Startup Embeds AI Security Analysis in Dev Workflow

Kusari, a software supply chain security startup, has launched Kusari Inspector, an AI-powered tool that delivers security insights and go/no-go recommendations directly within GitHub pull requests.
With the tool, Kusari aims to help developers identify and fix security vulnerabilities before code is merged, addressing the growing challenge of supply chain attacks that have increased 156% year over year, the company said.
Shifting Security Left in the Development Workflow
Rather than relegating security concerns to late-stage reviews or post-deployment audits, Kusari Inspector brings what the company calls an “extend left” (as opposed to “shift left”) approach to supply chain security. When developers open a pull request, the tool automatically examines changed files and analyzes the full dependency graph, including transitive dependencies, to uncover potential security issues.
“Kusari Inspector puts robust security insights right where developers need them: in their pull requests,” said Tim Miller, CEO and co-founder at Kusari, in a statement. “The recommendations come from Kusari’s analysis of the full dependency graph, including security practices and code provenance, so the result is always actionable — there’s no worry about ‘AI slop.’ By catching vulnerabilities and risky dependencies early, teams can move faster and ship more secure code.”
Moreover, nearly 80% of the average application’s code now comes from open source dependencies, while companies have limited control over what goes into their software, Miller said. Meanwhile, regulatory pressure is mounting from initiatives like Europe’s Cyber Resilience Act and increasing requirements from enterprise customers.
Beyond Traditional Scanning Tools
What differentiates Kusari Inspector from other security scanning tools is its approach to AI integration. Rather than simply throwing a large language model (LLM) at source code, the tool first runs established security scans, including Static Application Security Testing (SAST), secret scanning and dependency analysis. The AI then synthesizes these results to filter out noise and prioritize genuine security threats.
“We think that our sort of dependency analysis is second to none,” said Michael Lieberman, CTO and co-founder of Kusari, during a recent interview. “We have a good understanding of transitive dependencies. So, not just like a lot of the existing scanning tools will just sort of say, ‘Hey, you have an issue because you’re including log4j.’ But when you look at your Maven POM [Project Object Model] file, it’s actually not listed there, right? It’s because you’re using Spring or something like that.”
This context-aware approach helps developers understand not just what the security issue is, but why it matters in their specific codebase, Lieberman said. For example, the tool can distinguish between a SQL injection vulnerability in production code versus test code, prioritizing the former while still flagging the latter for future attention.
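The two ideas in this section, explaining a finding through the transitive dependency chain that introduced it and ranking findings by whether they sit in production or test code, can be sketched in a few dozen lines. The script below is an added illustration written for this article; it is not Kusari Inspector's code and says nothing about how that product is implemented. The dependency graph, artifact names and scanner findings are constructed placeholders (the graph is deliberately simplified and is not any real framework's tree), and the path-based production/test split is a heuristic chosen for the example.

```python
# Added illustration, not Kusari's code: explain why a vulnerable package is
# present via transitive dependencies, then rank findings by code context.
from collections import deque

# Constructed sample data. The graph is deliberately simplified and is NOT the
# real dependency tree of any framework; artifact names are placeholders.
DIRECT_DEPS = ["web-framework"]          # what the project's POM declares
DEP_GRAPH = {                            # resolved graph incl. transitive edges
    "web-framework": ["web-mvc", "logging-starter"],
    "logging-starter": ["log4j-core"],
    "web-mvc": ["json-lib"],
    "json-lib": [],
    "log4j-core": [],
}

# Constructed scanner findings, shaped like what a SAST pass might emit.
FINDINGS = [
    {"rule": "sql-injection", "file": "src/main/java/app/UserDao.java", "line": 42},
    {"rule": "sql-injection", "file": "src/test/java/app/UserDaoTest.java", "line": 17},
    {"rule": "hardcoded-secret", "file": "src/main/resources/application.properties", "line": 3},
]

# Heuristic markers for test code (an assumption of this example).
TEST_PATH_MARKERS = ("/test/", "/tests/", "Test.java", "_test.")


def dependency_paths(graph, roots, target):
    """Return every path from a direct dependency to `target`.

    Breadth-first, so the shortest explanation comes first; a node already on
    the current path is skipped, which keeps cyclic graphs from looping.
    """
    paths = []
    queue = deque((root, [root]) for root in roots)
    while queue:
        node, path = queue.popleft()
        if node == target:
            paths.append(path)
            continue
        for child in graph.get(node, []):
            if child not in path:
                queue.append((child, path + [child]))
    return paths


def explain_dependency(graph, roots, target):
    """Human-readable note on how `target` ended up in the build."""
    paths = dependency_paths(graph, roots, target)
    if not paths:
        return f"{target} is not reachable from the declared dependencies"
    if target in roots:
        return f"{target} is a direct dependency"
    chains = "; ".join(" -> ".join(p) for p in paths)
    return f"{target} is not declared directly; it is pulled in via: {chains}"


def classify_context(path):
    """Production vs test code, decided from the file path alone."""
    return "test" if any(m in path for m in TEST_PATH_MARKERS) else "production"


def prioritize(findings):
    """Attach a context and an action to each finding; blocking ones first."""
    ranked = []
    for f in findings:
        ctx = classify_context(f["file"])
        action = "fix-before-merge" if ctx == "production" else "track"
        ranked.append({**f, "context": ctx, "action": action})
    # sort() is stable, so findings keep their original order within each tier
    ranked.sort(key=lambda f: f["action"] != "fix-before-merge")
    return ranked


def recommendation(findings):
    """The go/no-go line a pull request comment would lead with."""
    blocking = any(f["action"] == "fix-before-merge" for f in prioritize(findings))
    return "no-go" if blocking else "go"


if __name__ == "__main__":
    print(explain_dependency(DEP_GRAPH, DIRECT_DEPS, "log4j-core"))
    for f in prioritize(FINDINGS):
        print(f"[{f['action']:>16}] {f['rule']} in {f['file']}:{f['line']} ({f['context']})")
    print("Recommendation:", recommendation(FINDINGS))
```

The production-code SQL injection and the hard-coded secret come out as blocking, the test-code finding is kept but demoted to "track", and the explanation line names the chain from the declared dependency to the vulnerable artifact rather than just the artifact, which is the part a developer looking at a POM that never mentions it actually needs.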
Addressing Alert Fatigue
A key challenge the tool aims to solve is security alert fatigue, Lieberman told The New Stack. Traditional security tools often overwhelm developers with hundreds or thousands of findings, making it difficult to identify which issues require immediate attention.
“When everything is seemingly a priority, then nothing becomes a priority when it comes to fixing the actual issues,” Lieberman noted. “Way too many of the tools today just slam you with a million different things.”
Kusari Inspector provides clear go/no-go recommendations with specific remediation guidance, he said. The tool can detect exposed credentials, insecure GitHub workflows, dependencies with poor security posture, typosquatted packages and common code weaknesses. Results appear as comments directly on pull requests, allowing developers to address issues within their existing workflow.
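Of the detection categories listed above, typosquatted packages are the one that is easiest to show concretely: a requested name that is one or two edits away from a well-known package is worth a human look before the pull request merges. The script below is an added example written for this article, not Kusari's code, and does not describe how Inspector performs this check. The allowlist of "known" packages and the requirements file are constructed; a real deployment would use an ecosystem's most-downloaded packages or an organisation's approved list, and the edit-distance threshold is an assumption of the example.

```python
# Added illustration, not Kusari's code: flag requested packages whose names are
# a short edit away from a well-known package. All input data is constructed.
import re

# Constructed allowlist; in practice this would be the ecosystem's most
# downloaded packages or an organisation's approved list.
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "cryptography", "pyyaml", "pillow"}

# Constructed requirements file; two lines carry one- and two-character typos.
REQUIREMENTS = """\
# web client
requests==2.31.0
urlib3>=1.26
numpy
cryptograhpy==41.0
PyYAML
"""


def normalize(name):
    """PEP 503 style: case-insensitive, runs of -_. collapse to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Yield package names from requirements.txt lines (comments/specifiers dropped)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # cut at the first version specifier, extras bracket, marker or URL
        yield re.split(r"[=<>!~\[;@\s]", line, maxsplit=1)[0]


def levenshtein(a, b):
    """Edit distance with single-character insert/delete/substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_packages(text, known=KNOWN_PACKAGES, max_distance=2):
    """Return (requested, closest_known, distance) for near-miss names.

    Exact matches (after normalisation) are legitimate and skipped; anything
    else within `max_distance` edits of a known name is reported for review.
    A genuinely new package with a similar name is a false positive here, so
    the result is a review signal, not a verdict.
    """
    known_norm = {normalize(k) for k in known}
    hits = []
    for requested in parse_requirements(text):
        req = normalize(requested)
        if req in known_norm:
            continue
        closest, dist = min(((k, levenshtein(req, k)) for k in known_norm), key=lambda kd: kd[1])
        if dist <= max_distance:
            hits.append((requested, closest, dist))
    return hits


if __name__ == "__main__":
    for requested, closest, dist in suspicious_packages(REQUIREMENTS):
        print(f"review: '{requested}' is {dist} edit(s) from known package '{closest}'")
```

Normalising names before comparing matters because package indexes treat `Py_YAML`, `py-yaml` and `pyyaml` as the same project, so a check that compared raw strings would both miss real matches and raise spurious near-misses.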
Interactive AI Capabilities
Beyond static analysis, Kusari Inspector includes interactive features that enable developers to chat with the AI model to clarify findings, ask questions or provide feedback. This conversational aspect helps developers who may not be security experts understand the context and importance of the findings.
The tool also automatically generates software bill of materials (SBOM) data for connected projects and repositories, supporting compliance requirements and supply chain transparency initiatives, Lieberman said.
Company Background and Market Context
Kusari was founded in 2022 by three cybersecurity experts with backgrounds in financial technology and government contracting. The founders previously worked at organizations including Bridgewater Associates, UBS, Citi and Raytheon, where they built custom security solutions for enterprise environments.
Companies such as CodeRabbit, SonarQube and Aikido Security are competitors or potential competitors of Kusari. The company name, Kusari, means “chain” in Japanese, Lieberman said, emphasizing the company’s goal of securing the software supply chain.
Kusari is heavily involved in open source security initiatives, with Lieberman serving as an elected member of the governing board for the Open Source Security Foundation (OpenSSF). Kusari maintains key projects, including OpenSSF’s Graph for Understanding Artifact Composition (GUAC).
“We are heavily involved in open source, which is why we are so familiar with how open source works and what the risks are there,” Lieberman explained.
Availability and Pricing
Kusari Inspector is now generally available for GitHub repositories with a 30-day free trial. After the trial period, the tool is priced at $10 per seat per month. The company plans to expand support to other source code management platforms (including GitLab) and integrate findings directly into developer IDEs.
For enterprise customers, Kusari offers a more comprehensive platform that can tie individual findings to organizational dependencies and relationships across teams and projects.