Security scanning for every layer of your stack
Modern startups have a complex attack surface — web properties, APIs, databases, source code, dependencies, and AI pipelines. CodeSec covers all of it, so you can find and fix vulnerabilities before attackers do.
Website Security Scanning
Our automated crawler audits your public-facing web properties for the vulnerabilities attackers exploit most. You get a prioritized list of findings — with severity ratings, affected URLs, and step-by-step remediation — so your team knows exactly what to fix first.
- OWASP Top 10 vulnerability detection (XSS, CSRF, SQL injection, SSRF, and more)
- Security header analysis — CSP, HSTS, X-Frame-Options, Referrer-Policy
- SSL/TLS configuration audit — expired certs, weak ciphers, mixed content
- Exposed admin panels, sensitive files, and directory listings
- Clickjacking and open redirect detection
- Cookie security flags — Secure, HttpOnly, SameSite
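As an added illustration of the header and cookie checks listed above (example code written for this page, not CodeSec's scanner), the function below audits a response's headers for the four listed security headers and each Set-Cookie for the Secure, HttpOnly and SameSite flags, run over a constructed sample response:

```python
# Added example (not CodeSec's code): audit a response's security headers and
# cookie flags against the checks the list above names, then run it over a
# constructed sample response.
REQUIRED_HEADERS = {
    "content-security-policy": "no Content-Security-Policy header (CSP)",
    "strict-transport-security": "no Strict-Transport-Security header (HSTS)",
    "x-frame-options": "no X-Frame-Options header (clickjacking)",
    "referrer-policy": "no Referrer-Policy header",
}

def audit_cookie(set_cookie):
    """Return findings for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    # attribute names only, lower-cased: "SameSite=Lax" -> "samesite"
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure flag")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly flag")
    if "samesite" not in attrs:
        findings.append(f"cookie {name}: missing SameSite attribute")
    return findings

def audit_headers(headers):
    """Audit a list of (name, value) pairs; a list rather than a dict so that
    repeated Set-Cookie headers are not collapsed into one."""
    present = {name.lower() for name, _ in headers}
    findings = [msg for key, msg in REQUIRED_HEADERS.items() if key not in present]
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings

# Constructed sample: CSP missing, one hardened cookie and one with no flags
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

A real crawler would feed each fetched response's raw header list into `audit_headers` and attach the returned findings to the affected URL.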
API Security Scanning
REST and GraphQL APIs are the highest-value targets for attackers — and the hardest to test manually at scale. CodeSec tests your API endpoints for authentication weaknesses, injection flaws, and data exposure issues that DAST scanners miss.
- Authentication and authorization bypass detection
- Broken Object Level Authorization (BOLA/IDOR) testing
- Rate limiting and brute-force protection verification
- Injection vulnerabilities — SQL, NoSQL, command injection in API parameters
- GraphQL introspection and batching attack surface analysis
- Sensitive data exposure in API responses (PII, tokens, internal IDs)
Supabase Security Checker
Supabase powers thousands of startups — and most have misconfigured Row Level Security, exposed storage buckets, or auth settings that allow unintended access. Our Supabase scanner connects to your project and checks the configuration that matters most.
- Row Level Security (RLS) policy audit — tables with RLS disabled flagged immediately
- Storage bucket visibility — public buckets with sensitive content detected
- Auth configuration — weak password policies, email enumeration, unverified signups
- Database exposure — direct connection strings in client-side code
- CORS misconfiguration on Supabase Edge Functions
- Leaked service role keys and anon key misuse patterns
GitHub Secret Scanner
Hardcoded secrets in source code are the most common cause of startup data breaches. Our GitHub scanner analyzes your repositories — commit history included — to find credentials, tokens, and keys before they're exploited.
- API key and token detection across 100+ service providers (AWS, Stripe, OpenAI, GitHub, etc.)
- High-entropy string detection for custom secrets and private keys
- Commit history scanning — secrets committed and later deleted are still found
- .env file exposure detection in tracked files
- Private key and certificate detection (RSA, SSH, PGP)
- Custom secret pattern support for proprietary formats
CVE Dependency Scanner
Your open-source dependencies are part of your attack surface. A single vulnerable package can expose your entire application. Our CVE scanner checks your lockfiles against the NVD database and flags exploitable vulnerabilities with CVSS scores.
- npm, yarn, and pnpm lockfile analysis for JavaScript/Node.js projects
- pip and Poetry support for Python dependencies
- CVE database cross-reference with CVSS v3 severity scores
- Exploitability assessment — prioritizes known exploited vulnerabilities (KEV)
- Transitive dependency scanning — direct and indirect package trees
- Remediation guidance with recommended safe upgrade paths
AI Workflow Security
AI agents, LLM pipelines, and model integrations introduce a new class of security risks that traditional scanners weren't built to detect. CodeSec analyzes your AI workflows for prompt injection, over-permissioned agents, and LLM-specific attack patterns.
- Prompt injection vulnerability detection in LLM-facing inputs
- Agent permission scope analysis — overprivileged tool access flagged
- Sensitive data leakage through LLM context and memory
- Model API key exposure and insecure direct model access
- LangChain, LlamaIndex, and custom agent architecture review
- AI output sanitization gaps that enable downstream injection attacks