What BrassCoders Paid's Enrichment Actually Does

The OSS core finds everything; the Paid plan ranks it. BrassCoders Paid cuts a typical 1500+ raw findings to a focused 50-80, for $12 per developer per month.

Copper Sun Brass Team · 4 min read
paid-plan · ai-code-review

BrassCoders runs 12 scanners and emits the union of their findings — 1500 or more on a typical real codebase. Every one of those is found by the free OSS core. The problem a paid plan solves was never detection; it’s that 1500 findings is more than anyone reads every scan. BrassCoders Paid ranks the pile down to the 50-80 that matter, for $12 per developer per month.

Detection Is Free; Ranking Is the Paid Part

BrassCoders finds every bug at the free level — all 12 scanners, no caps, Apache 2.0, zero outbound network calls. The Paid plan adds no detectors and keeps no rules behind the paywall; the scan that runs on a free install and a paid install finds the identical set of bugs.

What Paid adds is a ranking pass. There is one paid plan at one price, and what it changes is the shape of the output: from a long unordered list to a short ordered one. If your raw scan is already small enough to read, the OSS core is the whole product. If it isn’t, the ranking is what you’re buying.

The Funnel: 1500 to 300 to 50-80

BrassCoders narrows a scan in two stages, and only the second one is paid. The OSS core runs a heuristic deduplication that takes a typical 1500+ raw findings down to roughly 300 — collapsing the obvious repeats a 12-scanner union produces when several engines flag the same line.

The Paid enrichment is the second stage. It runs a semantic deduplication and a relevance ranking that take those ~300 down to a focused 50-80, ordered by how much each finding matters to your specific project. The detection didn’t change between 1500 and 50-80; the noise did. You read the 50-80 instead of triaging the 1500.

What Actually Gets Sent

BrassCoders Paid sends two things to its hosted gateway, and neither is your code. The first is the findings themselves, already redacted at the scanner — locations and types, with secret and PII values stripped before they ever leave the machine. The second is a project signature: up to 7,500 characters of non-sensitive metadata pulled from your README, your dependency manifest, and your top-level filenames.

That’s the whole payload. Raw source code never leaves the machine, on either plan. The redacted secret values never leave it. And the OSS-only path (a free install, or any scan without an active license) makes zero outbound calls at all. The enrichment runs through a hosted embedding model; BrassCoders passes its per-token cost straight through.
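To make the "neither is your code" property checkable, here is an added example (not BrassCoders' own code or wire format) that builds the two-part payload the section describes and then searches it for anything that should have stayed on the machine. Field names, the README/manifest/filename layout of the signature, and the sample secret are assumptions; only the 7,500-character cap and the "locations and types, values stripped" rule come from the page.

```python
import json

SIGNATURE_CAP = 7500  # character cap on project metadata, per the page

def redact(finding):
    """Keep location and type; drop the matched snippet/value before anything
    leaves the machine. Field names are hypothetical, not the product's schema."""
    return {k: finding[k] for k in ("scanner", "type", "path", "line")}

def project_signature(readme, manifest, top_level_names):
    """README, dependency manifest and top-level filenames only, capped."""
    parts = [readme, manifest, " ".join(sorted(top_level_names))]
    return "\n".join(parts)[:SIGNATURE_CAP]

def build_payload(findings, readme, manifest, top_level_names, redacted=True):
    body = [redact(f) if redacted else f for f in findings]
    return {"findings": body,
            "signature": project_signature(readme, manifest, top_level_names)}

def first_leak(payload, source_files, secret_values):
    """Return the first secret value or source line found in the serialized
    payload, or None. Needles are JSON-escaped so quoted lines still match."""
    blob = json.dumps(payload)
    needles = list(secret_values)
    for content in source_files.values():
        needles += [ln.strip() for ln in content.splitlines() if ln.strip()]
    for needle in needles:
        if json.dumps(needle)[1:-1] in blob:
            return needle
    return None

# Constructed sample: one source file holding a fake secret, and two findings
# that still carry the matched snippet as they come off the scanner.
SECRET = "sk-constructed-example-0000"
SOURCE = {"src/payments/config.py":
          f'API_KEY = "{SECRET}"\ndb.execute("SELECT * FROM users WHERE id = " + user_id)\n'}
RAW_FINDINGS = [
    {"scanner": "secrets", "type": "hardcoded-api-key", "path": "src/payments/config.py",
     "line": 1, "snippet": f'API_KEY = "{SECRET}"'},
    {"scanner": "taint", "type": "sql-injection", "path": "src/payments/config.py",
     "line": 2, "snippet": 'db.execute("SELECT * FROM users WHERE id = " + user_id)'},
]
README = "Payments service. Handles checkout, refunds and card tokenization."
MANIFEST = "flask==3.0.0\nsqlalchemy==2.0.0\nstripe==8.0.0"
TOP_LEVEL = ["README.md", "requirements.txt", "src", "tests", "vendor"]
```

Run `first_leak` against the redacted payload and the same scan built with `redacted=False` to see the check pass on the former and name the secret on the latter.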

How the Ranking Works

The enrichment embeds your findings and your project signature into vectors, then ranks each finding by how semantically close it is to what your project actually is. A SQL injection in the core request path of a payments service ranks at the top; the same pattern in a vendored test fixture ranks far below it. The model isn’t deciding whether a finding is a true bug (that triage stays with your AI assistant); it’s deciding what’s worth your attention first.

The same embedding step powers the semantic deduplication. A 12-scanner union produces clusters of near-duplicate findings that a string match misses: three engines describing one taint flow in three vocabularies. The enrichment recognizes them as one finding and collapses the cluster, which is most of how 300 becomes 50-80.
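The two steps above, semantic deduplication and relevance ranking, as an added example that is not BrassCoders' own code. A bag-of-words vector stands in for the hosted embedding model, and clustering is scoped to one path (an assumption drawn from the page's "one taint flow" description); the findings and project signature are constructed.

```python
import math
import re
from collections import Counter

# Constructed stand-in for the hosted embedding model: bag-of-words over tokens.
def embed(text):
    return Counter(re.findall(r"[a-z0-9_]+", text.lower()))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def semantic_dedup(findings, threshold=0.6):
    """Greedy clustering: a finding joins the first cluster at the same path whose
    representative wording is at least `threshold` cosine-similar (path scoping assumed)."""
    clusters = []
    for f in findings:
        vec = embed(f["text"])
        for c in clusters:
            if c["path"] == f["path"] and cosine(vec, c["vec"]) >= threshold:
                c["members"].append(f)
                break
        else:
            clusters.append({"path": f["path"], "vec": vec, "members": [f]})
    return clusters

def rank(findings, signature, threshold=0.6):
    """Collapse near-duplicates, then order clusters by closeness of path+wording to the signature."""
    sig = embed(signature)
    scored = []
    for c in semantic_dedup(findings, threshold):
        lead = c["members"][0]
        score = cosine(embed(lead["path"] + " " + lead["text"]), sig)
        scored.append((round(score, 3), [m["id"] for m in c["members"]]))
    return sorted(scored, key=lambda s: s[0], reverse=True)

# Constructed, already-redacted findings (location and type, no values): one taint flow
# in three vocabularies, the same pattern in a vendored fixture, another bug at the core path.
FINDINGS = [
    {"id": "A", "path": "src/payments/checkout.py", "text": "sql injection: user input flows into query in payments checkout handler"},
    {"id": "B", "path": "src/payments/checkout.py", "text": "tainted input reaches sql query in payments checkout handler"},
    {"id": "C", "path": "src/payments/checkout.py", "text": "sql query built from user input in payments checkout handler"},
    {"id": "D", "path": "vendor/fixtures/test_db.py", "text": "sql injection: user input flows into query in vendored test fixture"},
    {"id": "E", "path": "src/payments/checkout.py", "text": "hardcoded api key assigned in payments checkout handler"},
]
SIGNATURE = "Payments service: checkout, refunds, card tokenization. deps: flask sqlalchemy stripe. files: src README.md requirements.txt payments checkout.py refunds.py"
```

With this toy model the three A/B/C descriptions collapse to one entry, both core-path clusters sit well above the vendored fixture, and the order between the two core-path clusters reflects only token overlap with the signature, which is the judgment a learned embedding is meant to make better.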

What It Costs, and What It Doesn’t

BrassCoders Paid is $12 per developer per month and includes 50 million enrichment tokens — roughly 30-50 scans of a real codebase, which covers an active developer running scans through a feature’s worth of work. Top-ups bill at the upstream API cost with no markup. The pricing principle is straight pass-through: you pay what the embedding work costs, not a margin on it.

One bill stays yours. The YAML BrassCoders produces is meant to be read by your AI assistant — Claude Code, Cursor, Continue — and whatever you spend with Anthropic or OpenAI for that is your own account, not something BrassCoders resells. See pricing for the full breakdown.

Try It

The OSS core is the place to start; add Paid when the raw volume is the bottleneck.

pipx install brasscoders
brasscoders --offline scan          # free: all 12 scanners, ~300 after dedup
brasscoders activate <license-key>  # then scans rank down to 50-80

For the detection side of the product — every scanner that produces those findings in the first place — see what BrassCoders detects.

Frequently Asked Questions

What does the Paid plan add that the OSS core doesn't?

Ranking, not detection. All 12 scanners run identically in the free OSS core. BrassCoders Paid ($12 per developer per month) adds an AI-powered enrichment pass that semantically deduplicates the findings and ranks them against your project's signature, cutting a typical 1500+ raw findings to a focused set of 50-80. The bugs found are the same; the output you read is shorter and ordered.

What gets sent to the BrassCoders gateway?

Already-redacted findings plus a project signature — up to 7,500 characters of non-sensitive metadata drawn from your README, manifest, and top-level filenames. Never raw source code, and never the redacted secret values. The OSS-only path sends nothing at all.

How does the enrichment decide what's important?

It embeds the findings and your project signature as vectors and ranks each finding by semantic relevance to what your project actually is. A finding in a core module of a payments service ranks above the same finding in a vendored test fixture. The semantic deduplication also collapses the near-duplicate findings a 12-scanner union produces into one.

Is there a markup on the enrichment cost?

No. The Paid plan includes 50 million enrichment tokens per month, enough for roughly 30-50 scans of a real codebase, and top-ups bill at the upstream API cost with no markup. Your downstream AI assistant (Claude, Cursor) is your own separate bill; BrassCoders doesn't resell it.

Do I have to pay to get good results?

No. The OSS core's heuristic deduplication already reduces a typical scan to roughly 300 findings, which many teams triage fine with their AI assistant. Paid earns its keep when 300 is still too many to read every scan and the ranking saves more than $12/month of attention. Start free; upgrade when the volume is the bottleneck.