The duck, ready to scan

the scanner

Point the duck at your app.

Paste a repo or a URL. The duck reads it like an attacker would: exposed keys, vulnerable dependencies, unguarded routes, leaky headers. You get a report card and a fix list in seconds.

Scanning public repos. Want private? Connect GitHub.

free · results in seconds · shareable report

Exposed secrets

API keys, service role tokens, private keys committed anywhere in the tree or shipped in your JS bundle.

Vulnerable dependencies

Every package checked against the open vulnerability database, with the fix version.

Unguarded routes

API handlers and server actions that never check who is calling them.

Config and headers

Public env leaks, missing row level security signals, weak security headers, exposed source maps.

Want to understand a finding? Every one links to a playbook with the full fix.