What We Scan
The security issues we detect
CRITICAL
Hardcoded Secrets
API keys, database passwords, tokens, and credentials embedded in source code. One git push and they're exposed forever.
// Example
const stripe = new Stripe("sk_live_abc123...")
CRITICAL
Vulnerable Dependencies
npm packages with known security vulnerabilities (CVEs). Attackers have automated scanners looking for these.
lodash@4.17.15 — prototype pollution vulnerability
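The version check at the heart of a dependency audit, as an added example that is not the scanner's own code. `npm audit` resolves the versions recorded in the lockfile and compares each against the registry's advisory database; here the advisory list is constructed, and its `fixedIn` value is an obvious placeholder rather than the real advisory's fixed version.

```javascript
// Added example, not the scanner's own code. The advisory entry is constructed:
// replace the PLACEHOLDER fixed version with the value from the real advisory.
const ADVISORIES = [
  { package: "lodash", title: "prototype pollution", fixedIn: "9.9.9" /* PLACEHOLDER */ },
];

// Parse "major.minor.patch", tolerating a leading ^ or ~ range operator and a
// trailing prerelease tag; anything else is rejected rather than guessed.
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error("unsupported version string: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: a plain string compare would put "4.17.15" before "4.17.9".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// installed: { name: resolvedVersion } as read from the lockfile, not the
// package.json range, since "^4.17.15" may resolve to a later, fixed release.
function auditDependencies(installed, advisories) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    for (const adv of advisories) {
      if (adv.package === name && compareVersions(version, adv.fixedIn) < 0) {
        findings.push({
          severity: "CRITICAL",
          package: name,
          installed: version,
          fixedIn: adv.fixedIn,
          title: adv.title,
        });
      }
    }
  }
  return findings;
}

// Constructed lockfile excerpt: resolved versions for two packages.
const INSTALLED = { lodash: "4.17.15", express: "4.18.2" };

console.log(auditDependencies(INSTALLED, ADVISORIES));
```

The point a practitioner should take from this is the input: audit the resolved versions in the lockfile, because the range in package.json says nothing about what is actually installed on the build machine.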
CRITICAL
Injection Patterns
SQL injection, command injection, and other patterns where user input goes directly into queries or system commands.
db.query(`SELECT * FROM users WHERE id = ${userId}`)
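A rule-based line scanner covering both source-level categories above, hardcoded secrets and injection patterns, as an added example that is not the scanner's own code. Tools such as TruffleHog and Semgrep ship far larger rule sets and, for injection, follow data flow rather than matching a single line; the rules and the sample source here are constructed to show the shape of the check, and the key value in the sample is a made-up placeholder.

```javascript
// Added example, not the scanner's own code. Rules and sample source are constructed.

const SECRET_RULES = [
  // Stripe-style live key: fixed prefix followed by a long alphanumeric body
  { name: "stripe-live-key", re: /sk_live_[0-9A-Za-z]{16,}/ },
  // Credential assigned as a string literal
  { name: "hardcoded-credential", re: /\b(password|passwd|secret|token)\s*[:=]\s*["'][^"']{8,}["']/i },
  // Connection string carrying user:password@host
  { name: "connection-string-credential", re: /\w+:\/\/[^\s:@/"']+:[^\s@"']+@/ },
];

// Injection rules only fire on lines that call a query/exec-style sink, so an
// interpolated log message is not reported.
const SINK_CALL = /\.(query|execute|raw|exec)\s*\(/;
const INJECTION_RULES = [
  // Template literal with ${...} interpolation passed to a sink
  { name: "interpolated-query", re: /`[^`]*\$\{[^}]*\}[^`]*`/ },
  // SQL string literal concatenated with an expression
  { name: "concatenated-query", re: /["'][^"']*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"']*["']\s*\+/i },
];

// Keep the first 8 characters for triage and hide the rest, so the report
// itself does not become a second copy of the leaked secret.
function redact(s) {
  return s.slice(0, 8) + "*".repeat(Math.max(0, s.length - 8));
}

function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const rule of SECRET_RULES) {
      const m = rule.re.exec(line);
      if (m) {
        findings.push({ line: idx + 1, category: "secret", rule: rule.name, sample: redact(m[0]) });
      }
    }
    if (SINK_CALL.test(line)) {
      for (const rule of INJECTION_RULES) {
        if (rule.re.test(line)) {
          findings.push({ line: idx + 1, category: "injection", rule: rule.name, sample: line.trim() });
        }
      }
    }
  });
  return findings;
}

// Constructed sample: two secret leaks, two injection sinks, and their safe forms.
// The key value is a placeholder, not a real credential.
const SAMPLE_SOURCE = [
  'const stripe = new Stripe("sk_live_EXAMPLEPLACEHOLDER0000000000");',   // 1: flagged
  'const db = connect("postgres://app:ExamplePass123@db.internal/app");', // 2: flagged
  'const stripeSafe = new Stripe(process.env.STRIPE_SECRET_KEY);',          // 3: safe, from env
  'db.query(`SELECT * FROM users WHERE id = ${userId}`);',                  // 4: flagged
  'db.query("SELECT * FROM users WHERE id = " + userId);',                  // 5: flagged
  'db.query("SELECT * FROM users WHERE id = $1", [userId]);',               // 6: safe, parameterized
  'console.log(`lookup for ${userId}`);',                                   // 7: safe, not a sink
].join("\n");

console.log(scanSource(SAMPLE_SOURCE));
```

Lines 3 and 6 are the remediations the findings should lead to: the secret read from the environment at runtime, and the query text fixed with user input passed only as a bound parameter.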
HIGH
Unsafe Configurations
Debug mode enabled in production, exposed admin endpoints, insecure cookie settings, and other configuration issues.
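A configuration linter for the issues listed above, as an added example that is not the scanner's own code. The config shape (`env`, `debug`, `cookie.*`, `adminPath`, `adminAuth`) is a constructed illustration, not any framework's real schema; the two sample configs are constructed as well, the weak one beside its corrected form.

```javascript
// Added example, not the scanner's own code. Config shape and samples are constructed.

function lintConfig(cfg) {
  const findings = [];
  const flag = (key, msg) => {
    findings.push({ severity: "HIGH", key, msg });
  };
  const prod = cfg.env === "production";

  // Debug mode in production exposes stack traces and internals to end users;
  // the same flag in a development config is not a finding.
  if (prod && cfg.debug === true) flag("debug", "debug mode enabled in production");

  // Session cookie flags: each missing or false flag is its own finding.
  const cookie = cfg.cookie || {};
  if (cookie.secure !== true) flag("cookie.secure", "cookie can be sent over plain HTTP");
  if (cookie.httpOnly !== true) flag("cookie.httpOnly", "cookie readable by page scripts");
  if (!["strict", "lax"].includes(cookie.sameSite)) {
    flag("cookie.sameSite", "sameSite not set to strict or lax");
  }

  // Admin routes mounted without an authentication requirement.
  if (cfg.adminPath && !cfg.adminAuth) {
    flag("adminAuth", "admin endpoint " + cfg.adminPath + " has no auth requirement");
  }
  return findings;
}

// Constructed samples: the weak config and its corrected form.
const WEAK_CONFIG = {
  env: "production",
  debug: true,
  cookie: { secure: false, httpOnly: false },
  adminPath: "/admin",
  adminAuth: null,
};
const HARDENED_CONFIG = {
  env: "production",
  debug: false,
  cookie: { secure: true, httpOnly: true, sameSite: "lax" },
  adminPath: "/admin",
  adminAuth: "sso",
};

console.log(lintConfig(WEAK_CONFIG));
console.log(lintConfig(HARDENED_CONFIG));
```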
Detection approach
Our detection is based on OWASP Top 10 and real-world breach patterns. We use static analysis tools (Semgrep, TruffleHog) combined with dependency auditing (npm audit).