Skip to content

Frequently asked questions

How the agent works, what it finds, and how it keeps your AI-built app secure — straight answers.

Getting started

What is Opviva?
Opviva is a security agent you talk to. You describe what you shipped, in plain language, or paste your live app's URL — the agent scans your app and code, proves each real vulnerability by reproducing it, opens the fix as a pull request, and keeps watching after launch. No dashboards to configure.
Who is Opviva for?
Founders, indie hackers, and teams shipping apps quickly with AI coding tools who don't have a dedicated security person. If you built something real and want an agent that finds and fixes the security gaps for you, Opviva is for you.
How do I get started?
Paste your app's URL on the homepage for a free instant security grade — no signup. Then connect your GitHub repo so the agent can read your code, prove deeper vulnerabilities, and start opening fixes.
Is there a free option?
Yes — the instant URL scan and grade are free, no signup. Connecting a repo so the agent can run the full deep scan, open fixes, and watch continuously is on a paid plan. See the Pricing page for current plans and limits.
Does Opviva have a referral program?
Yes — refer-and-earn gives both you and the person you invite 500 free credits once they make their first qualifying purchase. You share your referral link from your dashboard; the bonus is credited after a short hold to keep it fair.

How the agent works

What does it mean that Opviva is "an agent you talk to"?
Instead of configuring scanners and reading dashboards, you tell the agent what you shipped in plain language, or hand it a URL. It plans the scan, runs it, proves what it finds, and opens the fix — the way you'd hand a task to a security engineer, not operate a tool.
How does the agent prove a vulnerability is real, not a guess?
It reproduces the exploit. For an IDOR it actually retrieves another test user's data; for SSRF it confirms your server called a URL it controls. Every step is recorded on a tamper-evident Evidence Canvas you can review, so you see proof, not a maybe.
What is the Evidence Canvas?
It's the record of everything the agent did: what it tried, what it proved, and what it fixed, captured in a hash-chained, reconstructable trail. It's how the agent shows its work instead of asking you to trust a score.
Can the agent tell me what my own AI coding agents did?
Yes. Opviva can capture what an AI agent in your stack was prompted, which tools it called, what data it touched, and the outcome, in that same tamper-evident timeline. It answers "what did our agent actually do?", which rules like the EU AI Act's Article 12 increasingly require teams to be able to prove. It's live: one line of SDK (TypeScript or Python) starts recording.

Scanning

What does the free URL scan check?
It's the entry point: paste a URL and the agent runs a fast, outside-in check of what your live site serves — security headers, exposed files, TLS, and secrets visible in your front-end bundle (like an exposed Supabase service_role key) — then returns a 0–100 score and a letter grade in seconds. Connecting your repo lets it go much further with deep code and dependency scanning.
What's the difference between the free scan and the connected deep scan?
The free scan only sees your app from the outside. Once connected, the agent reads your code to reason about how data flows and where authorization is missing, catching logic and access-control bugs a URL scan can't see.
What is the authenticated deep scan?
With two test accounts you provide, the agent dynamically proves real vulnerabilities instead of guessing at them. It covers IDOR, privilege escalation, SSRF, and SQL injection, and every finding is verified, so there's almost no false-positive noise.
Does Opviva produce a lot of false positives?
No — that's the whole point of proving instead of guessing. Each serious finding is confirmed by the agent dynamically reproducing it, such as actually reading another user's data or making the server call a URL it controls. If it can't be proven, it isn't reported as confirmed.
What is the attack-surface (EASM) scan?
The agent discovers your subdomains from public certificate-transparency logs, then checks them for exposed config/secret files and subdomain takeover, only on domains you've verified you own.
What is the RLS test?
If you use Supabase, the agent checks your Row-Level Security using only your public anon key and read-only requests, exactly what an attacker has, to see what data could be read without logging in.

The bugs it finds

What is an IDOR?
Insecure Direct Object Reference — when one user can access another user's data by changing an id in a request (e.g. /orders/123 → /orders/124). It's one of the most common serious bugs in fast-built apps. The agent proves it by actually retrieving another test user's private data.
What is privilege escalation?
When a low-privilege user can perform an admin-only action because the server doesn't check their role. The agent proves it by having a regular test account successfully call a privileged endpoint.
What is SSRF?
Server-Side Request Forgery — when user input makes your server fetch a URL an attacker chooses, which can reach internal systems or cloud metadata. The agent proves it out-of-band by confirming your server actually called a unique URL it controls.
What is SQL injection?
When user input is concatenated into a database query, letting an attacker read or change your data. The agent confirms it with a time-based test: a payload that makes the database pause, where the response time tracks the injected delay.

Fixes & watching

How does the agent open a fix?
For issues it proves, the agent drafts a fix, runs it past an adversarial review, and opens a pull request. Small, safe fixes can auto-merge; higher-risk ones wait for your one-click approval. Nothing changes without you staying in control.
Will Opviva change my code without asking?
No. Fixes come as pull requests. High-risk changes always wait for your approval before they merge.
Does the agent keep watching after the first scan?
Yes — it re-scans on a schedule, watches your attack surface for anything new, monitors uptime, and can run an instant fix-it-now pass for an emergency. That continuous watch is backed by the Monitoring Guarantee.

Security & privacy

Is it safe to connect my repository?
The agent uses GitHub's app permissions and reads code to find issues; every fix it drafts is proposed as a reviewable pull request. Secrets and test credentials are encrypted at rest and never logged.
Do you store my source code?
No. The agent reads your code to scan it, then the code is dropped — we never store your source.
Will scanning break or slow down my app?
Scans are rate-limited and read-leaning — the agent doesn't run destructive tests, brute-force, or floods. The authenticated scan only ever runs against domains you've verified you own.
Do you only scan apps I own?
Yes. Active scanning requires you to verify domain ownership first (a DNS record or hosted file), so the agent can never be pointed at a target you don't control.
What is the Secured by Opviva trust badge?
An embeddable badge that shows your app's live security grade and links back to Opviva. It's social proof for your users and free distribution for you, tied to a public status page.
What is an Opviva security attestation (Trust Proof)?
When your app passes, Opviva issues a cryptographically signed attestation — a shareable public proof page that shows your live grade and exactly what was checked, signed with Ed25519 so it can't be forged or faked. Send it to customers, investors, or partners as verifiable proof your app was independently security-checked. If something regresses it's automatically re-verified, and it can be revoked, so the proof always reflects reality rather than a one-time snapshot.
How does Opviva access my cloud and infrastructure safely?
With zero standing access. Opviva holds no long-lived keys to your cloud. When the agent needs to act on your infrastructure it mints a short-lived, narrowly-scoped credential for that one task through a just-in-time capability broker, and it expires the moment the task is done. Anything state-changing or destructive still waits for your explicit one-click approval, so the agent can never quietly hold the keys to your systems.

Still have a question?

Ask the agent in the corner, or email support@opviva.com.