Building Layne: Scaling Security Scanning @ Rocket.Chat

Shifting security left is hard to operationalize at scale - especially with a small security team. Every team reinventing its own CI pipeline integration leads to inconsistent coverage and blind spots that slip into production.

Layne is how Rocket.Chat's security team scales appsec without scaling headcount. It's a GitHub App that centralizes Semgrep (SAST), TruffleHog (secret detection), and Claude across repositories - without touching a single workflow file. Every pull request gets scanned in parallel, with results surfacing as native GitHub Check Run annotations that block merges on high-severity findings.
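The mechanism the abstract describes, scanner findings surfacing as Check Run annotations and a conclusion that blocks the merge when a high-severity finding is present, is easy to show in a small example. The code below is an added illustration, not Layne's code and not taken from the talk: it assumes Semgrep-style JSON (`results[].check_id`, `path`, `start.line`, `end.line`, `extra.message`, `extra.severity`), the GitHub Checks API annotation fields (`path`, `start_line`, `end_line`, `annotation_level`, `title`, `message`) and that API's documented limit of 50 annotations per update request. The sample report is constructed, and the conclusion policy (`block_on`) is a choice for this example rather than Layne's.

```python
"""Turn Semgrep-style findings into GitHub Check Run annotations and pick a
conclusion. Added example; the field names and the 50-per-request limit follow
the Checks API, the severity mapping and blocking policy are this example's own."""
import json
from typing import Iterator

# Constructed sample resembling `semgrep --json` output (not a real scan).
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [
        {
            "check_id": "python.lang.security.audit.exec-detected",
            "path": "app/handlers.py",
            "start": {"line": 42, "col": 5},
            "end": {"line": 42, "col": 31},
            "extra": {"message": "Detected use of exec().", "severity": "ERROR"},
        },
        {
            "check_id": "python.lang.best-practice.open-never-closed",
            "path": "app/util.py",
            "start": {"line": 10, "col": 1},
            "end": {"line": 14, "col": 2},
            "extra": {"message": "File handle never closed.", "severity": "WARNING"},
        },
        {
            "check_id": "python.lang.maintainability.useless-pass",
            "path": "app/util.py",
            "start": {"line": 20, "col": 1},
            "end": {"line": 20, "col": 5},
            "extra": {"message": "Useless pass statement.", "severity": "INFO"},
        },
    ]
})

# Semgrep severity -> Checks API annotation_level (notice | warning | failure).
SEVERITY_TO_LEVEL = {"ERROR": "failure", "WARNING": "warning", "INFO": "notice"}
MAX_ANNOTATIONS_PER_REQUEST = 50  # Checks API accepts at most 50 annotations per update


def findings_to_annotations(report: dict) -> list[dict]:
    """One annotation per finding. Columns are omitted on purpose: the API
    rejects start/end columns on annotations that span more than one line."""
    annotations = []
    for r in report.get("results", []):
        severity = str(r.get("extra", {}).get("severity", "")).upper()
        annotations.append({
            "path": r["path"],
            "start_line": r["start"]["line"],
            "end_line": r["end"]["line"],
            # Unknown severities are surfaced as warnings rather than dropped.
            "annotation_level": SEVERITY_TO_LEVEL.get(severity, "warning"),
            "title": r["check_id"],
            "message": r["extra"]["message"],
        })
    return annotations


def check_conclusion(annotations: list[dict], block_on=frozenset({"failure"})) -> str:
    """'failure' blocks the merge when the check is required; everything else passes."""
    return "failure" if any(a["annotation_level"] in block_on for a in annotations) else "success"


def batches(items: list, size: int = MAX_ANNOTATIONS_PER_REQUEST) -> Iterator[list]:
    for i in range(0, len(items), size):
        yield items[i:i + size]


def build_check_run_updates(report: dict, name: str = "sast") -> list[dict]:
    """Bodies for successive PATCH /repos/{owner}/{repo}/check-runs/{id} calls.
    Annotations are appended across calls, so only the last body completes the
    run and carries the conclusion."""
    annotations = findings_to_annotations(report)
    conclusion = check_conclusion(annotations)
    blocking = sum(a["annotation_level"] == "failure" for a in annotations)
    chunks = list(batches(annotations)) or [[]]  # an empty scan still completes the run
    updates = []
    for i, chunk in enumerate(chunks):
        last = i == len(chunks) - 1
        body = {
            "name": name,
            "status": "completed" if last else "in_progress",
            "output": {
                "title": f"{len(annotations)} finding(s), {blocking} blocking",
                "summary": f"Conclusion: {conclusion}",
                "annotations": chunk,
            },
        }
        if last:
            body["conclusion"] = conclusion
        updates.append(body)
    return updates


if __name__ == "__main__":
    for body in build_check_run_updates(json.loads(SAMPLE_SEMGREP_JSON)):
        print(json.dumps(body, indent=2))
```

Two practical points this encodes: a run with more than 50 findings must be pushed in several updates, and only the final one may set `conclusion`, otherwise the check completes before all annotations are attached; and annotations whose lines fall outside the pull request's diff still count toward the conclusion even though GitHub does not render them inline on the Files tab, so a blocked check can show no inline markers at all.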

We'll cover the architecture, the lessons learned deploying it at Rocket.Chat, and an honest take on where LLMs genuinely add value in a security pipeline.

https://github.com/RocketChat/layne

Julio Araujo

Head of Security @ Rocket.Chat

Orléans, France
