The free scan is fully passive, so it never touches your app directly. It checks public GitHub repos associated with your domain for leaked credentials, looks at your security headers, checks certificate transparency logs, and probes a handful of common debug endpoints such as /.git/HEAD and /actuator/env.
The deep scan goes further: active endpoint probing, JS bundle analysis for secrets, CORS checks, Firebase and Supabase rule testing, and optional static analysis of a private repo via GitHub OAuth.
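To make the free scan's header and debug-endpoint checks concrete, here is an added example (not the product's own code) that runs the same kind of evaluation offline against captured responses from your own site; the sample headers and bodies are constructed, and the header list and body signatures are assumptions about what a sensible scanner would look for.

```python
"""Offline self-check modelled on the free scan's header and debug-endpoint checks.

Takes already-captured HTTP responses for your own site (constructed samples below)
and reports missing security headers and debug endpoints that look genuinely exposed,
rather than flagging every 200 (many apps answer 200 with a generic HTML error page).
"""
import re

# Assumed minimum set of response headers a scanner would expect on the homepage.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing",
    "content-security-policy": "CSP missing",
    "x-content-type-options": "X-Content-Type-Options missing",
}
# Body patterns that confirm the endpoint really serves the sensitive artefact:
# a git HEAD file is "ref: refs/..." or a bare 40-hex commit id; Spring's
# /actuator/env response is JSON containing "propertySources".
DEBUG_SIGNATURES = {
    "/.git/HEAD": re.compile(r"^(ref: refs/|[0-9a-f]{40}\s*$)"),
    "/actuator/env": re.compile(r'"propertySources"'),
}

def check_headers(headers):
    """Return findings for required security headers absent from a response (case-insensitive)."""
    present = {k.lower() for k in headers}
    return [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]

def exposed_debug_endpoints(responses):
    """responses: {path: (status, body)}. A path is exposed only on 200 plus a matching body."""
    found = []
    for path, pattern in DEBUG_SIGNATURES.items():
        status, body = responses.get(path, (404, ""))
        if status == 200 and pattern.search(body):
            found.append(path)
    return found

def run_self_check(home_headers, responses):
    return {"missing_headers": check_headers(home_headers),
            "exposed_debug_endpoints": exposed_debug_endpoints(responses)}

# Constructed sample: a site that sets HSTS and CSP but leaks its git HEAD; /actuator/env
# answers 200 with a generic HTML page and therefore must not be reported.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=63072000",
                  "Content-Security-Policy": "default-src 'self'"}
SAMPLE_RESPONSES = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/actuator/env": (200, "<html><body>Not found</body></html>"),
}

if __name__ == "__main__":
    print(run_self_check(SAMPLE_HEADERS, SAMPLE_RESPONSES))
```

The body signatures are what separate a real exposure from a catch-all 200 page, which is the main source of false positives in naive endpoint probing.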