A repo goes public. The internet notices in 6 minutes.
You don't.

Codatus watches the controls on your GitHub org: visibility, branch protection, required checks, reviewers, bypass actors, secret scanning. It alerts the moment one changes.

Launching at $99/month. Early users are locked in at that rate.

The blind spot

GitHub logs the change. It tells no one.

GitHub records every one of these changes in its audit log, and notifies no one. A repo can go public, branch protection can come off, a required check can be dropped, all silently. Nothing lands in your inbox.

The enterprise tools that catch this exist. But they assume a security team to run them, and a budget to match. Free tools catch pieces of this.

But for the team too big to leave its repos unwatched and too small for enterprise security tooling, nothing watches the whole surface, turnkey.

The alert feed

Every silent change becomes a message.

codatus · org alerts (live)

[Critical] payments-api went public: visibility changed private → public
by @rhea.okafor · 02:14 UTC · #security

[High] Branch protection removed from main on billing-service
by @t.mills · 09:47 UTC · #security

[High] Required status checks removed on infra-terraform: merges no longer gated
by @devops-svc · 14:02 UTC · #security

[High] Required reviewers dropped 2 → 0 on auth-gateway
by @s.haldar · 11:23 UTC · #security

[Critical] @deploy-bot added as bypass actor on the main ruleset of mobile-app
by @j.fenwick · 16:38 UTC · #security

[High] Push protection disabled on data-pipeline
by @k.novak · 08:05 UTC · #security

How it works

Three steps, then you stop watching.

  1. Install the read-only GitHub App on your org.
  2. Choose where alerts go: Slack or email.
  3. Done. The next time a control changes, you hear about it in the moment.

One plan

$99/month per org
  • All six signals
  • Slack and email routing
  • Org-wide coverage
