the toolbox
Tools the duck runs.
A short list on purpose. Each entry does one job well, sets up in minutes, and gets an honest verdict. No affiliate links, no sponsored placements, ever.
secrets · setup ~5 min
Scans your repo and its entire git history for leaked keys in about a second.
duck verdict: Free, fast, and it reads your git history like a diary. Install it before your first commit, not after your first leak.
secrets · setup ~10 min
Finds secrets across repos, buckets, and images, then checks if they still work.
duck verdict: It verifies whether the leaked key is live. Nothing motivates a rotation like the word active.
secrets · setup ~10 min
Encrypts your .env files so committing one stops being a career event.
duck verdict: An encrypted env file you can commit on purpose. My paranoia had to sit with that one for a while. It passes.
secrets · setup ~15 min
One dashboard for all your secrets, synced to every environment automatically.
duck verdict: Very polished. Free tier covers a solo builder fine; the moment you add teammates, bring your wallet.
dependencies · setup ~1 min
The vulnerability check already installed on your machine right now.
duck verdict: Noisy, blunt, and already on your laptop. Zero excuse. Run it, then argue with the results.
dependencies · setup ~10 min
Catches malicious packages by behavior, like install scripts that phone home, not just known CVEs.
duck verdict: It flags the package that suddenly grew network access in a patch release. That is exactly the paranoia I pay for. Well, freemium.
dependencies · setup ~15 min
Scans dependencies and code, then opens the fix PR for you.
duck verdict: Enterprise plumage, decent free tier. Let it open the fix PRs while you take the credit.
dependencies · setup ~5 min
GitHub's built in robot that opens patch PRs the day a vulnerability drops.
duck verdict: Free, built in, never sleeps. Turning this off is a choice, and I am watching you make it.
code scan · setup ~15 min
Pattern based code scanner that catches injection, missing auth, and bad crypto before merge.
duck verdict: The community rules catch the classics your AI keeps writing. Free where it counts. I nod.
code scan · setup ~30 min
GitHub's deep semantic scanner, free on public repos, finds bug classes not just patterns.
duck verdict: The deep one. Slower to set up, but it follows data through your code like I follow a suspicious commit.
code scan · setup ~5 min
Security rules inside the linter you already run on every save.
duck verdict: Not fancy, occasionally loud, but it lives where your eyes already are. Cheap paranoia is good paranoia.
database · setup ~1 min
Built into your dashboard, flags tables missing RLS and policies with holes.
duck verdict: It is already in your dashboard, pointing at the unprotected table. It has been pointing for weeks. Go look.
database · setup ~30 min
Unit tests for your database, including tests that prove your RLS policies actually deny.
duck verdict: A test that proves user A cannot read user B. Frame it. That is the only compliance report I respect.
auth · setup ~30 min
Drop in auth with prebuilt components, MFA, and session handling done for you.
duck verdict: You get real auth in an afternoon and I stop finding hand rolled JWT code in your repo. Everyone wins, especially me.
auth · setup ~45 min
The open source standard for OAuth sign in, free and self hosted.
duck verdict: Free and yours forever, but you own the config. Read the session callback docs twice; that is where the mistakes nest.
auth · setup ~30 min
Auth that plugs straight into your database and powers RLS policies with auth.uid().
duck verdict: Identity and row policies from the same brain, so the database enforces what the app promises. That symmetry helps me sleep. Nothing helps me sleep.
auth · setup ~45 min
TypeScript first auth framework you own end to end, plugins for MFA and organizations.
duck verdict: The new kid the TypeScript crowd keeps praising. Owning your auth table is power. Power comes with a pager.
monitoring · setup ~15 min
Error tracking that tells you something broke before a user tweets it.
duck verdict: The free tier is plenty for a vibe coded app. Set it up the same day you deploy, not the day after the incident.
monitoring · setup ~5 min
Pings your site every five minutes and yells the moment it goes dark.
duck verdict: It does one thing. It has done that one thing since before your framework existed. Respect.
monitoring · setup ~2 min
Tells you which breaches already include your accounts, with an API for checking user passwords.
duck verdict: Check your own email first. Everyone does. Everyone makes the same face afterward.
monitoring · setup ~10 min
Fake credentials that silently alert you the moment someone touches them.
duck verdict: A fake AWS key sitting in your repo as a tripwire. Delicious. The gremlin grabs it, the alarm sings, I eat popcorn.
ai tooling · setup ~15 min
An AI security reviewer for your PRs that reasons about your actual diff, not just patterns.
duck verdict: An AI reviewing the AI's code. It works better than it has any right to. I still read the diff myself, because I am me.
ai tooling · setup ~10 min
Scans your MCP servers for prompt injection traps and tool poisoning before your agent trusts them.
duck verdict: You gave twelve strangers' MCP servers access to your agent and asked me why I look like this. Scan them.
ai tooling · setup ~15 min
One standard file of standing orders that every AI coding agent reads before touching your repo.
duck verdict: Write the security rules once and every agent session inherits them. Discipline you configure is discipline you keep.
ai tooling · setup ~10 min
Project rules that make Cursor validate input, check auth, and keep secrets server side by default.
duck verdict: The difference between telling your AI to be careful and raising it to be careful. Raise it.