Security Scanner

AI-powered pentest simulation and compliance check for your project.

Indie tier or higher required. The Security Scanner is included in all paid tiers: Indie ($197), Builder ($397), Team ($997), and Enterprise. See all tiers.

What it does

The Security Scanner analyzes your project's actual codebase for vulnerabilities and generates a structured security report with severity ratings, CWE references, and actionable fixes. It runs entirely locally on your machine — no code leaves your system.

The Security tab is available once you've set a source path for the idea. See the Coder Agent guide for instructions on linking your project folder.

Pentest Simulation

1. Open the idea → Security tab

   A source path must be set before the Security tab is active.

2. Click "Run Pentest"

   The AI scans your project files for common vulnerability classes.

3. Review findings

   Each finding includes severity level, CWE reference, affected file and line number, and a concrete recommendation.

Vulnerability classes scanned:

  • OWASP Top 10 (injection, broken auth, sensitive data exposure, etc.)
  • Injection vulnerabilities (SQL, command, LDAP)
  • Authentication and session management issues
  • Exposed secrets and hardcoded credentials
  • Insecure direct object references
  • Security misconfiguration

Compliance Check

Run a gap analysis against common security standards. The compliance check reviews your codebase and configuration against:

  • OWASP ASVS — Application Security Verification Standard, Level 1 and Level 2
  • GDPR basics — data handling, consent, storage, and deletion requirements
  • API security best practices — rate limiting, authentication, input validation, CORS

Results are grouped by standard and show which controls pass, which fail, and what action is needed to close each gap.

Auto-Fix

For supported finding types, an Auto-fix button appears alongside the finding. Clicking it hands the finding to the Coder Agent, which generates a patch.

  • Review the diff before approving — same approve/reject flow as the Coder Agent
  • Auto-fix is available for common patterns: SQL injection, hardcoded secrets, missing input validation, etc.
  • Complex architectural issues may not have an auto-fix — you'll see guidance instead
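To make the finding format from step 3 and the Auto-fix flow concrete, here is an added illustration (not the Security Scanner's own implementation, whose rules and report format are not described on this page). It runs two constructed detection rules over constructed sample files, emits findings with the fields the page lists (severity, CWE, file, line, recommendation), and shows a string-concatenated SQL lookup beside its parameterized fix, the kind of patch the Auto-fix flow would hand to the Coder Agent for review. The rule patterns, file contents, and the `sk_live_EXAMPLE_PLACEHOLDER` value are all made up for the example.

```python
import re
import sqlite3
from dataclasses import dataclass

# One finding, carrying the fields the Security Scanner report lists per finding.
@dataclass
class Finding:
    severity: str
    cwe: str
    file: str
    line: int
    message: str
    recommendation: str

# Constructed sample project files standing in for a real codebase (not real code).
SAMPLE_FILES = {
    "app/db.py": (
        "import sqlite3\n"
        "def get_user(conn, username):\n"
        "    query = \"SELECT * FROM users WHERE name = '\" + username + \"'\"\n"
        "    return conn.execute(query).fetchone()\n"
    ),
    "app/config.py": (
        "API_KEY = \"sk_live_EXAMPLE_PLACEHOLDER\"\n"  # placeholder, not a real key
        "TIMEOUT = 30\n"
    ),
}

# Illustrative detection rules (assumed for this example): pattern, severity, CWE,
# message, recommendation. Severities follow the page's severity table.
RULES = [
    (re.compile(r'(SELECT|INSERT|UPDATE|DELETE)\b.*["\']\s*\+\s*\w+', re.I),
     "Critical", "CWE-89", "SQL statement built by string concatenation",
     "Use a parameterized query"),
    (re.compile(r'(?i)(api_key|secret|password)\s*=\s*["\'][^"\']+["\']'),
     "High", "CWE-798", "Hardcoded credential",
     "Load the value from the environment or a secret store"),
]

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def scan(files):
    """Run every rule over every line of every file; return findings, most severe first."""
    findings = []
    for path, src in files.items():
        for lineno, text in enumerate(src.splitlines(), start=1):
            for pattern, sev, cwe, msg, rec in RULES:
                if pattern.search(text):
                    findings.append(Finding(sev, cwe, path, lineno, msg, rec))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])

# The "before" of an SQL-injection auto-fix: user input is spliced into the statement,
# so a quote in the input is parsed as SQL rather than treated as data.
def get_user_vulnerable(conn, username):
    query = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()

# The "after": the driver binds the value separately, so the input is never parsed as SQL.
def get_user_fixed(conn, username):
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (username,)
    ).fetchall()

def demo_db():
    """In-memory table with constructed rows, one containing an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("O'Brien",)])
    return conn

def compare_lookups(username):
    """Return (vulnerable_result, fixed_result); the vulnerable result is an error
    string when the concatenated statement fails to parse."""
    conn = demo_db()
    try:
        vulnerable = get_user_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        vulnerable = f"error: {exc}"
    fixed = get_user_fixed(conn, username)
    return vulnerable, fixed

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"[{f.severity}] {f.cwe} {f.file}:{f.line} {f.message} -> {f.recommendation}")
    print(compare_lookups("alice"))
    print(compare_lookups("O'Brien"))
```

The apostrophe case is the point of the side-by-side: the concatenated query breaks on ordinary data, which is the same parsing confusion an attacker exploits, while the parameterized version returns the row. A real scanner's rules are far richer than two regular expressions, but the report shape and the review-the-diff-before-approving step are the same.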

Finding severities

Severity | Meaning | Action
Critical | Directly exploitable in its current state | Fix immediately — before any public exposure
High | Significant risk, likely exploitable with moderate effort | Fix before launch
Medium | Real risk but requires specific conditions to exploit | Fix in your next sprint
Low | Best-practice improvement, low exploit risk | Address when convenient

AI limitations: The Security Scanner is a powerful first pass, but it is not a substitute for a professional security audit for high-stakes applications. Use it to catch common issues quickly — then get a human review before handling sensitive user data or payments.