Battlecard

Bugcrawl vs Delimit

Bug scanners find issues. Delimit signs the merge. Here is the architecture-level difference and how to use both together.

Three differences that don't close

Bugcrawl is Anthropic's 10-parallel-agent repository scanner inside Claude Code. It surfaces issues. The three things below are architecturally outside of what a single-vendor scanner can produce.

| Capability | Bugcrawl | Delimit |
| --- | --- | --- |
| Cross-vendor neutrality: Anthropic checks Anthropic. Independent governance is a structural ceiling on a vendor-bundled scanner. | Claude Code only | Claude, Codex, Cursor, Copilot, future |
| Decision-not-finding: Findings are advisory. Delimit produces a go/no-go merge decision with evidence attached. | List of issues | Pass / fail merge gate |
| External-consumable artifact: Auditors, LPs, and underwriters need an artifact they can cite. Workflow output isn't enough. | Inline UI / chat | Signed, replayable JSON attestation |
| Multi-model adjudication record: Disagreement preservation across heterogeneous vendors is part of the evidence trail. | Single-vendor agents | Per-model verdicts + dissent capture |
| Interop with other scanners | N/A | Bugcrawl, Snyk, Semgrep, CodeQL ingested as gate signals |

Proof asset

Here is a real signed deliberation attestation — the same structure Delimit produces around AI-assisted merges. This one captures the strategic deliberation that produced this battlecard, including a captured dissent on the Pro-tier framing.

attestation_id: att_bd959bf7daf719d6
subject_id: STR-190 (Bugcrawl response)
panel: 6 models · 2 rounds · 1 dissent captured
verifies: id ✓ · signature ✓ · transcript_hash ✓
replay_uri: https://delimit.ai/att/att_bd959bf7daf719d6

The signed JSON is committable, replayable, and tamper-evident. A scanner's output cannot be — that's the architectural delta.

Use both together

Bugcrawl, Snyk, Semgrep, and CodeQL findings flow into Delimit as pluggable scanner inputs. Their issue lists become gate signals; Delimit signs the merge decision that consumes them.

1. Scanner runs

Bugcrawl (or any scanner) emits findings via webhook. Delimit ingests them as upstream evidence.

2. Multi-model adjudicates

Heterogeneous models reach independent verdicts. Dissents are first-class data, not lost.

3. Delimit signs the merge

Pass/fail decision + scanner evidence + adjudication record + signature, all in one attestation.

"We already have Bugcrawl"

That's the input. The signed merge decision and the auditable record across all your AI assistants (not just Claude) is a different layer — and it's the layer a third-party reviewer asks to see. Delimit ingests Bugcrawl findings; it doesn't replace them.

See it on a real PR — the artifact above replays in your browser.