Application Code Security

Check your code before it is done by someone who cares more about it

Static source code security analysis (SAST) enhanced with dependency analysis (SCA) and secret scanning. We identify vulnerabilities, configuration errors and potential data leaks – with business context and specific recommendations. Pricing tailored to the size of the project.
Individual pricing
Price depends on the number of lines of code, programming language and number of repositories. Pricing in 48 hours after submitting the form.


The problem - why it matters

Every company developing its own software has vulnerabilities in its code that it doesn’t know about. Hardcoded passwords and API keys in repositories, libraries with known CVEs, faulty input validation leading to SQL injection, improper privilege checks, unsecured API endpoints – these are the most common causes of successful application attacks. The average time between when a vulnerability is introduced into the code and when it is noticed is more than 200 days; during this time the code goes into production, to customers, to partners.

Traditional code analysis tools are either expensive and complicated (commercial SAST for tens of thousands of euros a year) or free and superficial (a plain linter). What’s missing is an intermediate solution – a one-time, comprehensive analysis that tells the company: here are all the risks in your code, here is their business significance, here is what to change specifically. We address this gap.


What exactly are we analyzing

The analysis includes three complementary types of scanning, combined into one report – to get a full picture of an application’s risk, not just a fragment.

SAST - static analysis of source code

Scans the source for vulnerability patterns – SQL injection, XSS, CSRF, authorization errors, improper input validation and the other OWASP Top 10 classes. Works on the code itself, without having to run it.

SCA - dependency analysis (Software Composition Analysis)

Inventories every external library (npm, pip, Maven, Composer) used in your application and identifies those with known CVEs. Each vulnerability is assessed for its real impact on your application – not every CVE in a library is a realistic threat; context matters.
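As an added illustration of the SCA step described above (example code, not the service’s own engine), the following Python script reads a constructed requirements.txt, matches the pinned versions against a constructed advisory list with placeholder identifiers, and then applies a simple, heuristic reachability check: an advisory whose affected symbol is actually imported or referenced in the application source is ranked above one whose vulnerable code path the application never touches. Package names, advisory IDs, and the sample source are all constructed for the example.

```python
import re

# Constructed dependency manifest standing in for the customer's requirements.txt.
REQUIREMENTS = """\
examplelib==2.2.0
otherlib==1.4.7
"""

# Constructed advisory feed with placeholder identifiers. A real SCA engine pulls
# these from a vulnerability database; the shape here is simplified.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "examplelib", "fixed_in": "2.3.1",
     "affected_symbol": "examplelib.render_template", "severity": "high"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "otherlib", "fixed_in": "1.5.0",
     "affected_symbol": "otherlib.legacy.parse", "severity": "medium"},
]

# Constructed application source used for the reachability heuristic.
APP_SOURCE = """\
from examplelib import render_template
import otherlib

def view(req):
    return render_template("index.html")
"""


def parse_requirements(text):
    """Return {package: version} for '==' pins; other specifiers are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def version_tuple(v):
    """Numeric tuple for comparison; non-numeric parts are truncated (heuristic)."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def symbol_referenced(source, symbol):
    """Heuristic: is the affected symbol imported by name or used fully qualified?"""
    module, name = symbol.rsplit(".", 1)
    from_import = rf"from\s+{re.escape(module)}\s+import\s+[^\n]*\b{re.escape(name)}\b"
    qualified = rf"\b{re.escape(symbol)}\b"
    return re.search(from_import, source) is not None or re.search(qualified, source) is not None


def find_vulnerable(requirements_text, advisories, app_source):
    """Match pinned versions to advisories and annotate each hit with reachability."""
    pins = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed is None:
            continue
        if version_tuple(installed) < version_tuple(adv["fixed_in"]):
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
                "reachable": symbol_referenced(app_source, adv["affected_symbol"]),
            })
    # Reachable findings first: those are the ones that realistically threaten the app.
    findings.sort(key=lambda f: (not f["reachable"], f["package"]))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(REQUIREMENTS, ADVISORIES, APP_SOURCE):
        flag = "REACHABLE" if f["reachable"] else "not referenced"
        print(f'{f["id"]}: {f["package"]} {f["installed"]} (fix in {f["fixed_in"]}) - {flag}')
```

The reachability check is deliberately a text heuristic; it shows why the same CVE can be critical in one project and a low-priority upgrade in another, which is the contextual assessment the section refers to.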

Secret scanning - detecting secrets in the repository

Scans the repository history for accidentally committed passwords, API keys, certificates and tokens. Secrets often remain in the history even after they are "deleted" in a later commit – Git remembers everything.
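The point that a secret survives in history after it is removed from the working tree, as an added example (not the service’s own scanner): a small Python scanner runs pattern rules over a constructed two-commit history in which commit a1b2c3d hard-codes credentials and commit e4f5a6b replaces them with environment lookups. Scanning only the latest snapshot finds nothing; scanning every commit still reports both secrets. The commit IDs, file contents, and the AWS-style sample key (the well-known documentation placeholder) are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a repository's history, oldest first. Each entry holds
# the full content of the files that commit touched.
HISTORY = [
    {"commit": "a1b2c3d", "files": {
        "config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDB_PASSWORD = "hunter2"\n',
    }},
    {"commit": "e4f5a6b", "files": {
        # The "fix": secret removed from the working tree, but a1b2c3d still has it.
        "config.py": 'import os\nAWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
                     'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    }},
]

# Rules: a vendor-specific key format plus a generic "credential assigned a literal".
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned-credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]"),
}


def shannon_entropy(s):
    """Bits per character; used to help triage, not to suppress pattern hits."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, commit, path):
    """Apply every rule to every line of one file version; mask the matched value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append({
                    "rule": rule, "commit": commit, "path": path, "line": lineno,
                    "preview": value[:4] + "...", "entropy": round(shannon_entropy(value), 2),
                })
    return findings


def latest_snapshot(history):
    """Replay commits to get the current working tree (what a HEAD-only scan sees)."""
    tree = {}
    for commit in history:
        tree.update(commit["files"])
    return tree


def scan_history(history):
    """Scan every file version in every commit, not just the current tree."""
    findings = []
    for commit in history:
        for path, content in commit["files"].items():
            findings.extend(scan_text(content, commit["commit"], path))
    return findings


if __name__ == "__main__":
    head = latest_snapshot(HISTORY)
    head_hits = [f for p, c in head.items() for f in scan_text(c, "HEAD", p)]
    print("HEAD findings:", len(head_hits))
    for f in scan_history(HISTORY):
        print(f'{f["commit"]} {f["path"]}:{f["line"]} {f["rule"]} {f["preview"]} (H={f["entropy"]})')
```

A HEAD-only scan here reports zero findings, which is exactly the false sense of safety the section warns about; the history scan attributes both hits to commit a1b2c3d, which is the information needed to decide that the credentials must be rotated, not merely removed.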

Supported languages and ecosystems

JavaScript / TypeScript (Node.js, React, Vue, Angular), Python (Django, Flask, FastAPI), Java (Spring), C# (.NET), PHP (Laravel, Symfony), Ruby (Rails), Go. Other languages - on request.


What you get

Executive Summary Report (management, CTO)
Number of critical and high vulnerabilities found by category, top 5 business risks expressed in PLN (potential penalty, incident cost, impact on customer SLAs), recommended remediation order.
Technical report (developers, security team)
Full list of all vulnerabilities found with exact location (file, line, code snippet), CVSS 3.1 classification, attack vector description, suggested fix (sample repair code) and links to best practice documentation. Format ready for direct entry into a task tracker (Jira, GitHub Issues).
Delivery format
PDF + interactive view in the customer panel (filtering by file, category, criticality). For larger projects – in addition, export to SARIF format, which can be imported into developer tools.
“File /api/users.py line 142: SQL injection in authenticate() function. Risk: full access to the database. Suggested fix: use parameterized queries – example in the report.”
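The kind of finding quoted above, with its fix, as an added example (not taken from any report or from the service’s own code): a Python lookup that builds the SQL statement from user input, placed beside the parameterized version, with a login routine that then verifies the password with a salted PBKDF2 hash. The in-memory SQLite database, the user “alice”, her password and the probe string are all constructed for the example; the `users` table layout is an assumption.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; parameters chosen for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db():
    """Constructed in-memory user store standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        ("alice", salt, hash_password("correct horse battery", salt)),
    )
    conn.commit()
    return conn


# BEFORE: the pattern a SAST engine reports as SQL injection. The user-controlled
# value is pasted into the SQL text, so quote characters in it rewrite the query.
def find_user_vulnerable(conn, username):
    query = f"SELECT id, username, salt, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone()


# AFTER: the value travels as a bound parameter; the driver never parses it as SQL,
# so the WHERE clause always means "username equals this exact string".
def find_user_safe(conn, username):
    query = "SELECT id, username, salt, pw_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()


def authenticate(conn, username, password) -> bool:
    """Parameterized lookup plus constant-time comparison of the password hash."""
    row = find_user_safe(conn, username)
    if row is None:
        return False
    _, _, salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # a username that is not in the table
    print("vulnerable lookup returns:", find_user_vulnerable(db, probe))
    print("parameterized lookup returns:", find_user_safe(db, probe))
    print("alice login:", authenticate(db, "alice", "correct horse battery"))
```

Run as a script, the vulnerable lookup returns alice’s row for a username that does not exist, because the input changed the query’s logic; the parameterized lookup returns nothing for the same input. That before/after pair is what a technical-report fix snippet for a finding like the one quoted above should show.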

How does it work?

Process in 4 steps

01

Pricing (48 hours)
You fill out the “Get in touch” form – specify the repository (or number of lines of code), languages, number of projects. You receive a quote in 48 business hours. Pricing based on the number of lines of code and the time needed for analysis – no hidden costs.

02

Acceptance and access (1-2 days)
Once you accept the offer, you provide us with read-only access to the repository (GitHub, GitLab, Bitbucket, your own Git server). We sign an NDA if you wish. We never gain access to the production or client environment.

03

Analysis (24-72 hours)
We run a set of analysis engines. The result is then run through a quality verification layer that eliminates common false positives before delivering the report. The larger the repository, the longer the analysis; we always provide a specific timeframe in the quote.

04

Report
You get two reports (Executive Summary and Technical) in the client dashboard. The technical report includes, for each finding, context, location (file, line, code snippet), CVSS classification and a suggestion for the direction of the fix – in a format that your development team can directly enter into their tracker (Jira, GitHub Issues).

Individual pricing - what does it depend on?

The price for code analysis is matched to the actual size of the work. The main factors affecting the pricing:
Number of lines of code – the larger the repository, the longer the analysis and verification
Number and type of programming languages – some require longer engine setup
Number of separate repositories – each repository is a separate run and report
Degree of manual verification required – whether the report is delivered in the standard version or with additional verification on our side

You will receive a concrete quote within 48 hours of filling out the request form – no hidden costs, no phone call at this stage.

Who this service is for

Application Code Security is aimed primarily at companies that develop their own software – software houses, tech startups, IT departments of larger companies building internal tools. Particularly recommended before the public deployment of a new application, before ISO 27001 or SOC 2 verification, before an investment round (when the investor’s tech due diligence department will ask about code quality), or after a security incident when you want to rule out similar vulnerabilities in other projects.
It is also often ordered as part of the onboarding process of an external developer or after taking over a project from a previous supplier – in which case the report provides an objective “technology debt map” and helps plan the first months of work.

Frequently Asked Questions (FAQ)

Do I need to share full production access with you?
No. Read-only access to a code repository (GitHub, GitLab, Bitbucket or ZIP export) is sufficient. We never need access to production, client databases or the running application environment. Our analysis is 100% static.

No. Reliable static analysis requires access to the source code – without it, only “outside-in” testing is possible, which is a separate service (Cyber Monitoring and Scanning or a manual pentest). If access to the code is a concern, we sign an NDA before any details are exchanged.

Yes, on request. We have our own NDA template, but we also accept customers’ templates (after standard legal verification on our side, usually within 1 business day). If you wish, the whole access process is preceded by signing an NDA.

We communicate critical vulnerabilities immediately – we do not wait for the end of the analysis. You get an initial briefing with a description of the vulnerability and an urgent recommendation for action before we generate a full report. Our role is to help you respond quickly, not generate dramatic reports after the fact.

For each critical and high vulnerability in the report, you will find an example of a fix – a code snippet showing how to fix the problem (with a note that you need to fit it into the structure of your application). For medium and low vulnerabilities, we provide a description of the problem, best practices and a link to documentation.

Yes. The report directly addresses questions asked by tech due diligence departments of VC funds and strategic investors. We have repeatedly encountered situations where our clients have included the Ragnar Shield report as an attachment to the data room – this shows the investor that the company is consciously managing technology risk.

Limitations of the service (disclaimer)

Static analysis has limitations. It finds far more vulnerabilities than no analysis at all, but not all of them – especially logic errors, vulnerabilities that depend on a specific runtime context, and configuration problems in production. False positives and false negatives are possible. For a complete assessment of application security, we recommend supplementing it with manual penetration testing. The full range of limitations is described in the Terms of Service.

Packages and related services

Application Code Security is most often ordered together with:
Cyber Monitoring & Scanning

249,00 

Comprehensive diagnosis: technology + people

Verification of Regulatory Compliance

499,00 

Checks the company’s obligations as a result of detected leaks

Manual Penetration Tests

Supplement static analysis with runtime test

Let's check your code together

Quote in 48 hours. NDA upon request.

Read-only access.

Application Code Security Quote - we respond in 48 hours

Fill out the form – you will receive a quote within 48 business hours. The more information you provide, the more precise the quote we will prepare. We do not need access to the code at this stage – a general description of the project is enough.