Arko - DevSecOps IDE Reasoning Copilot
Arko is a DevSecOps reasoning engine built directly into VS Code and Cursor, with enterprise visibility and compliance alignment.
Traditional security tools rely on static rules and pattern matching. They generate findings without understanding system architecture, implemented controls, or regulatory context.
Arko takes a different approach.
It reasons about your application as you build it - mapping architecture, endpoints, authentication flows, data movement, AI components, agents, user roles, and external integrations. It evaluates real attack surface, validates implemented controls, and aligns findings with compliance and security requirements.
Arko connects development, security, and governance in one continuous workflow.
How It Works
1. Scan
Click "Run Security Scan" in the sidebar. Arko analyses your project files (respecting .gitignore and exclude patterns).
2. Architectural Reasoning & Control Analysis
A multi-stage AI pipeline:
- Maps endpoints, trust boundaries, and data flows
- Identifies authentication and access control patterns
- Detects application-layer vulnerabilities
- Identifies DevSecOps anti-patterns
- Builds a contextual threat model
- Evaluates exploitability based on architecture
- Detects implemented and missing security controls
3. Prioritise and Fix in Flow
Results appear directly in your IDE with:
- A Hackability Score (0-100)
- Architecture-aware threat explanations
- Exploitability-based prioritisation
- Plain-language remediation guidance
- "Check with AI" prompts for fixing without leaving your editor
4. Enterprise Dashboard & Policy Alignment
Findings, controls, and threat models are synchronised to the Arko enterprise dashboard, where teams can:
- View project-level security posture
- Assign and enforce security policies
- Track control implementation across repositories
- Map technical findings to compliance requirements
- Generate structured reports for security and governance teams
What Makes Arko Different
Traditional security tools:
- Focus on static rule matching
- Surface isolated vulnerabilities
- Provide limited architectural awareness
- Treat compliance as external documentation
Arko:
- Builds contextual understanding of your system
- Maps real attack paths across components
- Validates implemented security controls
- Detects modern AI-native risks (prompt injection, model poisoning, exposed secrets, insecure agent workflows)
- Prioritises findings based on exploitability
- Maps technical findings to security and regulatory domains
- Connects IDE analysis to an enterprise compliance dashboard
Arko functions as a security architect inside the IDE, with governance visibility at the enterprise layer.
Core Capabilities
- Hackability Score - A real-time 0-100 score representing overall system exposure, updating as posture improves.
- Architectural Threat Modelling - AI-generated threat models specific to your stack, architecture, and integrations.
- Security Control Validation - Detection of implemented and missing security controls across authentication, input validation, encryption, access control, logging, and DevSecOps workflows.
- Application & DevSecOps Risk Detection - Identification of vulnerabilities and DevSecOps anti-patterns with contextual severity.
- AI-Native Risk Detection - Detection of modern AI system risks including prompt injection, model poisoning, exposed API keys, and insecure LLM integrations.
- Exploitability-Based Prioritisation - Findings ranked based on realistic attack feasibility within your architecture.
- Compliance & Regulatory Mapping - Mapping of controls and findings to security requirements and regulatory domains, supporting secure SDLC, data protection, and AI governance standards.
- Enterprise Dashboard - Centralised visibility across projects to assign policies, track control coverage, monitor posture trends, and generate structured compliance reports.
- Fix in Flow - Generate contextual remediation guidance and pass fixes directly to your AI coding assistant.
- Exportable Reports & Badge - Generate structured security reports and embed your Hackability Score in repositories.
How We Handle Your Code
Transparency is core to Arko.
- Project files are transmitted securely over HTTPS (TLS).
- Full source code is not persisted in our database.
- We store only:
- Vulnerability snippets
- Scan metadata (file counts, timestamps, duration)
- Generated threat models
- Recommendations
- Hackability score history
- Control validation results
- Code submitted via API is not used to train AI models.
- All communication is encrypted in transit and at rest.
Arko does not:
- Sell or share your code.
- Retain full source code after analysis.
- Access your code outside scans you initiate.
Getting Started
- Install the extension from the Marketplace.
- Click the Arko icon in the Activity Bar.
- Sign in with your account (or create one at devsecai.io).
- Open a project and click Run Security Scan.
Configuration
| Setting |
Default |
Description |
devsecai.excludePatterns |
.env*, secrets/**, *.pem, *.key, node_modules/**, .git/** |
Files to exclude from scans |
devsecai.enableDiagnostics |
true |
Show findings in the Problems panel |
Requirements
Privacy & Security
Arko is built by developers, for developers. We understand the sensitivity of sending code to a third-party service, which is why we've designed the system to minimise data retention and maximise transparency. If you have questions about how your data is handled, reach out at info@devsecai.io.
Links
