// WARNING: WRECKED INITIATED// 10 SCANNERS ACTIVE// ZERO BS// AI WROTE IT. WE BREAK IT.

Your AI
Wrote It.
We Break It.

Paste a GitHub URL or drop a ZIP. 10 scanners rip through your code in ~60s. Grade + explanations + fixes. No mercy.


Max 50MB. Pro unlocks AI explanations.

Process

Four steps.
One grade. Full clarity.

No setup, no configuration. Paste a URL and get a security audit graded like a report card.

01
Paste a URL or drop a ZIP
Any public GitHub repo or a local ZIP archive. We shallow-clone or extract instantly.
02
Ten scanners run
Semgrep, Gitleaks, npm audit, Trivy, OSV-Scanner, KICS, Bandit, Hadolint, Auth Gap, and Env Leak rip through your code in parallel. Typical repos take about a minute; big ones can take a few.
03
Claude explains it
Every vulnerability gets a plain-English explanation and a concrete fix suggestion.
04
You get a grade
A through F, calculated from a penalty-weighted severity system. No ambiguity.
Sample Output

OWASP Juice Shop scan result

This is exactly what you see after a scan — no sign-up required to try it.

Case ID: VC-2026-04819 · Classification: PUBLIC
juice-shop/juice-shop
Scanned 47s ago · 1,247 files analyzed · 10 scanners deployed · Complete
Grade: F (12 / 100)

Threat Summary (Pro tier)
  • 12 WRECKED
  • 23 YIKES
  • 31 SKETCHY
  • 18 MEH / FYI
Intelligence Report

  • WRECKED: SQL Injection via unsanitized query construction
    routes/login.ts:42 — User input concatenated directly into SQL string [semgrep]
  • WRECKED: Hardcoded GitHub Personal Access Token
    config/env.js:7 — pat_example_token... [gitleaks]
  • YIKES: Prototype Pollution in lodash@…
    package.json — CVE-2020-8203, CVSS 9.8 [npm audit]
  • YIKES: Reflected Cross-Site Scripting (XSS)
    frontend/src/search.ts:118 — innerHTML with user-controlled input [semgrep]
  • SKETCHY: JWT signed with weak hardcoded secret
    lib/insecurity.ts:22 — jwt.sign(payload, 'secret') [semgrep]
Powered By

Ten scanners. One verdict.

Industry-standard scanners plus custom security checks, orchestrated in parallel and narrated by AI.

Semgrep
Static Analysis (SAST)
Pattern-based code analysis that finds injection flaws, insecure API usage, and logic errors across 30+ languages.
SQL injection · XSS · dynamic code exec · path traversal · weak crypto
Gitleaks
Secret Detection
Scans every file for hardcoded secrets, API keys, tokens, and credentials that should never be committed.
API keys · GitHub tokens · AWS secrets · private keys · JWTs
npm audit
Dependency Scanning
Cross-references your package.json dependencies against the npm advisory database for known CVEs.
CVE lookup · CVSS scores · transitive deps · fix versions
Trivy
Vuln + Misconfig Scanner
Comprehensive scanner for OS packages, language deps, and infrastructure misconfigurations.
CVE database · IaC misconfig · SBOM · multi-ecosystem
OSV-Scanner
Supply Chain Analysis
Google’s open-source vulnerability database scanner. Catches what npm audit misses across all ecosystems.
GHSA advisories · Go · Python · Rust · cross-ecosystem
KICS
IaC Security Scanner
Finds infrastructure-as-code misconfigurations in Kubernetes, Terraform, Docker, and cloud templates before they hit production.
Kubernetes · Terraform · cloud misconfig · public exposure
Bandit
Python Security Linter
AST-based security linter for Python. Catches shell injection, hardcoded passwords, and unsafe deserialization.
shell injection · unsafe exec · deserialization · hardcoded creds
Hadolint
Dockerfile Linter
Lints your Dockerfile against best practices. Catches running as root, unpinned versions, and insecure configs.
root user · apt pinning · multi-stage · COPY vs ADD
Auth Gap
Auth Flow Analyzer
Detects API route handlers that appear to miss authentication guards in Next.js and Express code.
missing auth guard · unprotected routes · Next.js API · Express routes
Env Leak
Client Env Exposure
Flags client-side process.env usage that is not NEXT_PUBLIC_ in JS/TS files.
process.env · NEXT_PUBLIC_ · client components · env exposure
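The Env Leak check above is described only in one sentence: flag client-side process.env usage that is not prefixed NEXT_PUBLIC_. The following is an added example of how such a check can be implemented as a small static detector; it is not the product's own scanner code. The heuristics it uses are assumptions: a file counts as client-side when it opens with a "use client" directive or lives under pages/ but not pages/api/ (the Next.js pages router ships those files to the browser), literal references without the prefix are flagged, and dynamic process.env[expr] access is flagged separately because the variable name cannot be verified statically. The sample files are constructed for the example.

```javascript
// Added example (not the product's own code): a minimal "client env exposure" detector.
// Assumptions are documented inline; the input repository below is constructed.

const PUBLIC_PREFIX = "NEXT_PUBLIC_";

// Literal accesses: process.env.FOO, process.env["FOO"], process.env['FOO']
const LITERAL_ACCESS =
  /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*(['"])([A-Za-z_][A-Za-z0-9_]*)\2\s*\])/g;
// Dynamic accesses: process.env[someExpression] where the index is not a quoted literal
const DYNAMIC_ACCESS = /process\.env\[(?!\s*['"])/g;

// Assumed client-side markers: a leading "use client" directive, or a pages-router file
// outside pages/api/. Everything else is treated as server-side and skipped.
function isClientFile(path, source) {
  const head = source.trimStart();
  if (/^(['"])use client\1;?/.test(head)) return true;
  if (path.startsWith("pages/") && !path.startsWith("pages/api/")) return true;
  return false;
}

// Scan one file and return findings with file, line, variable name and severity label
// (labels reuse the page's own WRECKED/YIKES/SKETCHY/MEH tiers; the mapping is an assumption).
function findEnvLeaks(path, source) {
  const findings = [];
  if (!isClientFile(path, source)) return findings;
  source.split("\n").forEach((text, idx) => {
    const line = idx + 1;
    let m;
    LITERAL_ACCESS.lastIndex = 0;
    while ((m = LITERAL_ACCESS.exec(text)) !== null) {
      const name = m[1] || m[3];
      if (!name.startsWith(PUBLIC_PREFIX)) {
        findings.push({
          file: path, line, variable: name, severity: "SKETCHY",
          message: `process.env.${name} referenced in client-side code without the ${PUBLIC_PREFIX} prefix`,
        });
      }
    }
    DYNAMIC_ACCESS.lastIndex = 0;
    while ((m = DYNAMIC_ACCESS.exec(text)) !== null) {
      findings.push({
        file: path, line, variable: null, severity: "MEH / FYI",
        message: "dynamic process.env[...] access in client-side code; variable name cannot be verified",
      });
    }
  });
  return findings;
}

// Scan a map of path -> source text (stands in for a checked-out repository).
function scanFiles(files) {
  return Object.entries(files).flatMap(([path, source]) => findEnvLeaks(path, source));
}

// Constructed sample repository; these are not files from any real project.
const SAMPLE_FILES = {
  "app/components/Search.tsx": [
    '"use client";',
    'import { useState } from "react";',
    "const endpoint = process.env.NEXT_PUBLIC_API_URL; // not flagged: public by design",
    "const stripeKey = process.env.STRIPE_SECRET_KEY;   // flagged: server-only name in a client component",
    "const picked = process.env[someName];             // flagged: cannot be verified statically",
    "export default function Search() { return null; }",
  ].join("\n"),
  "pages/index.tsx": [
    'const flag = process.env["FEATURE_FLAG"]; // flagged: pages-router file, no prefix',
    "export default function Home() { return null; }",
  ].join("\n"),
  "pages/api/login.ts": [
    "const secret = process.env.JWT_SECRET; // not flagged: API routes run server-side",
    "export default function handler(req, res) { res.status(200).end(); }",
  ].join("\n"),
  "lib/db.ts": [
    "export const url = process.env.DATABASE_URL; // not flagged: no client marker",
  ].join("\n"),
};

const results = scanFiles(SAMPLE_FILES);
for (const f of results) {
  console.log(`${f.severity}\t${f.file}:${f.line}\t${f.message}`);
}
```

Because the detector is purely textual it will not see environment access that goes through an alias (`const env = process.env`) or a shared helper module imported into a client component, so a real scanner needs either a follow-the-import pass or an AST-based rule; the example is deliberately limited to the direct pattern the page describes.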
Pricing

Free to scan. Pro to go deep.

Free gives you the verdict. Pro gives you the why, the fix, and the full blast radius.

Free
For quick checks and drive-bys.
$0
Forever
  • Scan public repos and ZIPs
  • 10 scanners included
  • Letter grade + top findings
  • No signup required
Tip: free scans show a limited set of findings. Pro unlocks the full report.
Pay per scan
Single Scan
One deep dive, no strings.
$4.99
One-time
  • AI explanations + suggested fixes
  • Full findings (no hidden counts)
  • No commitment, pay as you go
  • Login required to save report
Most popular
Pro
For builders shipping real apps.
$9.99
/ month
Cancel anytime
  • Everything in Single Scan
  • Unlimited AI explanations
  • More scan + explain capacity
  • Best effort for bigger repos (longer timeouts)
Pro requires login so your reports stay private to your account.
Under the Hood

What runs when you hit Scan

scan pipeline — juice-shop/juice-shop
git clone --depth=1 --single-branch https://github.com/juice-shop/juice-shop
Cloned 1,247 files in 4.2s
 
# Running 10 scanners in parallel...
semgrep --config=auto --json .    [SAST]
gitleaks detect --source=. --report-format=json  [secrets]
npm audit --json                             [deps]
trivy fs --scanners vuln,misconfig --format json .  [vuln+iac]
osv-scanner --format json --recursive .         [supply-chain]
kics scan -p . --report-formats json          [iac]
bandit -r . -f json -q                        [python]
hadolint --format json Dockerfile             [container]
 
semgrep     42 findings — 12 critical, 18 high, 12 medium
gitleaks    7 secrets exposed — GitHub token, AWS key...
npm audit   84 vulnerabilities — lodash, moment
trivy       23 vulns + 5 misconfigs — 3 critical
osv-scanner 11 advisories — GHSA-xxxx-yyyy
kics         6 IaC issues — public ingress exposed
bandit      3 python findings — shell injection
hadolint    4 Dockerfile issues — running as root
 
# Sending 180 findings to Claude Haiku for explanation...
Generated plain-English summaries and fix suggestions in 3.1s
 
# Calculating grade...
▲ GRADE: F — Score 12/100 (penalty: 12x critical, 23x high)
 
Cleaning up clone...
Ready to Scan

Your AI wrote it.
We find what it broke.

Paste a GitHub URL or drop a ZIP. 10 scanners rip through your code in about a minute for most repos (big ones can take a few minutes). Letter grade + full breakdown. Free. No login.