Find webhook handlers that appear to trust provider events without verifying signatures.
Overview
Webhook endpoints mutate payment, auth, email, deployment, and repository state. This scanner reviews connected GitHub code for webhook-like routes and checks whether the provider's signature is verified before the payload is trusted.
What this scanner does
Searches webhook route files for Stripe, GitHub, Clerk, Svix, Shopify, Paddle, SendGrid, Resend, Twilio, Supabase, Vercel, and Netlify handlers. Flags handlers with no known signature verification pattern, and Stripe handlers that may not verify against the raw request body (the bytes the signature was computed over).
Why it matters
Unsigned webhooks can be forged by anyone who discovers the endpoint. Attackers can fake paid invoices, trigger internal workflows, or mutate application data.