Check library
Secrets in code
Flags hardcoded API keys, passwords, tokens, and credentials before they ship.
Sensitive environment files
Catches real .env files with live values so private credentials do not get shared or committed.
Access Control
Catches routes that appear to read or change private data without first verifying who the user is.
Insecure Direct Object Reference
Flags routes that use record ids without an obvious ownership check tying that record to the current user.
Unsafe browser access
Detects wildcard CORS rules and risky credential setups that widen your attack surface.
Weak input validation
Highlights forms, APIs, and handlers that use incoming data without enough checks or sanitization.
SQL Injection
Looks for database queries that appear to build SQL directly from request values instead of using parameters.
Cross Site Scripting
Warns when HTML is rendered directly in the browser without a clear sanitization step.
Throttling
Warns when login, signup, or password routes do not show clear rate limiting or throttling protection.
Information Disclosure
Flags raw server errors and stack details that leak internals to end users.
Environment mistakes
Finds hardcoded localhost values and fixed settings that break once the app reaches production.
Session cookie safety
Checks whether login cookies appear to be missing basic safety flags like httpOnly, secure, or sameSite.
Browser security headers
Looks for missing security headers that help browsers block common mistakes and risky behavior.
Cross-site request protection
Warns when cookie-backed actions do not show an obvious CSRF token or trusted origin check.
Redirect safety
Looks for redirect destinations that come from user input and create phishing-style redirect flows.
Outbound request safety
Flags server-side requests that use attacker-controlled URLs or request fields directly.
File upload safety
Checks whether uploads appear to be missing type, size, or visibility guardrails.
Exposed internal routes
Warns when admin, debug, or internal endpoints look reachable without enough protection.
GitHub Actions safety
Reviews workflow files for broad permissions, risky pull_request_target usage, and secret-heavy workflows.
Supabase storage exposure
Looks for upload and bucket patterns that expose Supabase-stored files more broadly than intended.
Token and session handling
Checks for JWT/session patterns that look loosely verified or configured unsafely.
Recovery flow safety
Looks for password reset and verification flows that are missing expiry or single-use protections.
Dependency vulnerabilities
Checks npm packages for known published vulnerabilities so outdated dependencies do not become an easy entry point.
Next.js public secret exposure
Looks for secret-looking values pushed into NEXT_PUBLIC variables where they can land in the browser bundle.
Runs automatically when Next.js is detected
Supabase privileged key exposure
Flags service role usage that appears in application code or public configuration where it should never be exposed.
Runs automatically when Supabase is detected
Command Injection
Catches system commands and shell executions that interpolate unvalidated user input, a flaw that can lead to complete server takeover.
Path Traversal
Flags unvalidated directory or file operations that let attackers read internal source code or sensitive logs.
Weak Cryptography
Detects predictable randomness (like Math.random) and obsolete hashing algorithms used for security tokens.
Mass Assignment
Warns when raw, unvalidated API request payloads are written wholesale into data models, which can let a caller overwrite fields they should not control.