AI security engineer that proves vulnerabilities before fixing them.
No guesswork. No false positives. No wasted time.
The Problem: False Positive Fatigue
Security scanners cry wolf. A lot.
You’ve experienced this: Your CI pipeline flags 47 “critical vulnerabilities.” You spend 3 hours meticulously reviewing each one. 43 turn out to be false positives—misidentified non-issues that wasted your time. The 4 real vulnerabilities? They’re added to your backlog, where they drift to the bottom, deprioritized because you’re drowning in noise.
Traditional scanners guess. They pattern-match code and hope they’re right. They can’t prove a vulnerability exists—they just suspect it might. Industry data shows these tools have a 60-80% false positive rate.
AI code generators hallucinate. They’ll confidently “fix” non-existent security issues, introducing bugs while claiming to improve security. Without proof of exploitability, you’re flying blind.
When teams lose trust in security findings, they start ignoring alerts. Real vulnerabilities slip through. Production incidents happen. Customer data gets compromised.
You deserve better.
The Solution: Test-First Security
RSOLV applies Test-Driven Development (TDD) principles to security validation.
Instead of guessing whether code is vulnerable, RSOLV proves it with executable tests. If RSOLV can’t write a failing test that demonstrates the exploit, it doesn’t report the issue.
No test? No report. Simple.
This approach eliminates false positives and gives your team confidence that every security finding is real, exploitable, and worth fixing immediately.
How It Works: The Three-Phase System
RSOLV follows a rigorous three-phase validation process inspired by TDD’s RED-GREEN-REFACTOR cycle:
Phase 1: SCAN - Pattern Detection
The journey starts with detection. RSOLV scans your codebase using 180+ AST-validated security patterns across 29 CWE vulnerability types covering:
- OWASP Top 10: SQL injection, XSS, CSRF, insecure deserialization, security misconfigurations
- SANS Top 25: RCE, path traversal, command injection, cryptographic failures
- Language-specific vulnerabilities: Framework-aware detection for Express, Django, Rails, Spring Boot
Supported languages: JavaScript/TypeScript, Python, Ruby, Java, PHP, Elixir
Unlike regex-based scanners, RSOLV uses Abstract Syntax Tree (AST) analysis to understand code structure and context. When a potential vulnerability is detected, it’s sent to our server-side AST validation layer for quality verification before proceeding to validation.
This is the first layer of our Three-Layer Noise Reduction system: AST Analysis filters out structural false positives before we spend any compute on deeper analysis.
Phase 2: VALIDATE - The Secret Sauce
The second layer of noise reduction is AI Defense Detection: RSOLV’s AI analyzes the surrounding code for existing defenses, input sanitization, WAF configurations, and framework-level protections that render a detected pattern unexploitable. Findings with confirmed defenses are filtered out as counter-indicated, never reaching test generation.
For findings that survive both layers, here’s where RSOLV becomes revolutionary: we generate an executable RED test proving the vulnerability exists – the third layer, Executable Proof.
Let’s see this in action with a real SQL injection example:
Vulnerable code detected:
// Vulnerable: User input directly concatenated into SQL query
app.get('/user/:id', (req, res) => {
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
db.query(query, (err, result) => res.json(result));
});
RSOLV generates this RED test:
test('SQL injection allows unauthorized data access', async () => {
// Malicious input: SQL injection payload
const maliciousId = "1 OR 1=1";
const response = await request(app).get(`/user/${maliciousId}`);
// Expected: Only user with ID 1
// Actual: ALL users in database (injection successful)
expect(response.body.length).toBe(1); // FAILS ✅ - proves the exploit
});
When you run this test, it fails. The test expects 1 user but gets all users in the database because the SQL injection payload (1 OR 1=1) bypasses the intended query logic.
This failing test is executable proof that an attacker can exploit this vulnerability to extract unauthorized data.
If RSOLV cannot generate a test that demonstrates the exploit, it doesn’t report the finding. Together, these three layers – AST Analysis, AI Defense Detection, and Executable Proof – deliver a 90% validation rate vs. the 20-40% of traditional scanners.
Phase 3: MITIGATE - Automated Remediation
Once RSOLV proves the vulnerability exists, it creates a fix that makes the RED test turn GREEN.
Fixed code:
// Fixed: Parameterized query prevents SQL injection
app.get('/user/:id', (req, res) => {
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [req.params.id], (err, result) => res.json(result));
});
Now when the test runs with the malicious payload:
test('SQL injection allows unauthorized data access', async () => {
const maliciousId = "1 OR 1=1";
const response = await request(app).get(`/user/${maliciousId}`);
expect(response.body.length).toBe(1); // PASSES ✅ - exploit prevented
});
The test passes because the parameterized query treats "1 OR 1=1" as a literal string value, not executable SQL. The database safely searches for a user with ID "1 OR 1=1", finds nothing, and returns 0 results instead of leaking all users.
RSOLV opens a pull request with:
- The RED test (proving the vulnerability)
- The fix (making the test GREEN)
- Educational context: What was vulnerable, why it mattered, how to prevent it in the future
- References: OWASP guidelines, CWE identifiers, framework-specific best practices
Your team reviews the PR like any other code change—but you’re reviewing a proven security fix instead of guessing whether a scanner alert is real.
Architecture: Built for Production
RSOLV launched to production in March 2026, with comprehensive monitoring and reliability infrastructure:
Performance Baselines
| Metric | Target | Monitoring |
|---|---|---|
| API Error Rate | < 1% | Prometheus alerts at 1% (warning), 5% (critical) |
| P95 API Latency | < 1000ms | Real-time tracking with 3000ms critical threshold |
| Database Queries | < 100ms P95 | Connection pool monitoring at 90% utilization |
| Webhook Processing | < 1000ms P95 | Stripe webhook compliance (< 30s response) |
Reliability Infrastructure
- 15 Prometheus alert rules covering API performance, database health, webhook processing
- Real-time Grafana dashboards for observability
- Multi-tier alerting: INFO → WARNING → CRITICAL with escalation paths
- Client-side encryption: Code encrypted before transit, decrypted only in sandboxed memory for analysis
- No code storage: Only vulnerability metadata is retained
Flexible Workflow Modes
RSOLV adapts to your team’s needs with three workflow modes:
Scan Mode (Read-Only)
Perfect for initial evaluation or compliance reporting.
- uses: RSOLV-dev/RSOLV-action@v4
with:
rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
mode: scan
What happens: Detects vulnerabilities, reports findings in GitHub Actions logs. No PRs created. Great for understanding your security posture without changes to your repo.
Validate Mode (Scan + Tests)
Proves vulnerabilities with executable tests.
- uses: RSOLV-dev/RSOLV-action@v4
with:
rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
mode: validate
What happens: Detects vulnerabilities, generates RED tests proving exploitability, commits tests to a branch. Your team reviews the tests to confirm findings. No automated fixes yet.
Mitigate Mode (Full Automation)
Complete test-first security automation.
- uses: RSOLV-dev/RSOLV-action@v4
with:
rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
mode: mitigate
What happens: Detects, validates with RED tests, generates fixes, creates pull requests with full educational context. Your team reviews PRs and merges when ready.
Start with scan mode. Validate findings. Build trust. Upgrade to mitigate when ready.
Real-World Example: E-Commerce Application
Here’s what happened when we ran RSOLV on a production e-commerce application built with Express.js:
Initial scan:
- 12 potential vulnerabilities detected via AST patterns
- 12 sent to server-side AST validation layer
- 9 passed validation (3 filtered as false positives before test generation)
Validation phase:
- 9 RED tests generated
- 9 tests executed successfully
- 7 tests FAILED (proving 7 real vulnerabilities)
- 2 tests passed (legitimate edge cases, not vulnerabilities)
Final results:
- 7 real vulnerabilities confirmed with executable proof
- 0 false positives reported to the development team
- 7 automated PRs created with fixes + educational content
Findings breakdown:
- 3 SQL injection vulnerabilities
- 2 XSS (Cross-Site Scripting) issues
- 1 CSRF (Cross-Site Request Forgery) vulnerability
- 1 insecure session management flaw
Team feedback:
“For the first time, we trusted every security alert. The executable tests proved each finding was real. Our team merged all 7 PRs within 48 hours.”
VALIDATEs consumed: 7 (1 per validated vulnerability). Fixes included at no extra cost.
This is test-first security in action: high precision, zero noise, immediate trust.
Pricing: Pay for Vulnerabilities Found
We believe you should pay for value delivered, not lines of code scanned.
| Plan | Price | VALIDATEs/month | Best For |
|---|---|---|---|
| Free | $0/month | 5 | First-time users, evaluation |
| Pro | $59/month | 25 | Growing companies, continuous scanning |
| Team | $249/month | 100 | Teams with multiple repos |
You pay for proof, not fixes. We charge for VALIDATE (the executable test that proves a vulnerability is real). Once proven, the fix is included free at every tier. Additional validations beyond your plan are $10 each.
How does usage work?
- Scan mode: Unlimited scans on all plans
- Validate mode: 1 VALIDATE per vulnerability proven with RED test
- Mitigate mode: Full pipeline – validation + fix + PR. Fixes are included free.
No surprises: You control usage by choosing your workflow mode. Start with free scan mode to understand your vulnerability count before consuming VALIDATEs.
Try it free: 5 VALIDATEs/month on the Free plan, no credit card required.
Getting Started (3 Steps, 5 Minutes)
Step 1: Get Your API Key
- Visit rsolv.dev
- Sign up with your email (no credit card required)
- Free plan includes 5 VALIDATEs/month
- Copy your API key from the dashboard
Step 2: Add GitHub Secret
- Navigate to your GitHub repo: Settings → Secrets and variables → Actions
- Click New repository secret
- Name:
RSOLV_API_KEY - Value: Your API key from Step 1
- Click Add secret
Step 3: Create Workflow
Create .github/workflows/rsolv.yml:
name: RSOLV Security Scan
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
security:
runs-on: ubuntu-latest
permissions:
contents: write
issues: write
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: RSOLV Security Analysis
uses: RSOLV-dev/RSOLV-action@v4
with:
rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
mode: scan # Start with scan mode
Push to trigger your first scan. Results appear in GitHub Actions logs within 30-60 seconds.
When you’re ready for automated fixes, change mode: scan to mode: mitigate.
Why Test-First Matters
Traditional Scanners ❌
- Report potential issues based on pattern matching
- Cannot prove vulnerabilities are exploitable
- High false positive rate (60-80% in many tools)
- Teams lose trust, start ignoring alerts
- Real vulnerabilities slip through noise
RSOLV ✅
- Proves vulnerabilities with executable tests
- 90% validation rate (no test = no report)
- Builds team confidence in every finding
- Educational: Tests demonstrate exploit scenarios
- Developers understand why code is vulnerable
- Fixes come with prevention guidance
The difference: Traditional tools tell you something might be vulnerable. RSOLV proves it is vulnerable with code you can run.
This changes everything.
Building in Public
We’re building RSOLV in the open and listening closely to early adopters. Our roadmap is driven by real user feedback, not feature checklists. If there’s something you need, we want to hear about it: support@rsolv.dev
Try RSOLV Today
RSOLV is live on the GitHub Marketplace with a generous free trial:
Install: GitHub Marketplace - RSOLV Documentation: GitHub README Support: support@rsolv.dev Community: @rsolv@infosec.exchange (Mastodon)
Start free with 5 VALIDATEs/month. No credit card required.
Run your first scan in 5 minutes. See for yourself why test-first security eliminates false positives.
We’re building this for you. Let us know what you think.
Frequently Asked Questions
Q: How is RSOLV different from Snyk, Dependabot, or GitHub Advanced Security?
RSOLV focuses on custom code vulnerabilities (the code your team writes), not dependency vulnerabilities (third-party packages). Snyk and Dependabot excel at finding vulnerable dependencies—use them together with RSOLV for comprehensive coverage.
GitHub Advanced Security (CodeQL) performs static analysis but doesn’t generate tests proving vulnerabilities. RSOLV’s test-first approach eliminates false positives that CodeQL may report.
Q: What about false negatives? Can RSOLV miss vulnerabilities?
No security tool is perfect. RSOLV’s 180+ patterns across 29 CWE types cover the most common vulnerabilities (OWASP Top 10, SANS Top 25), but we can’t detect every possible vulnerability pattern.
We’re constantly expanding our detection library based on:
- Real-world vulnerabilities found in the wild
- Community-contributed patterns
- CVE database analysis
- Security research publications
Think of RSOLV as high-precision detection: when we report something, it’s highly likely to be real (90% validation rate vs. 20-40% for traditional scanners). We prioritize accuracy over exhaustive coverage.
Q: Does RSOLV work with my test framework?
Yes! RSOLV detects your existing test framework automatically:
- JavaScript/TypeScript: Jest, Vitest, Mocha, Jasmine
- Python: pytest, unittest, nose
- Ruby: RSpec, Minitest
- Java: JUnit, TestNG
- PHP: PHPUnit, Pest (with Laravel and Symfony support)
- Elixir: ExUnit (with Phoenix support)
Generated tests integrate seamlessly with your existing test suite.
Q: What data does RSOLV collect?
We collect:
- Anonymized usage metrics (scan counts, vulnerability counts by type)
- API performance metrics (latency, error rates)
- Aggregated language/framework statistics
We do NOT collect:
- Your source code (encrypted client-side, analyzed in sandboxed memory, not stored)
- Repository names or URLs
- Personally identifiable information (PII)
- Customer data from your applications
Opt-out: Set RSOLV_TELEMETRY=false in workflow environment variables.
Full privacy policy: https://rsolv.dev/privacy
Q: Can I contribute security patterns to RSOLV?
Yes! We’re building a community pattern library. If you’ve identified a common vulnerability pattern that RSOLV doesn’t detect, we want to hear about it.
Contact us: support@rsolv.dev
We’re especially interested in:
- Framework-specific security issues
- Language-specific vulnerability patterns
- Industry-specific compliance requirements (HIPAA, PCI-DSS, etc.)
Q: Is there support for open source projects?
We’re evaluating options for open source sponsorship. If you maintain a high-impact open source project and want to use RSOLV, reach out: opensource@rsolv.dev
In the meantime, the Free plan (5 VALIDATEs/month) works for any project—including open source.
Q: How long do scans take?
Typical scan times (on ubuntu-latest runner):
- Small repo (< 1000 files): 30-60 seconds
- Medium repo (1000-5000 files): 2-4 minutes
- Large repo (5000+ files): 5-10 minutes
Validation (RED test generation): Adds 10-30 seconds per vulnerability found
Mitigation (fix generation): Adds 20-45 seconds per vulnerability fixed
For large repos, consider running RSOLV on pull requests only (not every push) to optimize CI time.
Q: What happens when my VALIDATE budget is exhausted?
RSOLV uses budget-aware scan planning. When your monthly VALIDATEs are used up, RSOLV’s scan still runs and detects findings – you always see what SCAN found. Remaining findings that would require validation are deferred until your budget resets or you add additional validations.
- Scan results always show all detected vulnerabilities
- RSOLV prioritizes the highest-severity findings for your remaining VALIDATEs
- Deferred findings are available for validation when your budget resets next month
You always see what was found, even if you don’t have enough VALIDATEs to prove everything immediately.
Built by: Dylan Fitzgerald (@arubis) Follow: @rsolv@infosec.exchange (Mastodon) Star us: RSOLV-action on GitHub Discuss: GitHub Discussions
Ready to eliminate false positives from your security workflow? Start your free trial →