How It Works
Batou runs as a Claude Code hook on every file write and edit:

1. Batou scans: the hook sends the file content to the Batou engine, which runs pattern-based and semantic rules against the code.
2. Findings evaluated: each finding is scored by confidence (how likely it is a real issue) and classified with a CWE identifier.
3. Decision made: based on your organization’s blocking preset (see Blocking Presets below), the finding either blocks the write (PreToolUse) or warns inline (PostToolUse).
Where to Configure
Go to Agentic Security > Software Security (/security/software) and select the SAST tab.
Blocking Presets
Blocking presets control when Batou blocks a write vs. warns. Presets are based on confidence tiers: each preset names the lowest confidence tier that blocks, and findings below that tier warn instead.

| Tier | Description |
|---|---|
| Highest | Near-certain issues only — minimal friction |
| High | High-confidence findings block, others warn |
| Medium | Moderate and above confidence findings block |
| Low | Most findings block — maximum protection |
Disabling Rules
From the SAST tab, expand any rule to see its details and toggle it off. Disabled rules are skipped during scans across all agents in your organization.

Finding Lifecycle
Every Batou finding has a lifecycle status that tracks its resolution:

| Status | Meaning |
|---|---|
| Active | Finding is present in the current code and unresolved |
| Blocked | Finding triggered a block — the write was prevented |
| Fixed | Finding was present but has been resolved in a subsequent edit |
| Suppressed | Developer marked the finding as acceptable risk via inline comment |
Inline Suppression
To suppress a finding that is a false positive, add a comment above the flagged line. The target after `batou:ignore` is either a rule ID or a category name, and the text after `--` is a free-form justification. Suppressed findings are not deleted: they move to the Suppressed lifecycle status and stay visible in the Issue Resolution dashboard view.

| Format | Example |
|---|---|
| Single rule | // batou:ignore BATOU-AUTH-011 -- JWT auth is CSRF-immune |
| Category | // batou:ignore injection -- parameterized query used |
| Block | // batou:ignore-start xss … // batou:ignore-end |
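To make the three suppression forms concrete, here is an added example (not Batou's own parser) that reads `batou:ignore`, `batou:ignore-start` and `batou:ignore-end` comments out of a constructed source file and decides which findings they cover. The matching semantics are assumptions made for the demo: a single-line comment covers only the line directly below it, a target matches either a rule ID exactly or a category name case-insensitively, and an unclosed block or a stray `ignore-end` is reported as an error rather than silently suppressing the rest of the file. The `BATOU-INJ-001` and `BATOU-XSS-002` rule IDs are placeholders, not real Batou rules.

```python
"""Illustrative parser for Batou-style inline suppression comments.

Added example, not Batou's code. Matching rules (next-line scope for
single comments, exact rule id or case-insensitive category, strict
block pairing) are assumptions for this demo.
"""
import re
from dataclasses import dataclass

# "batou:ignore <target> -- <reason>"; the \s+ after "ignore" keeps this
# from also matching "batou:ignore-start".
IGNORE_LINE = re.compile(r"batou:ignore\s+([A-Za-z0-9_-]+)(?:\s+--\s*(.*))?")
IGNORE_START = re.compile(r"batou:ignore-start\s+([A-Za-z0-9_-]+)(?:\s+--\s*(.*))?")
IGNORE_END = re.compile(r"batou:ignore-end\b")


@dataclass(frozen=True)
class Finding:
    line: int
    rule_id: str
    category: str


@dataclass(frozen=True)
class Suppression:
    first_line: int
    last_line: int
    target: str
    reason: str

    def covers(self, finding: Finding) -> bool:
        """A suppression applies if the finding sits in its line range and
        its target names the finding's rule id or category (assumed semantics)."""
        if not self.first_line <= finding.line <= self.last_line:
            return False
        return (self.target == finding.rule_id
                or self.target.lower() == finding.category.lower())


def parse_suppressions(source: str) -> list:
    """Collect all suppressions in a file, raising on unbalanced block markers."""
    sups = []
    open_blocks = []  # stack of (start_line, target, reason) for nested blocks
    for number, text in enumerate(source.splitlines(), start=1):
        if m := IGNORE_START.search(text):
            open_blocks.append((number, m.group(1), m.group(2) or ""))
        elif IGNORE_END.search(text):
            if not open_blocks:
                raise ValueError(f"line {number}: batou:ignore-end without ignore-start")
            start, target, reason = open_blocks.pop()
            sups.append(Suppression(start, number, target, reason))
        elif m := IGNORE_LINE.search(text):
            # Single-line form: covers only the line directly below the comment.
            sups.append(Suppression(number + 1, number + 1, m.group(1), m.group(2) or ""))
    if open_blocks:
        start, target, _ = open_blocks[-1]
        raise ValueError(f"line {start}: batou:ignore-start {target} is never closed")
    return sups


def is_suppressed(finding: Finding, sups: list) -> bool:
    return any(s.covers(finding) for s in sups)


def unjustified(sups: list) -> list:
    """Suppressions with no '-- reason' text; worth surfacing in code review."""
    return [s for s in sups if not s.reason.strip()]


# Constructed sample file (line numbers matter for the checks below).
SAMPLE = """\
const token = req.headers.authorization;
// batou:ignore BATOU-AUTH-011 -- JWT auth is CSRF-immune
app.post('/transfer', handler);
// batou:ignore injection -- parameterized query used
db.query('SELECT * FROM users WHERE id = $1', [id]);
// batou:ignore-start xss
res.send(escapeHtml(name));
res.send(escapeHtml(title));
// batou:ignore-end
res.send(name);
"""

if __name__ == "__main__":
    sups = parse_suppressions(SAMPLE)
    for f in (Finding(3, "BATOU-AUTH-011", "csrf"),
              Finding(5, "BATOU-INJ-001", "injection"),   # placeholder rule id
              Finding(7, "BATOU-XSS-002", "xss"),         # placeholder rule id
              Finding(10, "BATOU-XSS-002", "xss")):
        print(f"line {f.line} {f.rule_id}: {'suppressed' if is_suppressed(f, sups) else 'active'}")
    for s in unjustified(sups):
        print(f"lines {s.first_line}-{s.last_line}: '{s.target}' suppressed without a reason")
```

Running it shows the first three findings suppressed and the `res.send(name)` on line 10 still active, since it sits outside the `ignore-start`/`ignore-end` range; the `xss` block is also reported because it carries no justification, which is the kind of suppression a reviewer should ask about.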
Dashboard
The SAST dashboard is available under Monitor > Dashboards and provides several views:

Scan Activity
Lines scanned and average scan time over your selected time range. Tracks scanning volume across your organization.

Detection Confidence
Distribution of findings by confidence tier, showing how many findings fall into each confidence level. Higher-confidence findings are more likely to be real issues.

Top Active Risks
The highest-confidence unresolved findings across your organization, ranked by confidence score. Use this to prioritize remediation.

Vulnerability Categories
Breakdown of findings by CWE category (e.g., CWE-79 XSS, CWE-89 SQL Injection), showing which vulnerability classes appear most frequently.

Issue Resolution
Tracks finding lifecycle over time — how many findings are Active, Fixed, Suppressed, or Blocked. Use this to measure your organization’s remediation velocity.

Supported Languages
Batou scans files based on their extension. Currently supported:

| Language | Extensions |
|---|---|
| JavaScript | .js, .jsx, .mjs, .cjs |
| TypeScript | .ts, .tsx |
| Python | .py |
| Go | .go |
| Java | .java |
| Ruby | .rb |
| PHP | .php |
| Shell | .sh, .bash, .zsh |
Claude Code Integration
Batou integrates with Claude Code via hooks configured automatically by the Turen agent. No developer setup is needed. The agent registers hooks on two event types:

- PreToolUse — Scans before the write is applied. Can block the write if a finding exceeds the confidence threshold.
- PostToolUse — Scans after the write is applied. Provides hints to Claude Code about findings that didn’t meet the blocking threshold.
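The following added example models how the two hook events and a blocking preset fit together, tying the How It Works steps, the Blocking Presets table and the Supported Languages table to one decision. It is not Batou's or the Turen agent's code: the scan engine is out of scope, so findings arrive already scored, and the `BATOU-INJ-001` / `BATOU-XSS-002` rule IDs are placeholders. The hook payload keys used (`hook_event_name`, `tool_name`, `tool_input.file_path`) are the ones a Claude Code hook reads from stdin, and exit code 2 is the documented way for a hook to block a tool call; how a PostToolUse hint is delivered back to Claude Code is not modelled beyond returning the text.

```python
"""Illustrative model of a PreToolUse / PostToolUse hook applying a
Batou blocking preset. Added example, not Batou's code: findings are
constructed and handed in already scored."""
import json
import os
import sys
from dataclasses import dataclass

# Preset and tier names from the Blocking Presets table; the ranks are
# this example's own ordering (a preset blocks its tier and everything above).
TIER_RANK = {"Low": 0, "Medium": 1, "High": 2, "Highest": 3}

# Extension table from the Supported Languages section.
SUPPORTED = {
    ".js": "JavaScript", ".jsx": "JavaScript", ".mjs": "JavaScript", ".cjs": "JavaScript",
    ".ts": "TypeScript", ".tsx": "TypeScript",
    ".py": "Python", ".go": "Go", ".java": "Java", ".rb": "Ruby", ".php": "PHP",
    ".sh": "Shell", ".bash": "Shell", ".zsh": "Shell",
}


@dataclass(frozen=True)
class Finding:
    rule_id: str   # placeholder ids in the sample below are hypothetical
    cwe: str
    tier: str      # one of TIER_RANK's keys
    line: int
    message: str


def language_for(path: str):
    """Map a path to its supported language, or None if Batou would skip the file."""
    return SUPPORTED.get(os.path.splitext(path)[1].lower())


def target_file(payload: dict):
    """Pull the written path out of a Write/Edit hook payload (other tools are ignored)."""
    if payload.get("tool_name") not in ("Write", "Edit"):
        return None
    return payload.get("tool_input", {}).get("file_path")


def partition(findings, preset: str):
    """Split findings into block (at or above the preset's tier) and warn (below it)."""
    threshold = TIER_RANK[preset]
    blocking = [f for f in findings if TIER_RANK[f.tier] >= threshold]
    warning = [f for f in findings if TIER_RANK[f.tier] < threshold]
    return blocking, warning


def decide(payload: dict, findings, preset: str):
    """Return (exit_code, message) for one hook invocation.

    Exit code 2 with the message on stderr is how a Claude Code hook blocks
    the tool call; exit 0 lets the write proceed.
    """
    path = target_file(payload)
    if path is None or language_for(path) is None:
        return 0, ""  # not a Write/Edit of a supported source file: nothing to scan
    blocking, warning = partition(findings, preset)
    event = payload.get("hook_event_name")
    if event == "PreToolUse" and blocking:
        lines = [f"BLOCK {f.rule_id} ({f.cwe}, {f.tier} confidence) {path}:{f.line}: {f.message}"
                 for f in blocking]
        return 2, "\n".join(lines)
    if event == "PostToolUse" and warning:
        # The write already happened; below-threshold findings become inline hints.
        lines = [f"WARN {f.rule_id} ({f.cwe}, {f.tier} confidence) {path}:{f.line}: {f.message}"
                 for f in warning]
        return 0, "\n".join(lines)
    return 0, ""


# Constructed sample input: one write of a TypeScript file with two scored findings.
SAMPLE_PAYLOAD = {
    "hook_event_name": "PreToolUse",
    "tool_name": "Write",
    "tool_input": {"file_path": "src/login.ts", "content": "/* file body omitted */"},
}
SAMPLE_FINDINGS = [
    Finding("BATOU-INJ-001", "CWE-89", "Highest", 12, "SQL query built by string concatenation"),
    Finding("BATOU-XSS-002", "CWE-79", "Medium", 40, "unescaped value rendered into HTML"),
]

if __name__ == "__main__":
    # Stand-alone run: take the hook payload from stdin when piped, otherwise
    # use the constructed one; the constructed findings stand in for a real scan.
    payload = SAMPLE_PAYLOAD if sys.stdin.isatty() else json.load(sys.stdin)
    code, message = decide(payload, SAMPLE_FINDINGS, "High")
    print(message, file=sys.stderr if code == 2 else sys.stdout)
    sys.exit(code)
```

With the `High` preset the PreToolUse call exits 2 on the `Highest` SQL injection finding and never mentions the `Medium` XSS one, which instead surfaces as a hint on the PostToolUse call; switching to `Low` blocks both and leaves nothing to hint, and a write to `README.md` is skipped entirely because `.md` is not a supported extension.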