EDITH

Getting started

Connect GitHub, run your first scan, read the score, copy a fix prompt. Five minutes.


Install the EDITH GitHub App

Sign in to EDITH at app.edith.expert/signin with your GitHub account. Click Install on a repository in the onboarding flow.

EDITH requests read-only access — we never write to your repo or open PRs you didn't approve. You can revoke access in one click from your GitHub settings.

Heads up: EDITH currently scans up to 400 files per repo. Larger codebases are batched.

Run your first scan

Open the EDITH dashboard, pick the repo you just connected, and click Scan now. EDITH fetches the latest commit on the default branch, builds an in-memory ts-morph project, and runs all 151 deterministic checks plus the AI-pattern checker.

Median scan time is 60 seconds. p95 is around 4 minutes for repos near the 400-file cap.

Read the EDITH score

Every scan produces three scores:

  • EDITH score — weighted across all 6 dimensions, the headline number on the dashboard.
  • Test score — heavily penalised by critical findings; reflects production readiness.
  • Debt score — total finding count normalised; reflects long-term codebase health.

Below the score, findings group by dimension (Security, Performance, Reliability, Data Safety, Business Logic, Deploy Ready) and severity (critical, high, medium, low).

Copy a fix prompt

Each finding has a Copy fix prompt button. The clipboard receives a precise, scoped prompt with the file, line, the pattern that broke, and the acceptance criteria.

Paste the prompt into Cursor / Claude Code / Copilot / Windsurf. Review the patch. Commit. EDITH re-scans automatically on push.

```markdown
# EDITH fix prompt — Stripe webhook signature verification
Issue: api/webhooks/stripe.ts:12 — handler reads req.json() and
       trusts the body. An attacker can fake events.

Fix: Use stripe.webhooks.constructEvent() with the stripe-signature
header and STRIPE_WEBHOOK_SECRET. Reject anything that fails
verification.

Acceptance:
- A request without a valid signature returns 400
- The handler runs on the verified event object
- Add an idempotency check before applying side effects
```
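As an added example (not EDITH's code and not the Stripe SDK), here is a TypeScript handler that satisfies the acceptance criteria of the prompt above. It reproduces Stripe's signature scheme with node:crypto so it runs offline; a real handler would call stripe.webhooks.constructEvent() instead. The secret, event ids and clock values are constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not EDITH's or Stripe's code. Stripe signs "<t>.<raw body>" with
// HMAC-SHA256 and sends "t=<t>,v1=<hex>" in the stripe-signature header; this
// re-implements that check offline in place of stripe.webhooks.constructEvent().
const TOLERANCE_SECONDS = 300; // same default replay window the Stripe SDK uses
type StripeEvent = { id: string; type: string };

// Test helper: build a header the way Stripe would (constructed secret, not a real key).
function signPayload(secret: string, body: string, ts: number): string {
  const mac = createHmac("sha256", secret).update(`${ts}.${body}`).digest("hex");
  return `t=${ts},v1=${mac}`;
}

// Hardened parse: throws unless the header carries a fresh, valid signature over the raw body.
function verifyEvent(body: string, sigHeader: string, secret: string, nowSeconds: number): StripeEvent {
  let ts: number | undefined;
  const sigs: string[] = [];
  for (const item of sigHeader.split(",")) {
    const eq = item.indexOf("=");
    if (eq < 0) continue;
    const key = item.slice(0, eq).trim();
    const value = item.slice(eq + 1).trim();
    if (key === "t") ts = Number(value);
    else if (key === "v1") sigs.push(value); // several v1 entries appear during secret rotation
  }
  if (ts === undefined || !Number.isFinite(ts) || sigs.length === 0) throw new Error("malformed header");
  if (Math.abs(nowSeconds - ts) > TOLERANCE_SECONDS) throw new Error("stale timestamp"); // blocks replays
  const expected = Buffer.from(createHmac("sha256", secret).update(`${ts}.${body}`).digest("hex"));
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  const matches = sigs.some((s) => Buffer.from(s).length === expected.length && timingSafeEqual(Buffer.from(s), expected));
  if (!matches) throw new Error("signature mismatch");
  return JSON.parse(body) as StripeEvent;
}

const processedEventIds = new Set<string>(); // idempotency guard (use a durable store in production)

// Returns the HTTP status the handler would send; side effects run once per event id.
function handleWebhook(body: string, sigHeader: string, secret: string, nowSeconds: number, apply: (e: StripeEvent) => void): number {
  let event: StripeEvent;
  try { event = verifyEvent(body, sigHeader, secret, nowSeconds); } catch { return 400; } // acceptance: bad signature -> 400
  if (!processedEventIds.has(event.id)) {
    processedEventIds.add(event.id);
    apply(event); // acceptance: side effects only on the verified event, and only once
  }
  return 200;
}
```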

Where to go next

  • Browse Scanner checks to see every rule EDITH runs
  • Install the Browser extension to audit pages live in DevTools
  • Wire up GitHub webhooks so every push triggers a scan
  • Read the Compliance docs if you need audit-ready evidence