Find security issues in your repos.

Connect your repository and we scan the code. You see what needs fixing.

Read-only access. We never modify your code.
Code is scanned in memory, not stored.
Secrets are redacted in results.
JavaScript
TypeScript
Python
Go
Rust
Java
.NET
Node.js
React
Docker

What we find

Known Vulnerabilities

package.json
"dependencies": {
  "lodash": "4.17.20",
  "axios": "0.21.0"
}

CVE-2021-23337 · Prototype Pollution

Exposed Secrets

.env
DATABASE_URL=postgres://prod:[email protected]/app
STRIPE_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE

Stripe API key exposed in repository

SQL Injection

src/api/users.ts
app.get('/user', (req, res) => {
  const query = `SELECT * FROM users
    WHERE id = ${req.query.id}`;
  db.execute(query);
});

Unsanitized user input in query

Outdated Packages

package.json
"dependencies": {
  "react": "17.0.2",
  "next": "12.3.4",
  "typescript": "4.9.5"
}

react 17.0.2 → 18.3.1 available

End-of-Life

src/utils/http.js
const request = require('request');

request('https://api.example.com',
  (err, res, body) => {
    console.log(body);
});

request deprecated since 2020

Container Vulnerabilities

Dockerfile
FROM node:16-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
CMD ["node", "server.js"]

node:16-alpine has 23 known CVEs

How it works

1. Connect GitHub
   OAuth login with read-only access to your repositories.

2. Select repos
   Choose which repositories you want to scan.

3. See results
   Scan runs automatically. Issues sorted by severity.

Pricing

Per month. Cancel anytime.

Small

$5/month
  • 1 repository
  • Scan every 2 weeks
  • 5 manual scans/month
  • Basic SAST (5 rules)
  • CVEs + Secrets + Outdated
  • EOL detection
  • Export
  • Container scanning
Get started

Medium

Popular
$10/month
  • 5 repositories
  • Weekly scans
  • 20 manual scans/month
  • Full SAST (17 rules)
  • CVEs + Secrets + Outdated
  • EOL detection
  • Export
  • Container scanning
Get started

Pro

$20/month
  • Unlimited repositories
  • Daily scans
  • Unlimited manual scans
  • Full SAST (17 rules)
  • CVEs + Secrets + Outdated
  • EOL detection
  • Export
  • Container scanning
Get started

FAQ

Do you need write access to my repos?
No. We only request read access to fetch your code for scanning. We never push commits, create branches, or modify anything.
Is my code stored on your servers?
No. Code is fetched, scanned in memory, and discarded. Only scan results (vulnerability IDs, file paths, line numbers) are stored.
What about private repositories?
Works the same way. Your code stays private. We use your GitHub OAuth token to access repos you've explicitly selected.
How does the 14-day trial work?
Full access to all features. No credit card required. After 14 days, pick a plan or your account becomes read-only.
Can I scan GitLab or Bitbucket repos?
Not yet. GitHub only for now. GitLab support is planned.
How do I cancel?
Settings → Billing → Cancel. Takes effect at the end of your billing period.