---
title: "Nothing merges until security says yes"
description: "Ara scans every change for vulnerable dependencies and leaked secrets, drafts the fix in an isolated workspace, and holds remediation behind your approval."
url: "https://ara.so/product/security"
section: "Automations"
---

# Nothing merges until security says yes

Ara scans every change for vulnerable dependencies and leaked secrets, drafts the fix in an isolated workspace, and holds remediation behind your approval.

## Every change reviewed before it lands

### Dependency scan

Vulnerable and outdated packages are flagged on every run, with a pinned upgrade proposed.

### Secret scanning

Leaked keys and tokens are caught in the diff before they reach the default branch.

### Gated remediation

Ara writes the fix but holds — nothing applies until a named reviewer approves.

## From signal to gated pull request

### Detect on every run

Ara scans dependencies, secrets, and the diff as part of each run. No separate pipeline to wire up.

_Signal_

### Reproduce, then draft the fix

It confirms the vulnerability in an isolated workspace, writes the patch, and records a transcript of what it found.

_Verified fix_

### Gate behind approval

The pull request carries the finding, the fix, and the evidence. A human approves before anything merges.

_Pull request_

## Security review on autopilot, with a human at the gate

Ara scans every change, drafts the fix, and waits for your approval. Verified remediation, full audit trail, nothing merged without a yes.
