Features

Reachability first. Policy second. Noise last.

Arbor focuses on the security evidence reviewers can actually verify: reachable call paths, sensitive surfaces with category classification, required proof before merge, and known limitations where the engine acknowledges uncertainty.

The core engine is deterministic — graph analysis, call-path reachability, and weighted evidence scoring. No LLM in the analysis path.

Capabilities

Built for the security review bottleneck AI created.

Arbor does not try to be another all-purpose reviewer. It is the deterministic evidence layer for PRs that touch security-critical paths.

Reachable security paths

Trace from production entrypoints through changed symbols into sensitive sinks. Arbor proves whether risk is reachable from application code.

Entry -> service -> sink pathsKnown limitations shownNo prose-only verdicts

Policy-grade risk

Correctness, security, reliability, and maintainability signals feed an evidence model, then collapse into the merge decision your team configured.

Gate / review / advisory / passConfidence and abstentionHuman proof requirements

Security blast radius

See which auth, payment, PII, webhook, database, network, and secrets paths depend on the PR before it merges.

Policy gates

Configure monitor, review-required, or blocking behavior for critical reachable paths via repo policy.

Evidence packets

Every finding carries the call path, changed surface, sensitive sink, required proof, and known limitations.

Honest uncertainty

When dynamic imports or unresolved graph edges reduce confidence, Arbor marks the limitation and routes to human review.

Compliance trail

Store PR evidence to show auditors what was reviewed, which policy fired, and what unblocked the merge.

Entrypoint detection

Detect HTTP routes, API handlers, webhooks, and cron jobs across common web stacks before graph walking starts.

21 evidence signals

Signals carry reliability weights, freshness, and confidence intervals instead of pretending every hint is equal.

Suggested proof

Auth owner approval, payment integration tests, DB review, monitoring plans, and manual review where evidence is incomplete.

How it compares

Use scanners and reviewers. Add Arbor where they are structurally blind.

The honest positioning: Arbor complements CodeRabbit, Copilot reviews, Snyk, Semgrep, and SonarQube by answering the reachability question they often leave to humans.

Question

Arbor

LLM PR reviewers

SAST / SCA scanners

Manual review

Primary question

Is this security path reachable from code that changed?

Does the diff look suspicious?

Does a rule or CVE match this file/dependency?

Can the reviewer infer the impact in time?

Best at

PR-time reachability, blast radius, and policy evidence

Summaries, naming issues, obvious local mistakes

Broad rule coverage and known-vulnerability inventory

Business context and judgment calls

Failure mode

Unknown edges become explicit review requirements

Confident prose can hide missing context

Alert backlogs and weak prioritization

Senior review capacity becomes the bottleneck

Output

Call paths, surfaces, verdict, required proof

Comments and suggested patches

Findings, severities, and rule IDs

Approval, questions, or tribal knowledge

Security model

10 surfaces. 4 verdicts. Structural evidence.

Every PR is analyzed against a deterministic security surface taxonomy with evidence-based verdicts.

Sensitive surfaces

Verdict levels

GATE≥ 0.9

High-centrality security code modified. Requires security team sign-off.

REVIEW≥ 0.6

Reachable security paths detected. Manual review by code owner.

ADVISORY≥ 0.3

Proximity to sensitive code. Informational evidence provided.

PASS< 0.3

No high-priority reachable security path detected. Evidence packet still shows limitations.

Analysis pipeline

PR Webhook

GitHub event

Parse Code

AST analysis

Build Graph

call paths

Walk Paths

reachability

Score Risk

4D fusion

Verdict

Policy

PR Comment

Evidence

Why Arbor

Scanners flag. LLMs speculate. Arbor proves.

The missing layer between noisy static analysis and vague AI suggestions: structural proof that a PR creates a reachable security path.

Reachability proofYes

ArborGraph walk proves path exists

OthersPattern match or LLM prose

Security blast radiusYes

Arbor10 surface categories across auth, payment, PII, DB, secrets, session, crypto, network, validation, permissions

OthersFile-level severity labels

Policy-grade outputYes

ArborRequired proof before merge — gate, review, advisory, pass

Partial

OthersAdvisory comments only

Deterministic analysisYes

ArborTree-sitter + petgraph. Same code = same verdict, every time

OthersLLM-generated suggestions. Different runs, different results

Honest uncertaintyYes

ArborUnknown evidence → route to human review instead of green-lighting

OthersGaps hidden or silently ignored

AI-code velocityYes

ArborDesigned for teams where AI output exceeds human review capacity

Partial

OthersRetrofitted scanning not built for PR volume

Language support

14 languages. Real AST parsing.

Syntax-accurate parsing for every supported language. The graph is built from actual function definitions, call sites, and imports.

TypeScript.ts .tsx

JavaScript.js .jsx

Python.py

Rust.rs

Go.go

Java.java

C#.cs

Ruby.rb

PHP.php

Swift.swift

Kotlin.kt

C / C++.c .cpp .h

Scala.scalabeta

Elixir.ex .exsbeta

Framework-aware entry points

Next.jsTypeScript

App Router, Pages API, Middleware

ExpressJavaScript

Route handlers, Middleware chains

FastAPIPython

Endpoint decorators, Dependencies

SpringJava

Controllers, REST resources

AxumRust

Handlers, Extractors, Layers

Gin / EchoGo

Handler funcs, Group routing

Every language uses a dedicated grammar for precise AST parsing. No regex, no line-level matching, no heuristics.

PR comment UI

The comment is evidence, not theater.

Arbor posts the reachable paths, sensitive surfaces, required proof, and limitations in the place reviewers already make the merge decision.

arbor-securitybot commented just now

Block only when path is reachable

Arbor separates reachable risk from noisy static findings. A vulnerability in dead code is noise; one reachable from POST /checkout is a gate.

Reviewer-ready evidence

Every finding names the exact route, the sensitive sink, each hop in the call path, and the specific action required before merge.

Honest uncertainty

Dynamic imports, reflection, and unresolved edges become limitations in the comment, not hidden gaps or false green lights.

Open source core

The graph engine is open. Inspect what Arbor sees.

Parsing and graph construction are open-source Rust crates. Read the code, run it locally, verify the call graph.

arbor-coreLanguage parsing for 14 languages

crate

arbor-graphCall graph engine + reachability analysis

crate

MIT licensedUse it in your own tooling

license

View on GitHub

example.rs

1use arbor_graph::ArborGraph;
2
3// Parse the repository into a call graphlet graph = ArborGraph::from_directory("./src")?;
4
5// Walk upstream from a changed functionlet impact = graph.analyze_impact(node_id, 5);
6
7// Every caller, callee, and transitive pathfor upstream in &impact.upstream {    println!("{} → {} ({} hops)",        upstream.node_info.name,        upstream.node_info.file,        upstream.hop_distance,    );}

RustUTF-8 | LF

Reachability first. Policy second. Noise last.

The core engine is deterministic — graph analysis, call-path reachability, and weighted evidence scoring. No LLM in the analysis path.

1use arbor_graph::ArborGraph; 2 3// Parse the repository into a call graphlet graph = ArborGraph::from_directory("./src")?; 4 5// Walk upstream from a changed functionlet impact = graph.analyze_impact(node_id, 5); 6 7// Every caller, callee, and transitive pathfor upstream in &impact.upstream { println!("{} → {} ({} hops)", upstream.node_info.name, upstream.node_info.file, upstream.hop_distance, );}