Orchestrate AI agents.
In total security.
Runs locally.
The platform for developers who won't compromise on security or data sovereignty. Connect GitHub or GitLab, build your workflow, let the agent ship in hardened containers you control.
// workflows
Build the workflow your team actually follows.
Define your own steps, control which tools the agent can use at each one, set custom prompts per step, and decide exactly when human review is required. From quick patches to multi-phase feature delivery. Your call.
// integrations
GitHub and GitLab. Your issues, our agent.
Browse issues directly from the dashboard. The agent picks one up, analyzes it, executes the changes, and opens a merge or pull request. No copy-pasting, no manual handoff. Blocker relationships are respected: linked issues unblock automatically when their dependency closes.
// security
Security powered by ysa.
Open source, auditable.
Every container runs on ysa, the open source container runtime we built specifically for AI agents, Apache 2.0. A MITM proxy sits between the agent and the internet: GET-only in strict mode, domain allowlist, rate limits. Exfiltrating your code or credentials is made extremely difficult, even if the agent is instructed to. Keys are encrypted at rest and injected only at runtime.
// team
Organization-ready from day one.
Invite teammates, assign projects, manage roles. Tool presets and custom workflows are shared across your org so every team member runs the same guardrails.
// faq
Common questions
ysa stands for your secure agent, a name that reflects the two things we care about most: that the agent works for you, on your machine, with your code. And that security isn't optional.
No. The agent runs in Podman containers on your machine or your own server. Your codebase stays where it is. The only external calls are to the LLM API (using your own key) and to GitHub or GitLab for issue fetching and MR/PR creation, both of which you already trust with your code.
There are two kinds of keys. Integration tokens (for issue sources like GitHub or GitLab) are stored encrypted in the workspace database and used only to fetch issues. AI provider keys (Anthropic, Mistral) are configured directly on the agent and never stored on or sent to the server. The server never calls the LLM API. The agent running on your machine does, using your key directly.
No. Each issue gets an isolated git worktree on a dedicated branch. The agent works in complete isolation from your main branch. Nothing merges without you reviewing and approving the MR or PR. A git wrapper inside the container also strips dangerous git config options (hooks, SSH proxy, credential helpers) to prevent abuse.
ysa is the open source container runtime for AI agents: the security backbone. Hardened Podman containers, MITM network proxy, seccomp profiles, CLI and a clean API. It stays focused on that one job. ysa workspace is the open source orchestration layer built on top: issue workflow automation, GitHub and GitLab integration, customizable workflows, and team management. Both are open source. All container security comes from ysa.
Claude (Anthropic) and Mistral today, with multiple models available for each. You configure the provider and model per project. Support for self-hosted and local models is on the roadmap.
Yes, it's already running on real production codebases. The security model is solid. The product surface is still evolving: expect fast iteration and occasional rough edges. Open an issue or PR on GitHub if you hit something.
A web application works the same whether you're running locally or hosting on a VPS for your team. Open a browser, you're in. Team members can access a shared instance without installing anything. Single codebase, runs everywhere.
// open source
Both layers are open source.
Read every line.
ysa workspace is open source and self-hostable. The security backbone it runs on, ysa, is open source too. Read the seccomp profile, the MITM proxy, the OCI hooks. Fork it. Deploy it. Own it.