Bundle scan
Scan your JS bundle for secrets
Checks your live app's HTML source and first JavaScript bundle for API keys, tokens, and credentials that should never ship to the browser.
Secrets in the client bundle are the single most common critical vulnerability in AI-built apps. This scanner fetches your live URL, extracts inline scripts and the first external JS bundle, then runs pattern matching against Stripe live keys (sk_live_), AWS access keys (AKIA...), OpenAI keys (sk-[48 chars]), bearer tokens, and hardcoded passwords. Any match is a critical finding.
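The scan described above, as an added example that is not the scanner's own code: it pulls the inline scripts and the first external script URL out of the HTML, then applies one regex per secret type and reports redacted matches. The regexes, the `loadBundle` callback and the sample page are assumptions constructed for this example; the AWS value is the placeholder key ID used in AWS documentation.

```javascript
// Added example. Regexes are assumptions derived from the prefixes named above.
const PATTERNS = [
  { type: "stripe_live_key", re: /\bsk_live_[0-9A-Za-z]{24,}/g },
  { type: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: "openai_key", re: /\bsk-[A-Za-z0-9]{48}\b/g },
  { type: "bearer_token", re: /\bBearer\s+[A-Za-z0-9._~+\/-]{20,}=*/g },
  { type: "hardcoded_password", re: /\bpassword["']?\s*[:=]\s*["'][^"'\s]{4,}["']/gi },
];

// Split HTML into inline script bodies and the first external script URL.
function extractScripts(html) {
  const inline = [];
  let firstExternal = null;
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) firstExternal = firstExternal ?? src[1];
    else if (m[2].trim()) inline.push(m[2]);
  }
  return { inline, firstExternal };
}

// Report only a short prefix and the length, so the report does not leak the secret.
const redact = (s) => `${s.slice(0, 4)}...(${s.length} chars)`;

function scanText(text, source) {
  return PATTERNS.flatMap(({ type, re }) =>
    [...text.matchAll(re)].map((m) => ({ source, type, severity: "critical", match: redact(m[0]) })));
}

// loadBundle is a hypothetical callback that returns the JS text for a URL.
function scanPage(html, loadBundle) {
  const { inline, firstExternal } = extractScripts(html);
  const findings = inline.flatMap((js, i) => scanText(js, `inline#${i}`));
  if (firstExternal) findings.push(...scanText(loadBundle(firstExternal) ?? "", firstExternal));
  return findings;
}

// Constructed sample page and bundles; every key below is a dummy value.
const SAMPLE_HTML = `<html><head>
<script>window.CFG={stripe:"${"sk_live_" + "0".repeat(24)}",password: "hunter2-example"};</script>
<script src="/static/main.js"></script>
<script src="/static/vendor.js"></script>
</head></html>`;
const SAMPLE_BUNDLES = {
  "/static/main.js": `const k="AKIAIOSFODNN7EXAMPLE",o="${"sk-" + "A".repeat(48)}";`,
  "/static/vendor.js": `h.Authorization="Bearer ${"x".repeat(32)}";`,
};

console.log(scanPage(SAMPLE_HTML, (url) => SAMPLE_BUNDLES[url]));
```

The bearer token in the second bundle is not reported because only the first external bundle is in scope, so a clean result does not cover code-split chunks loaded later.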