All systems operational

Every vibe-coded app has a security grade.Most are failing.

AI ships your app fast — and ships exposed API keys, wide-open databases, and admin secrets straight to the browser with it. Paste any public repo and get the honest A–F card in ten seconds.

Try:
or pick one of your repositories

One free scan a day · No card required · We never store your code

Catches the mistakes shipped by

ClaudeCodexCursorGeminiv0Lovable& many more

Three clicks to the truth

No account, no config. It just works.

01
Paste a repo

Any public GitHub URL — or just owner/repo. No install, no signup.

02
We inspect it

We read the tree, grep for secrets, classify keys, and probe your database live.

03
Get your grade

An honest A–F card with every finding and exactly what to rotate. Shareable in one click.

A real card, not a vanity badge

Every grade is backed by findings you can act on — file, line, severity, and the fix. Critical leaks are verified live, so there's no arguing with them.

Committed secrets

Stripe live keys, AWS, OpenAI, Anthropic, GitHub tokens, private keys — anything that shipped to the repo.

Supabase service_role

The admin key that bypasses every Row Level Security policy. Finding one is an automatic F.

Live RLS test

We ask your database, with only the public key, if it hands over rows. If it does, that's real — and verified.

Client-side leaks

Privileged keys wired into NEXT_PUBLIC / VITE env vars that end up shipped to the browser.

Permissive CORS

Wildcard origins combined with credentials that let any site call your endpoints authenticated.

Honest grade + roast

A weighted A–F score with a plain-English read on how exposed you actually are.

F
Wide open
acme/launch-app
64 files scanned · Next.js · Supabase

I didn't hack anything — I just asked, and your database answered. That's not a bug, that's an open door with a “welcome” mat.

Security score18/100
Supabase service_role key exposedCritical
.env.local:3
Public table "profiles" leaks dataLiveCritical
Stripe live key on the clientHigh
src/lib/pay.ts:12

It doesn't just find it. It hands your AI the fix.

The grade takes ten seconds. The prompt that repairs your app takes one paste.

From report to fix in one paste

Every scan ends with a prompt built for Claude Code, Codex or Cursor: each finding with its file, its line, and the rule it breaks. Paste it, and the agent starts fixing instead of investigating.

Stop paying tokens to rediscover bugs

Asking an AI to "review my repo for security issues" means it reads your whole codebase to maybe spot what we already found. We give it the answer, so its context window goes on the fix — not the search.

Proof, not a maybe

Critical database findings are verified live: we ask your database, with only the public key, whether it hands over rows. If it does, that isn't a warning — it's a fact, and nobody on your team gets to argue with it.

It knows the fake fix

Deleting a leaked key doesn't unleak it — it's still in your git history, and it still works. Moving it to a NEXT_PUBLIC_ variable ships it to the browser. We say so, and we tell you exactly what to rotate.

Free to scan. Pro to sleep at night.

Public scans are free forever. Upgrade when you have something to protect.

Free
€0forever

A quick look at what's public.

  • 1 public repo scan / day
  • Overall A–F grade
  • Top 3 findings only
  • Shareable report card
Scan a repo
Most popular
Pro
€9.99/ month

For shipping without surprises.

  • Unlimited public & private repos
  • Every finding, with file, line & fix
  • Live Supabase RLS testing
  • Monitoring & alerts on every push
  • README security badge
  • Downloadable PDF report + scan history

Questions, answered

How do I check if my GitHub repo has a leaked API key?

Paste the repo into Merge Risk and you get an answer in about ten seconds, free and without signing up. It reads the repository tree, greps every file for key patterns, and classifies what it finds — Stripe, AWS, OpenAI, Anthropic, GitHub tokens, private keys — so you learn not just that something leaked but exactly which file and line it leaked on. Note that deleting the key from the file is not enough: once a secret is in a commit it stays in your git history and must be rotated.

How do I know if my Supabase service_role key is exposed to the browser?

The service_role key bypasses every Row Level Security policy, so if it reaches the browser anyone can read and write your whole database. It's exposed if it appears in client-side code, or in an environment variable prefixed NEXT_PUBLIC_, VITE_ or PUBLIC_ — those are compiled into the JavaScript bundle you ship. Merge Risk scans for exactly this and grades it an automatic F. It also tests the other half: it asks your database, using only the public anon key, whether it will hand over rows. If it does, Row Level Security isn't protecting you, and we mark that finding live-verified.

Is this legal? Are you hacking my repo?

No. We only read what is already public on GitHub, and the RLS test makes the exact same request any browser can already make with your public anon key. No exploitation, no writes, nothing invasive.

What does the live RLS test actually do?

If your repo contains a public Supabase URL and anon key (both meant to be public), we ask PostgREST for one row from each exposed table. If it returns data without authentication, Row Level Security isn't protecting it — and we mark that finding as live-verified.

Which stacks do you support?

Today: JavaScript/TypeScript apps (Next.js, Vite, React) and Supabase — the stack most AI builders ship. More languages and databases are coming.

Do you store my code?

No. Scans run on the fly and nothing is stored unless you choose to share a report card. We never clone your repo or keep file contents.

Can I scan a private repo?

That's Pro — connect GitHub once and scan private repos, plus get monitoring and alerts on every push.

Can it fix the problems, not just find them?

Every report generates a prompt you paste straight into Claude Code, Codex or Cursor. It lists each finding with its file, its line and the rule it breaks, worst first — so the agent starts fixing instead of burning its context window re-reading your repo to find what we already found. It also tells you which keys to rotate, because deleting a secret from a file doesn't remove it from your git history.

Why not just ask my AI to review the code?

You can, and it will read a lot of tokens to maybe notice. We look in the places the leaks actually are, classify each key we find, and then prove the database one live — an AI reviewing its own output tends to trust it. Then we hand our findings to your AI so it spends its budget on the fix.

Know your grade before someone else does.

It takes ten seconds and it's free.

Scan your repo