v0.1 · GitHub App

RepoWave

Static audits and draft autofix PRs for Python, FastAPI, GitHub Actions, and Docker repositories.

  • Review surface: findings are posted on the pushed commit.
  • Guardrail: secrets/, .env, Terraform, auth, and security paths are excluded.
  • Workflow: RepoWave opens draft PRs. It does not self-merge.
  • Plans: free for public repos. Paid plans add private repos and draft autofix PRs.
Workflow

From install to draft PR.

RepoWave keeps the loop short: Marketplace install in, GitHub webhook in, static analysis out, and a draft PR only for allow-listed changes.

01

Install from GitHub Marketplace

Open the approved Marketplace listing, then choose all repositories or a selected set.

02

Push code

A signed webhook schedules a scan for that commit.

03

Review findings on the commit

Findings include rule, severity, file, line, and message.

04

Review the draft PR

Only formatting and import-order fixes can create a PR.
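How step 02 can be implemented on the receiving side, as an added Python example that is not RepoWave's own code: the handler checks GitHub's standard X-Hub-Signature-256 header against the raw body before it parses the push event, then reports the repository and commit SHA that a scan would be scheduled for. The secret and the push payload are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional, Tuple

# Constructed secret and payload for this example; a real app reads the secret
# from configuration and receives the payload from GitHub.
WEBHOOK_SECRET = b"example-webhook-secret"
SAMPLE_PUSH = json.dumps({
    "ref": "refs/heads/main",
    "after": "0123456789abcdef0123456789abcdef01234567",
    "deleted": False,
    "repository": {"full_name": "example-org/example-service"},
}).encode()

def sign(secret: bytes, body: bytes) -> str:
    """Build the X-Hub-Signature-256 value GitHub sends: 'sha256=' + hex HMAC of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Accept the request only if the header matches the HMAC of the exact raw bytes received."""
    if not header or not header.startswith("sha256="):
        return False
    # compare_digest is constant-time, so a wrong guess does not leak timing information.
    return hmac.compare_digest(header, sign(secret, body))

def scan_target(body: bytes) -> Optional[Tuple[str, str]]:
    """Return (repository, commit SHA) for a push worth scanning, else None."""
    payload = json.loads(body)
    sha = payload.get("after", "")
    repo = payload.get("repository", {}).get("full_name")
    # Branch deletions carry deleted=True and an all-zero "after" SHA; nothing to scan.
    if payload.get("deleted") or not repo or not sha or set(sha) == {"0"}:
        return None
    return repo, sha

def handle_webhook(headers: Mapping[str, str], body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Verify first, parse second: an unsigned or mis-signed body never reaches json.loads."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return "rejected"
    if headers.get("X-GitHub-Event") != "push":
        return "ignored"
    target = scan_target(body)
    if target is None:
        return "ignored"
    return "scheduled:%s@%s" % target
```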

Coverage

Repository checks.

Rules cover the parts of a Python service repo that commonly drift during normal development. RepoWave is intentionally narrower than broad SAST suites, and stronger at the conservative Python/FastAPI lane it claims.

Python

Dead code, blocking calls in async code, missing HTTP timeouts, logging hygiene, and Pydantic compatibility.

FastAPI

Untyped returns, missing response models, and route handlers that do too much work inline.

GitHub Actions

Unpinned actions, missing permission blocks, and unsafe workflow patterns.

Docker

Root containers, missing health checks, and common Dockerfile quality issues.

Paid audit report

Repo Health Audit: $750 fixed scope.

For teams that want a one-time repo cleanup plan before installing another recurring tool, RepoWave turns scan output into a short, prioritized engineering report and starts with a prefilled request email.

What you get

  • One Python/FastAPI repository reviewed across code, tests, GitHub Actions, and Docker.
  • Prioritized findings grouped by severity, effort, and near-term cleanup value.
  • Three safe pull-request candidates called out for immediate follow-up.
  • Markdown report delivered within five business days after repository access is confirmed.
  • A structured intake email prompt that captures repository URL, branch, deadline, and primary concern.

Fixed-scope terms

  • $750 for one repository and one default branch.
  • Best fit: Python, FastAPI, GitHub Actions, and Docker repositories.
  • Source is reviewed for the audit and not retained after delivery.
  • Additional repositories, migrations, or implementation work are scoped separately.
  • Reply with the repository URL and the default branch to get the audit started.

Include the repository URL, default branch, deadline, and primary concern when you reply so the audit can be scoped quickly.

Positioning

Built for teams that do not need another noisy dashboard.

Top Marketplace tools win by being easy to install, clear about pricing, and trustworthy about security. RepoWave matches that buying checklist while staying focused on auditable Python repository hygiene.

RepoWave

  • Python, FastAPI, GitHub Actions, and Docker checks
  • Commit comments on every scanned SHA
  • Draft autofix PRs only for formatting and import order
  • No source-code persistence after scan completion
  • Marketplace-native billing and plan enforcement

Broad scanners

  • Many languages and security categories
  • Central dashboards and alert queues
  • More coverage, more configuration, and more triage
  • Best when AppSec breadth matters more than conservative PR automation

Safety policy

Autofix limits.

The allow-list lives in core/security/autofix_gate.py. Only formatting and import order categories produce PRs. Security, secrets, deployment, migration, CI permissions, Terraform, auth, and .env paths stay advisory.
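A gate with the shape described above, as an added Python example rather than the contents of RepoWave's core/security/autofix_gate.py: a finding becomes a draft-PR candidate only when its category is on the allow-list and its path is not on the denylist, and everything else stays advisory. The category names, directory names and sample findings are constructed for the example.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Iterable, List, Tuple

# Rule categories that may become draft PRs: the allow-list.
AUTOFIX_CATEGORIES = frozenset({"formatting", "import-order"})
# Path components and suffixes that stay advisory regardless of category (constructed names).
DENIED_DIRS = frozenset({"secrets", "auth", "terraform", "migrations", "deploy"})
DENIED_SUFFIXES = frozenset({".tf", ".tfvars"})
CI_WORKFLOWS = ".github/workflows/"

@dataclass(frozen=True)
class Finding:
    rule: str       # rule id as posted on the commit
    category: str   # what the rule fixes: formatting, import-order, or something advisory
    severity: str
    file: str       # repository-relative POSIX path
    line: int
    message: str

def path_is_denied(path: str) -> bool:
    """True for paths the gate never edits: secrets, auth, Terraform, migrations, .env, CI workflows."""
    p = PurePosixPath(path)
    if {part.lower() for part in p.parts} & DENIED_DIRS:
        return True
    # startswith(".env") is deliberately broad so .env.local and friends are also denied.
    if p.name.lower().startswith(".env") or p.suffix.lower() in DENIED_SUFFIXES:
        return True
    return path.startswith(CI_WORKFLOWS)

def disposition(f: Finding) -> str:
    """'autofix' only when the category is allow-listed AND the path is not denied."""
    if f.category not in AUTOFIX_CATEGORIES or path_is_denied(f.file):
        return "advisory"
    return "autofix"

def split_findings(findings: Iterable[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Partition findings into (draft-PR candidates, advisory-only)."""
    autofix, advisory = [], []
    for f in findings:
        (autofix if disposition(f) == "autofix" else advisory).append(f)
    return autofix, advisory

# Constructed sample findings: only the first one passes both checks.
SAMPLE = [
    Finding("fmt-blank-lines", "formatting", "low", "app/main.py", 12, "two blank lines expected"),
    Finding("import-order", "import-order", "low", "app/auth/deps.py", 1, "imports not sorted"),
    Finding("missing-timeout", "python-hygiene", "high", "app/client.py", 40, "HTTP call without timeout"),
    Finding("fmt-trailing-ws", "formatting", "low", ".env", 3, "trailing whitespace"),
]
```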

You can read the entire safety boundary in the docs.

Trust

Marketplace-ready operating details.

Buyers expect documentation, privacy, support, status, and pricing to be one click away. RepoWave keeps those surfaces explicit.

Data handling

Repository source is fetched for analysis and deleted after the scan. Finding metadata is retained for 90 days.

Privacy policy

Support and security

Support runs through support@repowave.dev. Security reports use the SECURITY: subject prefix.

Support page

Documentation

Install, scan behavior, autofix boundaries, uninstall, limits, and troubleshooting are documented in one place.

Read docs

Status

The health endpoint is public and returns a minimal readiness response for uptime monitoring.

Health check

Pricing

Plans.

Public repositories can scan for free. Paid plans are priced by private repository capacity so small Python teams do not have to buy a broad per-developer AppSec platform.

Free

$0/month

For public repositories that want continuous scanning without auto-remediation.

  • Public repositories only
  • All scan rules included
  • Commit comments and PR review comments
  • No auto-fix PRs

Solo

$12/month

For one private Python service that needs safe GitHub-native hygiene.

  • One private repository included
  • Draft autofix PRs for supported rules
  • Commit comments on every scanned SHA
  • Same hardcoded safety denylist

Team

$69/month

For small teams with several private repositories under one GitHub organization.

  • Everything in Pro
  • Fifteen private repositories included
  • Organization-level Marketplace billing
  • Prioritized support

Scale

$149/month

For larger Python repo fleets that still want conservative automation.

  • Fifty private repositories included
  • Draft autofix PRs for supported rules
  • Priority support
  • Custom rollout guidance

FAQ

Before you add RepoWave.

Is this a Snyk, Semgrep, Codacy, or SonarQube replacement?

No. RepoWave is not a broad AppSec suite. It is a narrow, conservative GitHub App for Python/FastAPI repository hygiene and safe mechanical autofix PRs.

Will RepoWave change production code automatically?

No. Paid plans can open draft PRs, but RepoWave never self-merges and never edits denied paths like secrets, auth, Terraform, migrations, or .env.

How fast is setup?

Install from the approved Marketplace listing, pick repositories, then push. There is no YAML file, CI runner, or token rotation required.