open source · self-hosted · apache-2.0

One sweep across your whole stack.

Not another scanner — the great free ones already exist. An aggregator that lives on your box: it runs the sweeps, collects every finding into one pile per app, and opens the fix PRs. Your keys never leave home.

docker · kubernetes
1. run
docker compose up
2. connect
./connect github --org youruser
see it in action
 stacksweep
> sweep --all
semgrep · 4 repos    12.1s
trivy · deps + images  9.8s
prowler · aws        41.2s
 
marketing-site  13 findings  2 critical
side-project-api 4 findings
recipe-api      all clear
 
✓ fix PR opened — lodash.merge prototype pollution
features

one view, whole stack

Your repo's CVEs and your S3 misconfigs in the same list, under the same app. Code, dependencies, containers, cloud — one pile.

your keys never leave

Self-hosted, no telemetry, no SaaS. Source and cloud credentials stay on your box. That's the point.

it opens the fix

Findings with a code-shaped fix get a drafted PR. Review, merge, move on.

by app, not by tool

Ten dashboards become one. Every finding lands under the app it belongs to, ranked by what's actually on fire.

standards-native

Anything that speaks OCSF or SARIF plugs in with zero integration work. Vendor APIs are small connector jobs.

quiet by design

Deduped, severity-sorted, noise suppressed. Accept a risk with a reason and it stays quiet.