VibeCheck.

How the scanner works

Short version: it looks, it never touches.

Passive by design

In URL mode we issue plain GET requests for your homepage, your first-party scripts, and a short list of conventional public paths (like /.env or /robots.txt). That's the same thing a browser does when it loads your page. We send no attack payloads, never try to log in or bypass auth, never fuzz, and never use any method other than GET.

Read-only on GitHub

Repo scans use a GitHub App with read-only access to contents and metadata. We read your code and recent commit history to find leaked secrets and misconfigurations. We never write, open issues, or push.

Your data stays yours

Results are private by default. We redact secret values before storing anything — we keep a masked fingerprint, never the live key. A scan only becomes public (and badge-able) when you choose to publish it.
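The redaction described above, as an added illustration that is not VibeCheck's own code: a small scanner over a constructed sample file that records only a masked form and a keyed fingerprint of each credential it finds, never the live value. The assignment pattern, the pepper, and the 4-character mask width are assumptions chosen for this example; the fingerprint is a keyed HMAC so two scans can recognise the same leak without the stored record being reversible to the key.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical rule, constructed for this example (not VibeCheck's rule set):
# an assignment of a long opaque token to a key whose name suggests a credential.
SECRET_ASSIGNMENT = re.compile(
    r"(?P<key>[A-Z0-9_]*(?:SECRET|TOKEN|API_KEY|PASSWORD)[A-Z0-9_]*)"
    r"\s*=\s*['\"]?(?P<value>[A-Za-z0-9_\-]{16,})['\"]?"
)


@dataclass(frozen=True)
class RedactedFinding:
    """What gets stored: key name, masked value, fingerprint, location. No raw secret."""
    key: str
    masked: str
    fingerprint: str
    line_no: int


def mask_value(value: str, keep: int = 4) -> str:
    """Keep the first and last `keep` characters for recognisability; star out the rest."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]


def fingerprint(value: str, pepper: bytes) -> str:
    """Keyed hash of the secret, truncated. The pepper is assumed to live server-side,
    so a stored fingerprint cannot be brute-forced back to the key offline."""
    return hmac.new(pepper, value.encode(), hashlib.sha256).hexdigest()[:16]


def scan_text(text: str, pepper: bytes) -> list[RedactedFinding]:
    """Scan file content line by line and return redacted findings only."""
    findings: list[RedactedFinding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_ASSIGNMENT.finditer(line):
            value = match.group("value")
            findings.append(
                RedactedFinding(
                    key=match.group("key"),
                    masked=mask_value(value),
                    fingerprint=fingerprint(value, pepper),
                    line_no=line_no,
                )
            )
    return findings


# Constructed sample input; these are not real credentials.
SAMPLE_ENV = """\
# constructed sample, not a real file
APP_NAME=demo
API_KEY=abcd1234efgh5678ijkl9012
DB_PASSWORD='s3cretpassw0rdvalue99'
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_ENV, b"example-pepper"):
        print(finding)
```

The stored record for the sample's `API_KEY` line is the masked form `abcd****************9012` plus a 16-hex-digit fingerprint; the raw token never appears in the output.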