Scan connected GitHub repositories for high-risk auth, secret, CORS, SQL, SSRF, and cookie patterns.
Overview
Black-box URL scans cannot see server-side source code. The Source Code SAST scanner reads connected GitHub repositories and applies deterministic rules for common high-impact mistakes in Next.js, Supabase, and API route code.
What this scanner does
It searches source files for server-side Supabase getSession() misuse, secrets stored in public-prefixed variables, wildcard CORS origins combined with credentials, SQL built by template-string interpolation, server-side fetches of user-controlled URLs, and insecure auth cookies.
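As an added illustration (not the scanner's own code or the page's), here is a miniature deterministic rule set for those six pattern families, run over a constructed sample repository; the regexes, file paths and snippets are assumptions, not the scanner's actual rules.

```javascript
// Added example (not the scanner's own code): miniature deterministic rules for the six
// pattern families listed above, run over constructed snippets; regexes and paths are assumptions.
const SERVER_FILE = /(^|\/)(app\/api\/|pages\/api\/|middleware\.[jt]s$|route\.[jt]sx?$)/;
const RULES = [
  { id: "supabase-getsession-on-server",
    hit: (src, path) => SERVER_FILE.test(path) && /\.auth\.getSession\(/.test(src),
    why: "getSession() returns cookie-derived claims without verifying them; use auth.getUser()" },
  { id: "public-prefixed-secret",
    hit: (src) => /NEXT_PUBLIC_[A-Z0-9_]*(SECRET|SERVICE_ROLE|PRIVATE|TOKEN)/.test(src),
    why: "NEXT_PUBLIC_ variables are inlined into the browser bundle" },
  { id: "wildcard-credentialed-cors",
    hit: (src) => /Access-Control-Allow-Origin['"]?\s*[:,]\s*['"]\*['"]/.test(src)
               && /Access-Control-Allow-Credentials['"]?\s*[:,]\s*['"]?true/.test(src),
    why: "any origin may send credentialed cross-site requests" },
  { id: "template-interpolated-sql",
    hit: (src) => /`\s*(SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{/i.test(src),
    why: "values interpolated into a SQL string; use parameterised queries" },
  { id: "ssrf-user-controlled-fetch",
    hit: (src) => /\bfetch\(\s*(?:new URL\()?\s*(?:req\.(?:query|body)|searchParams\.get\(|body\.url)/.test(src),
    why: "server-side fetch of a URL taken directly from the request" },
  { id: "insecure-auth-cookie",
    hit: (src) => {
      const m = src.match(/\.set\(\s*['"][^'"]*(?:session|token|auth)[^'"]*['"][^)]*\)/i);
      return !!m && !(/httpOnly\s*:\s*true/.test(m[0]) && /secure\s*:\s*true/.test(m[0]));
    },
    why: "auth cookie set without both httpOnly and secure" },
];
// Apply every rule to every file; returns one finding per (file, rule) hit.
function scan(files) {
  const findings = [];
  for (const { path, source } of files)
    for (const r of RULES) if (r.hit(source, path)) findings.push({ path, rule: r.id, why: r.why });
  return findings;
}
// Constructed sample repository: three files with problems and one clean file.
const SAMPLE_FILES = [
  { path: "app/api/me/route.ts",
    source: "const { data: { session } } = await supabase.auth.getSession();\n" +
            "cookies().set('session', token, { path: '/' });" },
  { path: "lib/db.ts",
    source: "const key = process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY;\n" +
            "await db.query(`SELECT * FROM users WHERE email = '${email}'`);" },
  { path: "pages/api/proxy.ts",
    source: "res.setHeader('Access-Control-Allow-Origin', '*');\n" +
            "res.setHeader('Access-Control-Allow-Credentials', 'true');\n" +
            "const upstream = await fetch(req.query.url);" },
  { path: "app/api/login/route.ts",
    source: "cookies().set('auth_token', t, { httpOnly: true, secure: true, sameSite: 'lax' });" },
];
for (const f of scan(SAMPLE_FILES)) console.log(`${f.path}: ${f.rule} (${f.why})`);
```

The clean login route produces no finding because its cookie carries both httpOnly and secure, which is the check a real rule must make to avoid false positives.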
Why it matters
Many severe vulnerabilities are invisible from the homepage but obvious in source code. Catching these patterns early prevents bugs from reaching production.
Common findings
OWASP Top 10 coverage
Related checks
Vulnerability Detection: Detect exposed API keys, tokens, and secrets in your frontend code and responses.
Configuration Audit: Audit your Supabase project for RLS misconfigurations, exposed APIs, and insecure auth settings.
Vulnerability Detection: Test form fields and API inputs for proper validation and sanitization.