Category: Vulnerability Detection. OWASP Top 10 tags: A01:2021, A03:2021, A05:2021, A07:2021, A10:2021

Source Code SAST Scanner

Scan connected GitHub repositories for high-risk auth, secret, CORS, SQL, SSRF, and cookie patterns.

Black-box URL scans cannot see server-side source code. The Source Code SAST scanner reads connected GitHub repositories and applies deterministic rules for common high-impact mistakes in Next.js, Supabase, and API route code.

What this scanner does

Searches source files for six pattern classes: server-side calls to Supabase getSession() (which returns the session from the request cookie without verifying the JWT with the Auth server, so server code should call getUser() instead), secret-like values in NEXT_PUBLIC_* variables (which Next.js inlines into the browser bundle), Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true, SQL built by template-literal interpolation instead of bound parameters, server-side fetch() of a URL taken from a route or search parameter, and auth cookies set without HttpOnly or Secure.

Why it matters

Many severe vulnerabilities produce no signal in a black-box scan of the running site but are obvious in source code. Catching these patterns in the repository, before deployment, keeps them out of production.

Common findings

  • getSession() trusted in a server route
  • NEXT_PUBLIC_* variable exposing a secret-like token
  • SQL query built with template interpolation
  • Server-side fetch using route or search parameter URL input
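A minimal version of the rule set described above, given here as an added example rather than the scanner's own code: it greps a constructed sample repository for the six patterns and reports each finding with its file and line. The rule ids, regexes, the OWASP tag on each rule, and the heuristic for which paths count as server-side are assumptions for illustration; the sample files are constructed, not taken from any real project.

```javascript
// Added example, not the scanner's own code: a line-based rule set for the six
// patterns this page lists, run over a constructed sample repository. Rule ids,
// regexes, per-rule OWASP tags and the "server-side path" heuristic are
// assumptions for illustration; a production scanner would match on an AST.

const RULES = [
  { id: "supabase-getsession-in-server-code", owasp: "A07:2021", serverOnly: true,
    pattern: /\.auth\.getSession\s*\(/,
    message: "getSession() returns the session from the cookie without verifying the JWT; use getUser() on the server" },
  { id: "next-public-secret-like-name", owasp: "A05:2021", serverOnly: false,
    pattern: /NEXT_PUBLIC_[A-Z0-9_]*(SECRET|PRIVATE|SERVICE_ROLE|PASSWORD|TOKEN)[A-Z0-9_]*/,
    message: "NEXT_PUBLIC_* values are inlined into the browser bundle; this name looks like a secret" },
  { id: "cors-wildcard-with-credentials", owasp: "A05:2021", serverOnly: false,
    pattern: /Access-Control-Allow-Origin["']?\s*[:,]\s*["']\*["']/,
    also: /Access-Control-Allow-Credentials["']?\s*[:,]\s*["']true["']/, // must occur in the same file
    message: "Allow-Origin: * with Allow-Credentials: true; browsers refuse the pair, and reflecting the request Origin instead exposes authenticated responses to any site" },
  { id: "sql-template-interpolation", owasp: "A03:2021", serverOnly: false,
    pattern: /`[^`]*\b(select|insert|update|delete)\b[^`]*\$\{/i,
    message: "SQL assembled with a template literal; pass values as bound parameters" },
  { id: "ssrf-fetch-of-request-input", owasp: "A10:2021", serverOnly: true,
    pattern: /\bfetch\s*\(\s*[^)]*\b(searchParams|params|req\.query|req\.body)\b/,
    message: "server-side fetch() of a URL taken from route or query input; allowlist the host first" },
  { id: "insecure-auth-cookie", owasp: "A07:2021", serverOnly: false,
    pattern: /\b(httpOnly|secure)\s*:\s*false\b/,
    message: "cookie set with HttpOnly or Secure explicitly disabled" },
];

// Heuristic (assumption): Next.js API routes, Route Handlers and middleware always run on the server.
function isServerPath(path) {
  return /(^|\/)(app|pages)\/api\//.test(path) || /(^|\/)(route|middleware)\.[jt]sx?$/.test(path);
}

// Scan one file; findings carry the 1-based line so a report can link to it.
function scanFile(file) {
  const findings = [];
  const lines = file.text.split("\n");
  for (const rule of RULES) {
    if (rule.serverOnly && !isServerPath(file.path)) continue;
    if (rule.also && !rule.also.test(file.text)) continue;
    lines.forEach((text, i) => {
      if (rule.pattern.test(text)) {
        findings.push({ rule: rule.id, owasp: rule.owasp, path: file.path,
                        line: i + 1, snippet: text.trim(), message: rule.message });
      }
    });
  }
  return findings;
}

// Scan every file and order findings by path, then line, for a stable report.
function scanRepo(files) {
  return files.flatMap(scanFile)
    .sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0) || a.line - b.line);
}

// Constructed sample repository: three files with the listed mistakes and one
// clean Route Handler (getUser(), allowlisted upstream host) that must yield nothing.
const SAMPLE_FILES = [
  { path: "app/api/profile/route.ts", text: `import { createClient } from "@/lib/supabase/server";

export async function GET(request: Request) {
  const supabase = createClient();
  const { data: { session } } = await supabase.auth.getSession();
  if (!session) return new Response("unauthorized", { status: 401 });
  const { searchParams } = new URL(request.url);
  const upstream = await fetch(searchParams.get("avatarUrl"));
  return new Response(await upstream.text(), {
    headers: {
      "Access-Control-Allow-Origin": "*",
      "Access-Control-Allow-Credentials": "true",
    },
  });
}` },
  { path: "app/dashboard/page.tsx", text: `"use client";
import { createClient } from "@supabase/supabase-js";
// service_role bypasses RLS and never belongs in a browser bundle; the anon key is the public one
const supabase = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL,
                              process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY);` },
  { path: "pages/api/users.js", text: [
    "export default async function handler(req, res) {",
    "  const rows = await db.query(`SELECT * FROM users WHERE email = '${req.query.email}'`);",
    '  res.setHeader("Set-Cookie", serialize("session", token, { httpOnly: false, secure: true }));',
    "  res.status(200).json(rows);",
    "}" ].join("\n") },
  { path: "app/api/orders/route.ts", text: `import { createClient } from "@/lib/supabase/server";
const ALLOWED_UPSTREAMS = new Set(["api.example.com"]);
export async function GET(request: Request) {
  const supabase = createClient();
  const { data: { user } } = await supabase.auth.getUser();
  if (!user) return new Response("unauthorized", { status: 401 });
  const target = new URL(new URL(request.url).searchParams.get("path") ?? "/", "https://api.example.com");
  if (!ALLOWED_UPSTREAMS.has(target.hostname)) return new Response("bad upstream", { status: 400 });
  return new Response(await (await fetch(target)).text());
}` },
];

for (const f of scanRepo(SAMPLE_FILES)) {
  console.log(`${f.path}:${f.line} [${f.owasp}] ${f.rule}: ${f.message}`);
}
```

The two server-only rules are the ones most worth keeping path-aware: getSession() in a client component is normal, and fetch() of a query parameter in browser code is a different (and much smaller) problem than in a Route Handler. The line-based matching is also why the clean handler passes: its host check happens on a different line from the fetch, which an AST-based rule would follow but a regex will not, so treat the regex rules as a first pass, not a proof of absence.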

OWASP Top 10 coverage

  • A01:2021 Broken Access Control
  • A03:2021 Injection
  • A05:2021 Security Misconfiguration
  • A07:2021 Identification and Authentication Failures
  • A10:2021 Server-Side Request Forgery (SSRF)


Related security checks

  • API Key Exposure Scanner (Vulnerability Detection): Detect exposed API keys, tokens, and secrets in your frontend code and responses.
  • Supabase Security Scanner (Configuration Audit): Audit your Supabase project for RLS misconfigurations, exposed APIs, and insecure auth settings.
  • Input Validation Scanner (Vulnerability Detection): Test form fields and API inputs for proper validation and sanitization.
