act101 online

The AI-Code Health Score for the repos your agent writes.

One score, two halves — Security + Architecture — GitHub-native, free for public repos.

Free for public repos · one free scan per private repo · we'll email your results and occasional tips · unsubscribe in one click. Privacy.

Continue to GitHub →

The score

One grade. Two halves.

Your AI-Code Health Score rolls up into a single letter grade, then drills down into the two halves that decide whether agent-written code is shippable.

Security

Will it leak or get exploited?

  • Hardcoded credentials & secrets
  • Injection / taint flows — SQLi, XSS
  • Unsafe & dangerous surface
  • Plus the uniquely-AI detections (below)
Architecture

Will it rot under you?

  • God files & runaway modules
  • Circular dependencies
  • Dead code
  • Coupling & layering violations

The structural rot that SAST tools miss — scored alongside the security findings, not in a separate silo.

★ AI-specific

The findings nobody else ships.

Agents write code in ways humans don't — and break things humans wouldn't. These six detectors target the failure modes that only show up when an AI is the author.

★ .cursorrules / AI-config backdoor

Hidden Unicode and injected directives smuggled into agent config files.

★ MCP-config RCE

.mcp.json and MCP server configs — the CVE-2025-59944 class of remote code execution.

★ Frontend secret leak

Secrets exposed behind NEXT_PUBLIC_ / VITE_ / REACT_APP_ / EXPO_PUBLIC_; Supabase service_role used client-side.

★ Insecure defaults

CORS *, verify=False / rejectUnauthorized:false, JWT alg:none.

★ Permissive datastore rules

Firebase/Firestore allow …: if true; Supabase RLS USING (true).

★ Risky infra / CI

Dockerfile runs as root; GitHub Actions permissions: write-all / pull_request_target.
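What four of those detector classes look like to a scanner, as an added example that is not act101's code: a small Python checker with its own hypothetical rule names and regexes, run over a constructed sample repo (every file below is made up for the example). It covers frontend secret leaks, insecure defaults, permissive datastore rules and risky infra/CI; the hidden-Unicode and MCP-config checks need format-aware parsing and are not attempted here. A hardened Dockerfile sits beside the vulnerable one to show a clean pass.

```python
"""Line-level checks for four detector classes above, run over a constructed
sample repo. Added illustration, not act101's scanner: rule names, regexes
and sample files are this example's own assumptions."""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 0 marks a whole-file finding
    rule: str
    detail: str


# (rule, regex, description). Deliberately narrow: each pattern flags the
# literal shape the detector list names, not every variant an agent could emit.
PATTERNS = [
    ("frontend-secret-leak",
     re.compile(r"(NEXT_PUBLIC_|VITE_|REACT_APP_|EXPO_PUBLIC_)\w*(SECRET|SERVICE_ROLE|PRIVATE|PASSWORD)"),
     "server-side secret behind a public build-time env prefix"),
    ("frontend-secret-leak", re.compile(r"service_role", re.I),
     "Supabase service_role key referenced (bypasses RLS if it reaches the client)"),
    ("insecure-default", re.compile(r"\bverify\s*=\s*False\b"),
     "TLS verification disabled (requests verify=False)"),
    ("insecure-default", re.compile(r"rejectUnauthorized\s*:\s*false"),
     "TLS verification disabled (Node rejectUnauthorized:false)"),
    ("insecure-default", re.compile(r"""\balg(orithms?)?['"]?\s*[:=]\s*\[?\s*['"]none['"]"""),
     "JWT alg:none accepted"),
    ("insecure-default",
     re.compile(r"""(Access-Control-Allow-Origin['"]?\s*[:,]\s*['"]?\*|\borigin\s*:\s*['"]\*['"])"""),
     "CORS wildcard origin"),
    ("permissive-rules", re.compile(r"\ballow\s+[\w,\s]+:\s*if\s+true\b"),
     "Firestore rule grants access unconditionally"),
    ("permissive-rules", re.compile(r"\busing\s*\(\s*true\s*\)", re.I),
     "RLS policy USING (true)"),
    ("risky-ci", re.compile(r"^\s*permissions\s*:\s*write-all\b"),
     "GitHub Actions permissions: write-all"),
    ("risky-ci", re.compile(r"\bpull_request_target\b"),
     "pull_request_target runs fork PR code with a write-capable token"),
]


def dockerfile_runs_as_root(text: str) -> bool:
    """True when there is no USER directive or the last one is root."""
    users = re.findall(r"^\s*USER\s+(\S+)", text, re.M)
    return not users or users[-1].split(":")[0] == "root"


def scan_file(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()  # at most one finding per rule per line
        for rule, rx, detail in PATTERNS:
            if rule not in seen and rx.search(line):
                seen.add(rule)
                findings.append(Finding(path, lineno, rule, detail))
    if os.path.basename(path).startswith("Dockerfile") and dockerfile_runs_as_root(text):
        findings.append(Finding(path, 0, "risky-ci", "Dockerfile never drops root"))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_file(path, text)]


def count_by_rule(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample repo; no file here comes from a real project.
SAMPLE_REPO = {
    "apps/web/.env.production": (
        "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co\n"
        "NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiJ9.fake.fake\n"
    ),
    "api/client.py": "import requests\nresp = requests.get(url, verify=False)\n",
    "server/app.js": (
        'const https = require("https");\n'
        "const agent = new https.Agent({ rejectUnauthorized: false });\n"
        'app.use(cors({ origin: "*" }));\n'
        'const claims = jwt.verify(token, key, { algorithms: ["none"] });\n'
    ),
    "firestore.rules": (
        "rules_version = '2';\nservice cloud.firestore {\n"
        "  match /databases/{db}/documents {\n"
        "    match /{document=**} {\n      allow read, write: if true;\n    }\n  }\n}\n"
    ),
    "supabase/migrations/0001_orders.sql":
        'create policy "open" on public.orders for all using (true);\n',
    ".github/workflows/ci.yml":
        "on: [pull_request_target]\npermissions: write-all\njobs:\n  build:\n    runs-on: ubuntu-latest\n",
    "Dockerfile": 'FROM python:3.12-slim\nCOPY . /app\nCMD ["python", "/app/main.py"]\n',
    # Hardened counterpart: drops root, so it yields no finding.
    "services/api/Dockerfile":
        'FROM python:3.12-slim\nRUN useradd --create-home app\nUSER app\nCMD ["python", "main.py"]\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line} [{f.rule}] {f.detail}")
    print(count_by_rule(scan_repo(SAMPLE_REPO)))
```

Run directly it prints one line per finding and a per-rule count. A production detector would restrict the service_role check to client bundles and parse YAML and Dockerfiles instead of matching lines; the point here is which shapes get flagged and that the hardened Dockerfile passes.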

How it runs

GitHub-native, on your infrastructure.

The scan runs on your own GitHub Actions runner. Results land where your team already works: a PR comment, a Check Run, and SARIF that flows into code-scanning alerts and Copilot Autofix.

act101 never ships your code off-site. Your code never leaves the GitHub Actions runner; the only thing sent out is opt-in usage metrics. For public repos, the published health score powers the badge and the leaderboard (opt out with arena: false). Leaderboard players opt in at CLI onboarding to upload usage counters only: never code, never file paths, never repo contents. How we measure →

act101 never authors the edit. The findings reach you through the PR comment, Check Run and SARIF path above; the remediation stays in your hands.

+ fix: act101's MCP wired into the Copilot coding agent for grounded remediation, so the agent fixes against real structural context rather than a guess.

Pricing

Free where it should be. Paid where it scales.

Public repos are free forever, plus one free scan per private repo. Paid plans are priced by private-repo count — every tier runs the full analysis; bands are scale only, never a feature ladder. + fix adds act101's MCP inside the Copilot coding agent for grounded remediation.

Plan                Private repos                            Monthly      Annual (2 mo free)
Free                public unlimited + 1 free private scan   $0
online · Solo       ≤ 5                                      $29          $290
online · Team       ≤ 25                                     $99          $990
online · Business   ≤ 100                                    $199         $1,990
online · Scale      ≤ 500                                    $499         $4,990
+ fix · Solo        ≤ 5                                      $59          $590
+ fix · Team        ≤ 25                                     $199         $1,990
+ fix · Business    ≤ 100                                    $399         $3,990
+ fix · Scale       ≤ 500                                    $999         $9,990
Enterprise          > 500                                    Contact us

All prices USD · Free + 8 self-serve plans billed through GitHub Marketplace · Enterprise (> 500 repos) billed direct by invoice. + fix is a strict superset of online — upgrade is a plan change, no second install.

Install on GitHub Marketplace →

Scan your repo free

Get your AI-Code Health Score — Security + Architecture in one grade. Free for public repos.

Stay in the loop

Ship notes and new capabilities, occasionally. No spam; unsubscribe anytime.