
the scanner
Point the duck at your app.
Paste a repo or a URL. The duck reads it like an attacker would: exposed keys, vulnerable dependencies, unguarded routes, leaky headers. You get a report card and a fix list in seconds.
Scanning public repos. Want private? Connect GitHub.
free · results in seconds · shareable report
Exposed secrets
API keys, service role tokens, private keys committed anywhere in the tree or shipped in your JS bundle.
Vulnerable dependencies
Every package checked against the open vulnerability database, with the fix version.
Unguarded routes
API handlers and server actions that never check who is calling them.
Config and headers
Public env leaks, missing row level security signals, weak security headers, exposed source maps.
Want to understand a finding? Every one links to a playbook with the full fix.