Your AI wrote the app.
Scout checks its work.
Upload your code or connect your repo. Scout runs it through a sandboxed battery of real security scanners, then an AI triage pipeline kills the false positives and hands you a short list of what's actually wrong — each with a copy-paste fix, an honest A-to-F grade, and the option to let Scout rewrite the broken code for you and re-scan to prove it.
No subscription. Pay per scan: Free / $1 / $10 / $100. Findings in minutes — and fixes that re-scan clean.
profiles
SCT-0042
AI writes code fast. It ships the same bugs fast, too.
of audited Lovable apps shipped with Supabase Row Level Security disabled — the CVE-2025-48757 class.
is all it takes to leak an API key. Client-side secrets are the single most common critical finding.
dependencies are a real supply-chain vector — AI imports packages that don't exist until someone malicious registers them.
What goes wrong
AI tools are extraordinary at making things work and indifferent to making them safe. They'll wire your database to the internet with auth off, embed secrets in the client bundle, and pull a dependency that was deprecated for an RCE two years ago — and the app runs perfectly. You can't see these by using your app. Neither can your users. Attackers can.
What Scout does
Runs your code through the same open-source scanners professional AppSec teams use — Semgrep, gitleaks, Trivy, and more — inside an isolated sandbox. Then an AI triage pipeline does the part that eats a security team's week: it strips the duplicates and false positives, verifies what's left, and rewrites every real finding in plain English with a concrete fix — ranked from the account-takeover you fix right now to the hardening that can wait. Nothing that matters is dropped; it's just finally digestible.
Scout is an assessment tool, not an attack tool. Static analysis runs on code you upload. Live testing runs only against apps you've verified you own. No exploitation, ever.
Upload. Scan. Fix.
Point Scout at your code
Drop a zip, paste a repo URL, or connect GitHub read-only. Scout auto-detects your stack and picks the right scanners. No config, no CI setup, no agent to install.
It scans in a sealed sandbox
Your code runs through industry-standard scanners inside an isolated gVisor sandbox with no outbound network. Static, secret, dependency, and config checks — plus live probing of your deployed app on the top tier, once you verify ownership.
You get findings worth reading — then fixed
Raw output goes through a triage pipeline that kills false positives, merges duplicates, re-scores for your stack, and writes each finding with a copy-paste fix and an A–F grade. Apply the fixes yourself, or let Scout rewrite the code and re-scan to prove the grade.
Every finding earns its place.
Scanners are noisy — that's why most people ignore them. Every Scout finding survived deduplication, false-positive review, and severity re-scoring before you see it, written so you can fix it without a security background.
profiles table
SCT-0042
Your database will hand any logged-in user — or here, anyone with your public anon key, which is visible in your JavaScript — every row in profiles: emails, names, everything. This is the same misconfiguration behind the 2025 mass Lovable exposures.
Plain English, not CVE-speak
Written for the person who built the app, not for a security team.
Proof, not vibes
Exact file and line for every claim — so you can verify it, not just trust it.
Paste it into Cursor
The fix is a copy button. Apply it, re-scan, watch it turn green.
We name the tool
You always know which scanner found it, so nothing is a black box.
Finding it is half the job. Scout fixes it — and proves it.
A report you can't act on is just anxiety. After any scan, Scout copies your codebase, rewrites every broken section itself, and re-scans the result to prove the grade actually moved — before you ever see it. You never get a fix that leaves the vulnerability behind.
Auto-Fix
+ re-scan
It works on a copy
Your original repo is never touched. Scout rewrites a copy and hands you a clean version plus a diff of exactly what changed and why.
It rewrites the broken code
Every finding's fix is applied for real — owner checks, escaped output, fail-closed secrets, headers, validation — kept behaviour-preserving so the app still works the same.
It re-scans to prove the grade
The rewritten copy goes back through a full scan. If it isn't clean yet, Scout fixes again and re-scans. No rewrite ships without passing.
A-grade guaranteed. The rewrite is included, and Scout keeps fixing and re-scanning until a fresh scan comes back an A. If it genuinely can't reach an A, you don't pay for the fix.
You get the findings and the fixes to apply yourself. Hit fix it and Scout fully rewrites and re-scans your code — so the new grade you see is earned on a real re-scan, not estimated. Unlock that proven rewritten code with credits; best-effort, guaranteed to land you a better grade.
Unlocking a rewrite costs 1 credit per 10 findings (1–5 credits), so a big messy project costs a little more than a tiny one — and you always see the exact quote before you spend anything. On the $10 and $100 tiers the rewrite is already included, no credits needed.
Pay per scan. That's it.
No subscription, no per-seat math, no "contact sales." Every tier — including free — returns real findings. Higher tiers run more scanners, deeper analysis, and, with verified ownership, live testing.
Free$0See what Scout sees |
Standard$1/scanThe coffee-money audit |
Deep$10Run this before you launch |
Audit$100The full workup |
|
|---|---|---|---|---|
| Letter grade (A–F) + full findings report | ✓ | ✓ | ✓ | ✓ |
| Hardcoded secrets & keys | ✓ current files | ✓ full history | ✓ | ✓ |
| Client-side / bundle secret exposure | ✓ | ✓ | ✓ | ✓ |
| Vulnerable dependencies (CVEs) | ✓ critical only | ✓ all severities | ✓ | ✓ |
| Supabase RLS & Firebase rules audit | ✓ static | ✓ | ✓ | ✓ + live confirm |
| Security headers | ✓ | ✓ | ✓ | ✓ |
| Hallucinated / typosquat dependencies | ✗ | ✓ | ✓ | ✓ |
| Deep static analysis (Semgrep, full rulesets) | ✗ | ✓ | ✓ | ✓ |
| AI triage — plain-English findings & fixes | top 3 | ✓ | ✓ | ✓ |
| API authorization / IDOR analysis | ✗ | ✓ | ✓ | ✓ |
| Cloud / IaC / Docker config | ✗ | ✓ | ✓ | ✓ |
| AI-agent review — prompt injection & tool scope | ✗ | ✗ | ✓ static | ✓ |
| Mobile (MobSF), Electron & desktop | ✗ | ✗ | ✓ | ✓ |
| PDF / SARIF export & regression diff | ✗ | ✗ | ✓ | ✓ |
| Live web testing (DAST — XSS, SSRF, fuzzing) | ✗ | ✗ | ✗ | ✓ gated |
| Live AI-agent jailbreak & injection red-team | ✗ | ✗ | ✗ | ✓ gated |
| Post-fix grade — earned on a real re-scan, not estimated | ✓ | ✓ | ✓ | ✓ |
| Auto-fix — Scout rewrites & re-scans your code | credits | credits | ✓ included | ✓ included |
| Fix guarantee | better grade | better grade | A guaranteed | A guaranteed |
| Start free | Get credits | Run Deep | Book an Audit |
Real scans, real catches.
These aren't mockups. Every tile is an app we actually built and ran through Scout — drag the wall, click any one to open its full report: the grade, every finding, the exact fix. False positives already stripped.
Straight answers.
Is my uploaded code secure? +
What's the A-to-F grade? +
Does Scout actually fix the code, or just tell me how? +
1 credit per 10 findings, 1–5). Either way, the grade we show is the result of that real re-scan — never a guess, so you always know a "B" is a genuine B before you pay.What if the fix can't reach an A? +
What data do you keep? +
Is this legal? +
Which languages and frameworks? +
Do you need my source code? +
How is this different from running Semgrep myself? +
Built to be trusted with code.
Sandboxed by design
Every scan runs in an isolated gVisor sandbox with no network. Your code can't reach the internet, and no scan can reach another customer's.
Delete means delete
Raw code is purged within an hour. One button wipes your report and everything tied to it, on demand.
Never trained on
Your code and your findings never enter a training set. Ever. They're yours.
Assessment, not attack
Scout finds and explains vulnerabilities. It doesn't exploit them, and live testing is gated behind proof you own the target.
Open about our tools
We name every scanner behind every finding. No black box, no made-up "proprietary engine."
Find out what your AI shipped.
Sign in with GitHub, point Scout at a repo, and get real findings in minutes. If everything's clean, you'll sleep better. If it isn't — better you than someone else.
Run a free scanSign in with GitHub · No subscription, ever · The free tier never needs a card