[Hero illustration: a spec.md ("# Authentication: must validate JWT, must rate-limit") and a repository feed the Trust Engine's 5 parallel analyzers (Semantic SAST); the analysis log shows 47 files analyzed and a trust score of 87/100 (Dependencies 92, Semantic 89, Spec match 91) with a Gap Report, PDF Export and Audit Trail. Flow: 1. Submit PR or paste repo URL; 2. Semantic analysis vs. intent; 3. Trust score + detailed report.]

Verify AI-generated code before it ships.

Your AI coding assistant writes code. Cognium proves it's safe. Semantic analysis catches what pattern matching misses.

Install as a GitHub Action, use our CLI scanner, or try it right now — no signup required.

75% CVE detection · CWE-Bench-Java
3.3× better than CodeQL · same dataset
0 false positives · OWASP Benchmark
How It Works

One sentence → Trust score

Declare your intent in plain English. Cognium compares your code against that intent using semantic analysis. You get a trust score (0-100) and a detailed report.

1. Write your intent

"Add Stripe payment retry logic for failed transactions" (written in spec.md)

2. Cognium analyzes

5 parallel analyzers: dependencies, patterns, semantics, behavior, spec compliance

3. Get your report

Trust score + gap analysis + shareable PDF (e.g. 92/100). Ready for PR review or audit.

What's a Specifica spec?

It's a simple markdown file (spec.md) where you declare what your code should do in plain English. Think of it as a contract between your intent and the AI's output. Cognium diffs your code against this spec to find gaps.

Learn more about Specifica →
Trust Engine

We prove what agents did.

Your AI coding assistant generated code. Did it follow your intent? Did it introduce vulnerabilities? Did it match your spec? The Trust Engine answers these questions with deterministic proof — not probabilistic guessing.

Multiple parallel analyzers

Dependency, code pattern, semantic, behavioral, and spec compliance — running simultaneously.

Intent augmentation

State what you need in one sentence. Cognium reads your code, understands what exists, and shows you the gap between your intent and your reality.

Every source type, one engine

Custom code, ecosystem MCPs, community skills, and LLM-generated — all scanned the same way.

[Diagram: your code, MCPs & skills and the Specifica spec.md feed the Trust Engine (Semantic SAST + Spec Diff, with DEP, PAT, SEM, BEH and SPEC analyzers), which outputs a trust score (/100), a Gap Report, an Audit Trail and a PDF Export.]
# .github/workflows/cognium.yml
name: Cognium Trust Check
on: [pull_request]
jobs:
  cognium:
    runs-on: ubuntu-latest
    steps:
      - uses: cogniumhq/cognium-action@v1

One YAML file. Every PR gets a trust score comment. No signup required.

View on GitHub →
Skill Registry

We also scan agent skills.

runics.net

Beyond your code, we scan the skills your agents discover at runtime. Every skill in the registry is trust-scored. Malicious skills are revoked. Your agents only see what's safe to use. Available at runics.net.

Your private skills are your IP

Private skills registered by your organization are weighted higher and prioritized in your agents' queries. Your internal capabilities always surface first — and never leak to the public registry.

Explore runics.net →
Orchestrator

Enterprise? We've got orchestration.

For larger teams, we provide full release orchestration with trust-gated approvals. Start at L1 (manual gates), progress to L2 (approve-by-exception), earn L3 (autonomous deployment). Your risk committee gets compliance artifacts as a pipeline byproduct.

Note: Most developers don't need this. If you're a team of <10 and just want to verify AI-generated code, stick with the GitHub Action or CLI scanner.

Gate levels run from L1 (manual) to L3 (auto). Example pipeline:

01 Spec Validation (L1): Specifica spec parsed and verified against PR scope
   → PR #418: "Add Stripe webhook handler"
02 Dependency Scan (L1): All imported packages and MCP servers trust-scored
   → stripe@14.2.0 ✓ · @auth/mcp-oauth ✓
03 Semantic Analysis (L1): Agent-generated code diffed against spec intent
   → webhook handler writes to DB not in spec ⚠
04 Behavioral Verification (L2): Runtime behavior matches declared API scope
   → No outbound calls beyond Stripe API ✓
05 Compliance Check (L2): PCI-DSS and regulatory alignment verified
   → No raw card data in logs ✓ · Audit trail ✓
06 Release Decision (L3): Trust score 91 exceeds threshold; merge to main
   → Deployed to staging → production in 4m 12s
Proof

Benchmarked. Tested. Verifiable.

Trust Score: 0–100

A single score for every component. Machines consume it at runtime. Humans read it in the audit trail.

Untrusted (0–39): Significant findings. Advisory warnings.
Community (40–59): No spec. Some findings. Use with caution.
Inferred (60–84): Clean scan. Partial or no spec match.
Verified (85–100): Code matches spec. All analyzers passed.
Revoked: Critical severity. Permanently excluded.

33% of MCP servers have critical CVEs — Enkrypt AI
26% of 31K skills have ≥1 flaw — arXiv
1,184 malicious ClawHub skills — Antiy CERT
LIVE · RUNICS.NET

The largest agent skill audit.

23,691 skills indexed (3 sources)
~10,000 scanned by Cognium (42% coverage)
120 revoked (trust zeroed, excluded from search)
3,479 perfect score (100/100 trust)

Source Safety

ClawHub 7,452 scanned · 96.7% clean
GitHub 1,081 scanned · 99.2% clean
MCP Registry 959 scanned · 99.7% clean

Ecosystem Coverage

| Entity     | Scanned            | Method     |
|------------|--------------------|------------|
| Cognium    | ~10,000 skills     | SAST + LLM |
| BlueRock   | 7,000 MCP servers  | SSRF only  |
| Enkrypt AI | 1,000 MCP servers  | CVE scan   |

Note: Cognium scans agent skills; the others scan MCP servers, which is a different attack surface.

3 sync pipelines on cron. The registry grows while you read this page.

Try it now. No signup required.

Scan any public GitHub repository in seconds. Get a trust score, detailed findings, and a shareable PDF report.