A merge gate built from graph evidence.
Arbor converts a PR into a security evidence packet using deterministic graph analysis. The pipeline runs in under 15 seconds: analyze the changed code, build the call graph, trace reachable paths, score evidence, and post the verdict.
No LLMs. No pattern matching. Just the call graph and the paths through it.
From diff to security gate in four steps.
10 surfaces. 4 verdicts. Structural evidence.
Every PR is analyzed against a deterministic security surface taxonomy with evidence-based verdicts.
High-centrality security code modified. Requires security team sign-off.
Reachable security paths detected. Manual review by code owner.
Proximity to sensitive code. Informational evidence provided.
No high-priority reachable security path detected. Evidence packet still shows limitations.
The comment is evidence, not theater.
Arbor posts the reachable paths, sensitive surfaces, required proof, and limitations in the place reviewers already make the merge decision.
Block only when the path is reachable
Arbor separates reachable risk from noisy static findings. A vulnerability in dead code is noise; one reachable from POST /checkout is a gate.
Reviewer-ready evidence
Every finding names the exact route, the sensitive sink, each hop in the call path, and the specific action required before merge.
Honest uncertainty
Dynamic imports, reflection, and unresolved edges become limitations in the comment, not hidden gaps or false green lights.
14 languages. Real AST parsing.
Syntax-accurate parsing for every supported language. The graph is built from actual function definitions, call sites, and imports.
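An added illustration of the reachability gate and the honest-uncertainty rule described above, written in Python for this page and not taken from Arbor: the sample module, the route map and the sink list are constructed. It builds a call graph from the AST, traces each route to a sensitive sink through the functions a PR touched, and records dynamic call sites as limitations rather than guessing an edge.

```python
import ast
from collections import defaultdict

# Constructed sample module: the post-merge state of a hypothetical PR.
SAMPLE = """
def checkout(): charge(price(cart()))      # entry point, served as POST /checkout
def cart(): return []
def price(items): return sum(items)
def charge(total): run_query("UPDATE orders SET paid = 1")   # sensitive sink
def legacy_export(): run_query("DROP TABLE audit")           # dead code: no route reaches it
def plugin_hook(name): getattr(plugins, name)()              # dynamic dispatch: target unknown statically
"""
ENTRIES = {"checkout": "POST /checkout"}   # constructed handler -> route map
SINKS = {"run_query"}                      # constructed sensitive-sink list

def build_graph(src):
    # Resolved call edges per function; unresolvable call sites become limitations, never guesses.
    edges, limits = defaultdict(set), {}
    for fn in ast.parse(src).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            if isinstance(call.func, ast.Name):
                edges[fn.name].add(call.func.id)
            else:
                limits[fn.name] = ast.unparse(call.func)
    return edges, limits

def reachable_paths(edges, entry, changed):
    # DFS from an entry point; keep every hop list that reaches a sink via a changed function.
    paths, stack = [], [(entry, [entry])]
    while stack:
        fn, path = stack.pop()
        for callee in sorted(edges.get(fn, ())):
            if callee in path:          # recursion guard
                continue
            if callee in SINKS:
                if changed & set(path):
                    paths.append(path + [callee])
            else:
                stack.append((callee, path + [callee]))
    return paths

def evidence_packet(src, changed):
    # Verdict plus the evidence behind it: reachable paths per route and
    # unresolved edges inside the changed functions.
    edges, limits = build_graph(src)
    paths = {route: reachable_paths(edges, fn, changed) for fn, route in ENTRIES.items()}
    return {"verdict": "block" if any(paths.values()) else "pass",
            "paths": {r: p for r, p in paths.items() if p},
            "limitations": {f: t for f, t in limits.items() if f in changed}}
```

A change to `charge` blocks with the full hop list, a change to the dead `legacy_export` passes, and a change to `plugin_hook` passes but carries the unresolved `getattr` call as a limitation.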