I like the idea of this, but in a way it seems like going on to a website to enter your password to see if it was involved in any leaks. And that makes me uneasy.
A system like this would be so much better if all the scanning was done locally, keeping the source private from leaking at all.
Thanks for commenting, and totally get your perspective on it.
Scanning today can be done locally with many tools like Semgrep before you use Corgea. We do send vulnerability information over to Corgea to make sure we can issue fixes for them reliably and at scale. Keep in mind repos have vulnerabilities in the thousands or even tens of thousands. So it's not as simple as Copilot running in your IDE reading your current lines of code. We have to be able to do this at scale.
Finally, we've put a lot of effort into securing things down and you can read some of those details here: https://docs.corgea.app/security