Compare

GHAS flags patterns.
Snyk checks deps.
Arbor proves paths.

The question every other tool leaves unanswered: does this specific PR — this diff — actually reach your payment API, your auth system, your secrets store? Arbor walks the call graph and shows you the path. Or tells you honestly when it can't.

GitHub Advanced Security

Great for known CVE patterns and CodeQL rules.
Doesn't model your application call graph.

Snyk

Best-in-class for vulnerable dependencies.
Reachability limited to SCA, not your code.

LLM Review

Useful for style and obvious bugs.
Can't walk the actual graph. Guesses at reachability.

Arbor vs. the alternatives

GHAS flags patterns. Snyk checks deps. Arbor proves paths.

GitHub Advanced Security is great for known CVEs and CodeQL rules. Snyk catches vulnerable packages. LLMs write PR comments. None of them can tell you whether a changed function is reachable from your checkout API into your payment sink. Arbor can.

Capability	Arbor	GHAS	Snyk	LLM review
Reachability proof	Graph walk from diff to security sink — provable path	Pattern + CodeQL rule match; no call-path to sink	Reachability on SCA deps only, not your application code	Infers paths from prose; can't walk the actual graph
PR-time analysis	Posted as PR comment + commit status gate in < 30s	Code scanning runs on PR; results posted inline	PR checks on open/push	AI review agents run on PR diff
Security blast radius	10 surface categories: auth, payment, PII, DB, secrets…	Findings at file/line level; surface category not modeled	Vuln database match; blast-radius not computed	Guesses based on function names and comments
Deterministic output	Tree-sitter + petgraph; same code = same result, always	CodeQL is deterministic; rule changes affect output	DB-driven; deterministic per DB version	Temperature > 0 means the same diff gets different verdicts
Honest uncertainty	Dynamic imports → explicit limitations + human review routing	Missed findings are silent; no 'unknown' state exposed	No finding = silent pass, not an explicit abstention	Confident prose even when graph context is unavailable
Policy gates (block / review)	Configurable via .arbor/security.yml; gate or require proof	Branch protection can block on code scanning alerts	Fail-on-high supported for dependencies	Advisory comments only; no structured policy output
AI-generated code ready	Built for AI-velocity — higher output, same graph walk	Works, but rules don't scale to generated-code patterns	SCA works; SAST rules not tuned for generated output	Reviewing AI code with AI compounds the hallucination risk
Zero LLMs in analysis	Graph + evidence model. No prompt, no API call to an LLM.	CodeQL is query-based; no generative model	DeepCode / Snyk Code uses ML; Snyk Open Source does not	LLM is the product; every verdict goes through one

8/8

full support

3/8

full support

2/8

full support

1/8

full support

GHAS and Arbor are complementary, not competing.

Keep GHAS for CVE alerts and CodeQL rules. Add Arbor for reachability proof on your own application code. They answer different questions. Together they cover the full surface.

Read the docs

Free for public repos

See it on your own repo

Install takes 2 minutes. Arbor posts on the next PR — no config required for public repos. If the call graph shows nothing of interest, you'll know that too.

Install free Read the docs

GHAS flags patterns.
Snyk checks deps.
Arbor proves paths.

GitHub Advanced Security

Great for known CVE patterns and CodeQL rules.
Doesn't model your application call graph.

Snyk

Best-in-class for vulnerable dependencies.
Reachability limited to SCA, not your code.

LLM Review

Useful for style and obvious bugs.
Can't walk the actual graph. Guesses at reachability.

Capability

Arbor

GHAS

Snyk

LLM review

Reachability proof

Graph walk from diff to security sink — provable path

Pattern + CodeQL rule match; no call-path to sink

Reachability on SCA deps only, not your application code

Infers paths from prose; can't walk the actual graph

PR-time analysis

Posted as PR comment + commit status gate in < 30s

Code scanning runs on PR; results posted inline

PR checks on open/push

AI review agents run on PR diff

Security blast radius

10 surface categories: auth, payment, PII, DB, secrets…

Findings at file/line level; surface category not modeled

Vuln database match; blast-radius not computed

Guesses based on function names and comments

Deterministic output

Tree-sitter + petgraph; same code = same result, always

CodeQL is deterministic; rule changes affect output

DB-driven; deterministic per DB version

Temperature > 0 means the same diff gets different verdicts

Honest uncertainty

Dynamic imports → explicit limitations + human review routing

Missed findings are silent; no 'unknown' state exposed

No finding = silent pass, not an explicit abstention

Confident prose even when graph context is unavailable

Policy gates (block / review)

Configurable via .arbor/security.yml; gate or require proof

Branch protection can block on code scanning alerts

Fail-on-high supported for dependencies

Advisory comments only; no structured policy output

AI-generated code ready

Built for AI-velocity — higher output, same graph walk

Works, but rules don't scale to generated-code patterns

SCA works; SAST rules not tuned for generated output

Reviewing AI code with AI compounds the hallucination risk

Zero LLMs in analysis

Graph + evidence model. No prompt, no API call to an LLM.

CodeQL is query-based; no generative model

DeepCode / Snyk Code uses ML; Snyk Open Source does not

LLM is the product; every verdict goes through one

GHAS flags patterns.Snyk checks deps.Arbor proves paths.

GHAS flags patterns. Snyk checks deps. Arbor proves paths.

See it on your own repo

GHAS flags patterns.Snyk checks deps.Arbor proves paths.

GHAS flags patterns. Snyk checks deps. Arbor proves paths.

See it on your own repo

GHAS flags patterns.
Snyk checks deps.
Arbor proves paths.

GHAS flags patterns.
Snyk checks deps.
Arbor proves paths.