Scanner Reference

Secret Scanner

Detects 60+ hardcoded API key patterns across all your files — Stripe, Supabase, OpenAI, Paystack, Flutterwave, M-Pesa, AWS, Firebase, GitHub, Twilio, SendGrid, Resend, MongoDB/Postgres/Redis URIs, and more. Specifically catches the most common AI coding mistake: live keys embedded as fallback values (e.g. process.env.STRIPE_KEY || 'sk_live_...'). These end up in your git history even after you "delete" them.

Injection Scanner

Finds SQL injection via template literals (db.query(`SELECT * FROM users WHERE id = ${id}`)), unsanitized req.body passed directly to database inserts, exec() calls with user-controlled input, NoSQL injection patterns, IDOR vulnerabilities, and mass assignment risks. AI coding tools regularly produce these patterns when speed is prioritized over safety.

Webhook Verifier

Checks webhook endpoint handlers for missing signature verification. Catches unverified Stripe webhooks (missing constructEvent), Paystack (missing HMAC check on x-paystack-signature), M-Pesa/Daraja (missing IP allowlist for 196.201.214.*, 196.201.213.*), GitHub (missing HMAC signature), and Flutterwave (missing verif-hash header check). An unverified webhook lets any attacker send fake payment confirmations to your app.

Environment Security

Verifies that .env files are listed in .gitignore and not tracked by git. Detects secrets accidentally exposed to the browser via NEXT_PUBLIC_ or VITE_ variable prefixes — anything prefixed this way gets bundled into client-side JavaScript and is visible to every visitor. Also flags .env.local and .env.production files committed to the repo.

CORS Misconfiguration

Catches cors({ origin: '*' }) on Express or Next.js apps that have authentication — a wildcard origin allows any website to make credentialed requests to your API on behalf of your users. Also detects overly permissive Access-Control-Allow-Origin headers set manually in API routes. AI tools frequently generate wildcard CORS as a "just make it work" fix.

Supply Chain Scanner

Compares your installed npm packages against a database of known malicious and typosquatted package names. Catches packages like lodahs (typosquat of lodash), crossenv (known credential stealer that exfiltrates environment variables on install), and dozens of other confirmed malicious packages. AI agents sometimes suggest slightly wrong package names that resolve to malicious packages.

Dependency CVE Checker

Sends your npm dependency names and versions to Google's OSV.dev API (no code is sent — package names only) and returns known CVEs for each package. Flags critical and high-severity vulnerabilities with the fix version so you can upgrade immediately. Runs without sending any of your source code.

Auth Configuration

Validates your authentication setup for Clerk, NextAuth, and Supabase Auth. Catches getSession() used in server-side code (should be getUser() — session data can be spoofed), sessions stored in localStorage instead of HTTP-only cookies, missing rate limiting on login and signup endpoints, and JWT secret keys that are too short or hardcoded.

Security Headers

Checks your deployed application URL for the presence and correct configuration of HTTP security headers: Content-Security-Policy (prevents XSS), Strict-Transport-Security (enforces HTTPS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), Referrer-Policy, and Permissions-Policy. Requires a deployed URL to run.

Git Security

Scans your git history for secrets that were committed and later "deleted" — deletion removes them from HEAD but they remain fully readable in git history. Also finds .gitignore gaps (common secret files not covered), .env files currently tracked by git, and committed node_modules. This is critical because anyone who clones your repo, including public forks, can read deleted secrets.

Supabase RLS Audit

Deep analysis of your Supabase Row Level Security policies by querying pg_policies. Catches the most dangerous RLS patterns: USING(true) (allows anyone to read all rows), disabled RLS on tables with sensitive data, auth.role() = 'authenticated' bypass (any logged-in user can access all rows, not just their own), auth.uid() IS NOT NULL bypass, missing policies entirely, and storage bucket misconfiguration. These are the exact patterns behind the Moltbook breach (1.5M API keys leaked) and Lovable CVE-2025-48757 (170 apps exposed).

Firebase Rules Audit

Reads and analyzes your Firebase security rules files (firestore.rules, storage.rules). Catches allow read, write: if true (fully public database), client-controlled userId checks where the attacker sets their own ID to bypass ownership rules, authentication-only policies that allow any authenticated user to access any document, and missing auth checks entirely.

App Security Scanner

Detects application-layer security gaps that AI agents routinely ship: missing rate limiting on auth and payment routes, IDOR (insecure direct object references — where changing an ID in the URL exposes another user's data), insecure password storage (plaintext, MD5, SHA-1, unsalted SHA-256, low-cost bcrypt), unsafe file uploads (no size limit, no type filter, public upload dirs), leaked error stack traces, sensitive data in logs, open redirects, and mass assignment via req.body spread.

AI Rules File Scanner

Scans your AI rules files (.cursorrules, .windsurfrules, CLAUDE.md, .github/copilot-instructions.md, and similar) for hidden attacks that hijack your coding agent: invisible Unicode characters and zero-width backdoors, base64-encoded payloads, suspicious URLs, and malicious instructions injected into the very files that steer your AI. A poisoned rules file can silently tell your agent to exfiltrate secrets or write in vulnerabilities.