Every vibe-coded app has a security grade.Most are failing.
AI ships your app fast — and ships exposed API keys, wide-open databases, and admin secrets straight to the browser with it. Paste any public repo and get the honest A–F card in ten seconds.
One free scan a day · No card required · We never store your code
Catches the mistakes shipped by
Three clicks to the truth
No account, no config. It just works.
Any public GitHub URL — or just owner/repo. No install, no signup.
We read the tree, grep for secrets, classify keys, and probe your database live.
An honest A–F card with every finding and exactly what to rotate. Shareable in one click.
A real card, not a vanity badge
Every grade is backed by findings you can act on — file, line, severity, and the fix. Critical leaks are verified live, so there's no arguing with them.
Stripe live keys, AWS, OpenAI, Anthropic, GitHub tokens, private keys — anything that shipped to the repo.
The admin key that bypasses every Row Level Security policy. Finding one is an automatic F.
We ask your database, with only the public key, if it hands over rows. If it does, that's real — and verified.
Privileged keys wired into NEXT_PUBLIC / VITE env vars that end up shipped to the browser.
Wildcard origins combined with credentials that let any site call your endpoints authenticated.
A weighted A–F score with a plain-English read on how exposed you actually are.
I didn't hack anything — I just asked, and your database answered. That's not a bug, that's an open door with a “welcome” mat.
It doesn't just find it. It hands your AI the fix.
The grade takes ten seconds. The prompt that repairs your app takes one paste.
Every scan ends with a prompt built for Claude Code, Codex or Cursor: each finding with its file, its line, and the rule it breaks. Paste it, and the agent starts fixing instead of investigating.
Asking an AI to "review my repo for security issues" means it reads your whole codebase to maybe spot what we already found. We give it the answer, so its context window goes on the fix — not the search.
Critical database findings are verified live: we ask your database, with only the public key, whether it hands over rows. If it does, that isn't a warning — it's a fact, and nobody on your team gets to argue with it.
Deleting a leaked key doesn't unleak it — it's still in your git history, and it still works. Moving it to a NEXT_PUBLIC_ variable ships it to the browser. We say so, and we tell you exactly what to rotate.
Free to scan. Pro to sleep at night.
Public scans are free forever. Upgrade when you have something to protect.
A quick look at what's public.
- 1 public repo scan / day
- Overall A–F grade
- Top 3 findings only
- Shareable report card
For shipping without surprises.
- Unlimited public & private repos
- Every finding, with file, line & fix
- Live Supabase RLS testing
- Monitoring & alerts on every push
- README security badge
- Downloadable PDF report + scan history
Questions, answered
How do I check if my GitHub repo has a leaked API key?
Paste the repo into Merge Risk and you get an answer in about ten seconds, free and without signing up. It reads the repository tree, greps every file for key patterns, and classifies what it finds — Stripe, AWS, OpenAI, Anthropic, GitHub tokens, private keys — so you learn not just that something leaked but exactly which file and line it leaked on. Note that deleting the key from the file is not enough: once a secret is in a commit it stays in your git history and must be rotated.
How do I know if my Supabase service_role key is exposed to the browser?
The service_role key bypasses every Row Level Security policy, so if it reaches the browser anyone can read and write your whole database. It's exposed if it appears in client-side code, or in an environment variable prefixed NEXT_PUBLIC_, VITE_ or PUBLIC_ — those are compiled into the JavaScript bundle you ship. Merge Risk scans for exactly this and grades it an automatic F. It also tests the other half: it asks your database, using only the public anon key, whether it will hand over rows. If it does, Row Level Security isn't protecting you, and we mark that finding live-verified.
Is this legal? Are you hacking my repo?
No. We only read what is already public on GitHub, and the RLS test makes the exact same request any browser can already make with your public anon key. No exploitation, no writes, nothing invasive.
What does the live RLS test actually do?
If your repo contains a public Supabase URL and anon key (both meant to be public), we ask PostgREST for one row from each exposed table. If it returns data without authentication, Row Level Security isn't protecting it — and we mark that finding as live-verified.
Which stacks do you support?
Today: JavaScript/TypeScript apps (Next.js, Vite, React) and Supabase — the stack most AI builders ship. More languages and databases are coming.
Do you store my code?
No. Scans run on the fly and nothing is stored unless you choose to share a report card. We never clone your repo or keep file contents.
Can I scan a private repo?
That's Pro — connect GitHub once and scan private repos, plus get monitoring and alerts on every push.
Can it fix the problems, not just find them?
Every report generates a prompt you paste straight into Claude Code, Codex or Cursor. It lists each finding with its file, its line and the rule it breaks, worst first — so the agent starts fixing instead of burning its context window re-reading your repo to find what we already found. It also tells you which keys to rotate, because deleting a secret from a file doesn't remove it from your git history.
Why not just ask my AI to review the code?
You can, and it will read a lot of tokens to maybe notice. We look in the places the leaks actually are, classify each key we find, and then prove the database one live — an AI reviewing its own output tends to trust it. Then we hand our findings to your AI so it spends its budget on the fix.