Start scan

Run a real scan on your AI-built app.

Paste a GitHub URL or upload a ZIP — that's all a scan needs. Everything else is optional.

Real backend scan

Scan a live site for free

Every account includes 2 free scans. No email verification during the beta — just an email and a password.

URL scans need no account. Sign up only when you want the exact fix prompts or source-code scanning.

Checking your session…

What will be checked

  • Gitleaks secret scan
  • npm audit dependency scan
  • Semgrep code security scan
  • Live site: security headers, exposed .env/.git, CORS
  • Live JS bundles: secrets baked in at build time
  • Live database exposure test (Supabase/Firebase)
  • Package reputation: typosquats and install scripts
  • AI app risks: exposed keys, unprotected LLM endpoints
  • Stripe webhook and payment checks
  • Next.js auth and admin route checks
  • Known framework CVEs (e.g. Next.js middleware bypass)
  • IDOR: routes that expose other users' data
  • Deployment, privacy, and cookie basics