the toolbox

Tools the duck runs.

A short list on purpose. Each entry does one job well, sets up in minutes, and gets an honest verdict. No affiliate links, no sponsored placements, ever.

Gitleaks

secrets · setup ~5 min

free

Scans your repo and its entire git history for leaked keys in about a second.

any repo

duck verdict: Free, fast, and it reads your git history like a diary. Install it before your first commit, not after your first leak.

TruffleHog

secrets · setup ~10 min

freemium

Finds secrets across repos, buckets, and images, then checks if they still work.

any repoS3Docker images

duck verdict: It verifies whether the leaked key is live. Nothing motivates a rotation like the word active.

dotenvx

secrets · setup ~10 min

free

Encrypts your .env files so committing one stops being a career event.

Node.jsany runtime

duck verdict: An encrypted env file you can commit on purpose. My paranoia had to sit with that one for a while. It passes.

Doppler

secrets · setup ~15 min

freemium

One dashboard for all your secrets, synced to every environment automatically.

Vercelany runtimeCI

duck verdict: Very polished. Free tier covers a solo builder fine; the moment you add teammates, bring your wallet.

npm audit

dependencies · setup ~1 min

free

The vulnerability check already installed on your machine right now.

Node.js

duck verdict: Noisy, blunt, and already on your laptop. Zero excuse. Run it, then argue with the results.

Socket

dependencies · setup ~10 min

freemium

Catches malicious packages by behavior, like install scripts that phone home, not just known CVEs.

npmGitHub

duck verdict: It flags the package that suddenly grew network access in a patch release. That is exactly the paranoia I pay for. Well, freemium.

Snyk

dependencies · setup ~15 min

freemium

Scans dependencies and code, then opens the fix PR for you.

npmGitHubDocker

duck verdict: Enterprise plumage, decent free tier. Let it open the fix PRs while you take the credit.

Dependabot

dependencies · setup ~5 min

free

GitHub's built in robot that opens patch PRs the day a vulnerability drops.

GitHub

duck verdict: Free, built in, never sleeps. Turning this off is a choice, and I am watching you make it.

Semgrep

code scan · setup ~15 min

freemium

Pattern based code scanner that catches injection, missing auth, and bad crypto before merge.

TypeScriptPythonmost languages

duck verdict: The community rules catch the classics your AI keeps writing. Free where it counts. I nod.

CodeQL

code scan · setup ~30 min

free

GitHub's deep semantic scanner, free on public repos, finds bug classes not just patterns.

GitHubpublic repos

duck verdict: The deep one. Slower to set up, but it follows data through your code like I follow a suspicious commit.

eslint-plugin-security

code scan · setup ~5 min

free

Security rules inside the linter you already run on every save.

JavaScriptTypeScript

duck verdict: Not fancy, occasionally loud, but it lives where your eyes already are. Cheap paranoia is good paranoia.

Supabase Security Advisor

database · setup ~1 min

free

Built into your dashboard, flags tables missing RLS and policies with holes.

Supabase

duck verdict: It is already in your dashboard, pointing at the unprotected table. It has been pointing for weeks. Go look.

pgTAP

database · setup ~30 min

free

Unit tests for your database, including tests that prove your RLS policies actually deny.

PostgresSupabase

duck verdict: A test that proves user A cannot read user B. Frame it. That is the only compliance report I respect.

Clerk

auth · setup ~30 min

freemium

Drop in auth with prebuilt components, MFA, and session handling done for you.

Next.jsReact

duck verdict: You get real auth in an afternoon and I stop finding hand rolled JWT code in your repo. Everyone wins, especially me.

Auth.js

auth · setup ~45 min

free

The open source standard for OAuth sign in, free and self hosted.

Next.jsSvelteKit

duck verdict: Free and yours forever, but you own the config. Read the session callback docs twice; that is where the mistakes nest.

Supabase Auth

auth · setup ~30 min

freemium

Auth that plugs straight into your database and powers RLS policies with auth.uid().

SupabaseNext.js

duck verdict: Identity and row policies from the same brain, so the database enforces what the app promises. That symmetry helps me sleep. Nothing helps me sleep.

Better Auth

auth · setup ~45 min

free

TypeScript first auth framework you own end to end, plugins for MFA and organizations.

TypeScriptNext.js

duck verdict: The new kid the TypeScript crowd keeps praising. Owning your auth table is power. Power comes with a pager.

Sentry

monitoring · setup ~15 min

freemium

Error tracking that tells you something broke before a user tweets it.

Next.jsmost stacks

duck verdict: The free tier is plenty for a vibe coded app. Set it up the same day you deploy, not the day after the incident.

UptimeRobot

monitoring · setup ~5 min

freemium

Pings your site every five minutes and yells the moment it goes dark.

any URL

duck verdict: It does one thing. It has done that one thing since before your framework existed. Respect.

Have I Been Pwned

monitoring · setup ~2 min

free

Tells you which breaches already include your accounts, with an API for checking user passwords.

your emailyour users

duck verdict: Check your own email first. Everyone does. Everyone makes the same face afterward.

Canarytokens

monitoring · setup ~10 min

free

Fake credentials that silently alert you the moment someone touches them.

any project

duck verdict: A fake AWS key sitting in your repo as a tripwire. Delicious. The gremlin grabs it, the alarm sings, I eat popcorn.

Claude Code Security Review

ai tooling · setup ~15 min

free

An AI security reviewer for your PRs that reasons about your actual diff, not just patterns.

GitHub ActionsClaude Code

duck verdict: An AI reviewing the AI's code. It works better than it has any right to. I still read the diff myself, because I am me.

mcp-scan

ai tooling · setup ~10 min

free

Scans your MCP servers for prompt injection traps and tool poisoning before your agent trusts them.

MCP serversClaude CodeCursor

duck verdict: You gave twelve strangers' MCP servers access to your agent and asked me why I look like this. Scan them.

AGENTS.md

ai tooling · setup ~15 min

free

One standard file of standing orders that every AI coding agent reads before touching your repo.

Claude CodeCursorCodex

duck verdict: Write the security rules once and every agent session inherits them. Discipline you configure is discipline you keep.

Cursor Rules

ai tooling · setup ~10 min

free

Project rules that make Cursor validate input, check auth, and keep secrets server side by default.

Cursor

duck verdict: The difference between telling your AI to be careful and raising it to be careful. Raise it.