
Kusari Inspector Documentation

All signal, no noise. No chasing or surprises. Just secure code, faster.

Getting started

  1. Go to the Kusari Inspector GitHub app
  2. Click “Configure” and select the organization you want to install Inspector for
  3. Select “All repositories” or “Only select repositories” to enable Inspector for and click “Install & Authorize”
  4. Click “Authorize kusaridev”

How to use Kusari Inspector

Open a pull request in any repository with Kusari Inspector enabled. Within seconds, you will see a comment from Kusari-Inspector[bot] with a recommendation on whether or not to proceed with the pull request, along with information supporting the recommendation and suggested mitigations. For readability, some content may be collapsed under a “Click to expand for details and specific link to issues” heading.

Kusari Inspector will provide a table of dependency changes and list concerns with licenses, vulnerabilities, workflows, and other issues. When relevant, Kusari Inspector will add comments to specific lines in the pull request with suggested remediations.

Kusari Inspector will re-run when the pull request changes. You can also manually trigger re-analysis by adding an @kusari-inspector rerun comment to your PR.

To let us know if a review was helpful, add a thumbs up or thumbs down reaction to the GitHub comment. If you have more detailed feedback, type @kusari-inspector feedback [your message]. For example:

@kusari-inspector feedback This saved me so much time!

How it works

Kusari Inspector runs a suite of industry-standard tools over changed files in your Pull Request. It then takes those results and does a deep analysis with code context to return a go/no-go recommendation. Regardless of the recommendation, Kusari Inspector provides actionable remediation and improvement suggestions, including comments on specific lines where appropriate.

Kusari Inspector works as a stand-alone SaaS tool and integrates with the Kusari Platform to consolidate project and repository insights while linking source code commits to runtime events.

Supported languages

  • Golang (Go) - go.mod, go.sum
  • Node.js (NPM) - package-lock.json, yarn.lock
  • Python (PyPI) - requirements.txt, poetry.lock, Pipfile.lock, uv.lock
  • Java (Maven) - pom.xml, gradle.lockfile, buildscript-gradle.lockfile
  • Ruby (RubyGems) - Gemfile.lock
  • Rust (Cargo) - Cargo.lock
  • HashiCorp Configuration Language (HCL)

Checks

Kusari Inspector checks for:

  • Credentials and other secrets
  • Typosquatted dependency names
  • Common code weaknesses via static analysis
  • Direct and transitive dependencies
  • Dependencies’ repository security posture
  • Software licenses
    • Categorized into strong copyleft, weak copyleft, network copyleft, and permissive
  • Known vulnerabilities, including severity (CVSS), likelihood of exploit (EPSS), and known exploited vulnerabilities
  • GitHub workflow security issues
  • Dockerfile security issues
  • Terraform security issues
  • Helm Chart security issues

Security and Privacy

We do not store your code in any form. The code in the pull request is analyzed by industry-standard security tools running in Kusari’s cloud infrastructure. The output of those tools, as well as a subset of the code, is sent to the AI model for analysis. Once analysis is completed, all input is deleted. The AI model is not trained on customer code or analysis results. All analysis is done in memory and data is encrypted at rest and in transit. Kusari is SOC2 Type II compliant.

GitHub permissions

Kusari Inspector uses the following GitHub permissions:

  • Repository: read access to code and metadata
  • Repository: read and write access to checks, issues, and pull requests
  • User: read access to email addresses
  • User: read access to public repositories, public organization information, and public user profile data


FAQs

Pricing

How do you define a developer?

For billing purposes, a “developer” is a non-bot account that has made one or more commits to a private repository with Kusari Inspector enabled within the last 30 days.

How do I get the free 30 days offer?

When you subscribe to the Starter or Enterprise plan, we'll issue you a credit for the first month.

Do you offer enterprise plans?

Absolutely. Our Enterprise plan is designed for larger organizations with complex security and compliance needs. Contact us to discuss your requirements.

Are there rate limits on each plan?

The Free and Starter plans are subject to anomaly detection to identify and prevent abuse. In addition, the model provider places limits on usage which may cause bursts of requests to be queued. Kusari may update rate limit policies in the future, but we will always provide ample advance notice.

Support

What kind of support is included?

All plans include standard support. Enterprise plans receive dedicated support and SLAs.

How do I get support?

Email support@kusari.dev.

Analysis

How does Kusari Inspector determine if something is outside of acceptable risk parameters?

  • All vulnerabilities discovered in dependencies are considered outside acceptable risk parameters
  • Potential code issues are considered in usage context. For example, potential vulnerabilities in a test suite are considered less important than the same vulnerability in an actively-used code path.
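The two rules above, worked through as an added illustration (this is not Kusari Inspector's own code): every dependency vulnerability blocks, while a code finding is weighted by whether it sits on a live code path or only in test code. The finding fields, the severity threshold and the test-path heuristic are assumptions made for the example.

```python
"""Illustration of the two stated risk rules: dependency vulnerabilities
always block; code findings are weighted by usage context (test code vs.
an actively used path). Added example; the Finding fields, severity
threshold and path heuristic are assumptions, not the product's logic."""
from dataclasses import dataclass

# Path fragments assumed to indicate test code (constructed heuristic).
TEST_MARKERS = ("/test/", "/tests/", "_test.", "test_", "/spec/")


@dataclass
class Finding:
    kind: str        # "dependency" or "code"
    path: str        # file the finding applies to
    severity: str    # "low" | "medium" | "high" | "critical"
    detail: str      # short description of the issue


def is_test_path(path: str) -> bool:
    """True when the path looks like test code (assumed heuristic)."""
    p = "/" + path.lower()
    return any(m in p for m in TEST_MARKERS)


def recommend(findings: list[Finding]) -> dict:
    """Return a go/no-go recommendation with the reasons behind it."""
    blocking, advisory = [], []
    for f in findings:
        if f.kind == "dependency":
            # Rule 1: any vulnerability in a dependency is outside tolerance.
            blocking.append(f"dependency: {f.detail} ({f.path})")
        elif f.severity in ("high", "critical") and not is_test_path(f.path):
            # Rule 2: a serious weakness on a live code path blocks.
            blocking.append(f"code: {f.detail} ({f.path})")
        else:
            # Lower severity, or only reachable from tests: report, don't block.
            advisory.append(f"code: {f.detail} ({f.path})")
    return {"proceed": not blocking, "blocking": blocking, "advisory": advisory}


# Constructed sample findings for one pull request.
SAMPLE = [
    Finding("dependency", "go.mod", "medium", "known vulnerability in a direct dependency"),
    Finding("code", "internal/auth/token.go", "high", "hard-coded credential"),
    Finding("code", "internal/auth/token_test.go", "high", "hard-coded credential"),
]

if __name__ == "__main__":
    print(recommend(SAMPLE))
```

Running the sample yields a no-go with two blocking reasons (the dependency and the credential on the live path) and one advisory entry for the identical credential in the test file.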

Why did we choose what to check and the criteria for a blocking security issue?

The Kusari Inspector recommendations are based on our team’s experience securing the software supply chain of several large organizations. We focus on evaluating issues in context and removing noise to highlight real issues that impact the security of a software project. Our approach errs on the side of caution; every project or organization has its own risk appetite and threat model.

What are some examples of Kusari Inspector in action?
