security for people who ship with ai
You build with Cursor, Claude Code, Copilot, Bolt. Your AI writes the happy path. Attackers live in the sad path. The duck lives there too, and he is on your side.
free · paste a repo or a url · results in seconds
15
lessons distilled from real incidents
10
sources watched around the clock
29
checks in the security checklist
the scanner
Paste a GitHub repo or a URL. In seconds you get a real report card: exposed keys, vulnerable dependencies, unguarded routes, leaky headers. Every finding links to the fix.
$ duck scan github.com/you/your-app
▲ critical · supabase service key shipped to the browser
▲ high · 2 API routes with no auth check
▲ high · lodash@4.17.11 has known vulnerabilities
▲ med · missing content security policy
score: 41 / 100 · grade D
verdict: fixable. the duck made you a list. ▌
the cast

paranoid · correct · on your side
A security expert you explain your code to. He assumes the worst, checks the receipts, and hands you the fix. He has seen what happens to unguarded .env files. He does not sleep.

chaotic · gleeful · already scanning you
He feeds on vibe coded apps. Exposed keys make him giggle. Open databases make him dance. He is not sophisticated. He does not need to be. Someone always leaves the door open.
actual footage: the gremlin finding an exposed .env file · caught on radar
the vibe check
Answer like nobody is watching, because nobody is: nothing leaves your browser. The duck reacts to every answer, scores your app, and hands you a fix list sorted by what the gremlin would try first.
Start the scan →the duck, mid audit · verdicts are final
playbooks
Run this once before you share the link. It catches the mistakes that make the news.
open playbook →
Your API keys never meet the browser, never meet git, and get rotated the moment they slip.
open playbook →
Row level security on every table, tested from the outside, so your anon key can shrug off strangers.
open playbook →
Every route and server action verifies the caller itself, because client side checks are decoration.
open playbook →
the toolbox
Scans your repo and its entire git history for leaked keys in about a second.
Encrypts your .env files so committing one stops being a career event.
The vulnerability check already installed on your machine right now.
GitHub's built in robot that opens patch PRs the day a vulnerability drops.
GitHub's deep semantic scanner, free on public repos, finds bug classes not just patterns.
Security rules inside the linter you already run on every save.
threat radar
Real incidents, advisories and research, distilled into the one lesson each of them teaches. Every entry links to the receipt.
Open the radarAI assisted commits are leaking secrets at twice the rate
Keep keys out of code with a secrets manager, and run a secret scanner before every commit.
Nearly half of AI written code failed security tests
Scan AI written code before you ship it, and never assume it is safe just because it runs.
Phished maintainer pushed crypto stealing code into chalk and debug
Distrust urgent account emails, and lock releases to known versions so a short compromise upstream never reaches you.
A self spreading worm infected hundreds of npm packages
Pin dependencies to known good versions and rotate npm tokens, so a poisoned release cannot silently reach your build.

Every week: the incidents that mattered, the lesson each one teaches, and one fix you can ship in under 10 minutes. Free forever.