Start scan
Run a real scan on your AI-built app.
Paste a GitHub URL or upload a ZIP — that's all a scan needs. Everything else is optional.
Scan a live site for free
Every account includes 2 free scans. No email verification during the beta — just an email and a password.
URL scans need no account. Sign up only when you want the exact fix prompts or source-code scanning.
Checking your session…
What will be checked
- Gitleaks secret scan
- npm audit dependency scan
- Semgrep code security scan
- Live site: security headers, exposed .env/.git, CORS
- Live JS bundles: secrets baked in at build time
- Live database exposure test (Supabase/Firebase)
- Package reputation: typosquats and install scripts
- AI app risks: exposed keys, unprotected LLM endpoints
- Stripe webhook and payment checks
- Next.js auth and admin route checks
- Known framework CVEs (e.g. Next.js middleware bypass)
- IDOR: routes that expose other users' data
- Deployment, privacy, and cookie basics