Security assessment for AI-built software

Your AI wrote the app.
Scout checks its work.

Upload your code or connect your repo. Scout runs it through a sandboxed battery of real security scanners, then an AI triage pipeline kills the false positives and hands you a short list of what's actually wrong — each with a copy-paste fix, an honest A-to-F grade, and the option to let Scout rewrite the broken code for you and re-scan to prove it.

No subscription. Pay per scan: Free / $1 / $10 / $100. Findings in minutes — and fixes that re-scan clean.

Critical Row Level Security disabled on profiles SCT-0042
High Supabase service_role key in client bundle SCT-0043
High Firestore rules allow read, write: if true SCT-0051
Medium 3 dependencies with known CVEs SCT-0068

The problem

AI writes code fast. It ships the same bugs fast, too.

~70%

of audited Lovable apps shipped with Supabase Row Level Security disabled — the CVE-2025-48757 class.

1 paste

is all it takes to leak an API key. Client-side secrets are the single most common critical finding.

hallucinated

dependencies are a real supply-chain vector — AI imports packages that don't exist until someone malicious registers them.

What goes wrong

AI tools are extraordinary at making things work and indifferent to making them safe. They'll wire your database to the internet with auth off, embed secrets in the client bundle, and pull a dependency that was deprecated for an RCE two years ago — and the app runs perfectly. You can't see these by using your app. Neither can your users. Attackers can.

What Scout does

Runs your code through the same open-source scanners professional AppSec teams use — Semgrep, gitleaks, Trivy, and more — inside an isolated sandbox. Then an AI triage pipeline does the part that eats a security team's week: it strips the duplicates and false positives, verifies what's left, and rewrites every real finding in plain English with a concrete fix — ranked from the account-takeover you fix right now to the hardening that can wait. Nothing that matters is dropped; it's just finally digestible.

Scope

Scout is an assessment tool, not an attack tool. Static analysis runs on code you upload. Live testing runs only against apps you've verified you own. No exploitation, ever.

How it works

Upload. Scan. Fix.

STEP 01

Point Scout at your code

Drop a zip, paste a repo URL, or connect GitHub read-only. Scout auto-detects your stack and picks the right scanners. No config, no CI setup, no agent to install.

↳ read-only access · nothing is executed at this stage
STEP 02

It scans in a sealed sandbox

Your code runs through industry-standard scanners inside an isolated gVisor sandbox with no outbound network. Static, secret, dependency, and config checks — plus live probing of your deployed app on the top tier, once you verify ownership.

↳ semgrep · gitleaks · trivy · checkov · mobsf — plus Scout's own AI-agent probes
STEP 03

You get findings worth reading — then fixed

Raw output goes through a triage pipeline that kills false positives, merges duplicates, re-scores for your stack, and writes each finding with a copy-paste fix and an A–F grade. Apply the fixes yourself, or let Scout rewrite the code and re-scan to prove the grade.

↳ every real issue, de-duplicated and ranked — criticals first, hygiene last · then one click to fix
The report

Every finding earns its place.

Scanners are noisy — that's why most people ignore them. Every Scout finding survived deduplication, false-positive review, and severity re-scoring before you see it, written so you can fix it without a security background.

Critical Supabase Row Level Security is disabled on the profiles table SCT-0042
What this means

Your database will hand any logged-in user — or here, anyone with your public anon key, which is visible in your JavaScript — every row in profiles: emails, names, everything. This is the same misconfiguration behind the 2025 mass Lovable exposures.

Evidence
supabase/migrations/0002_create_profiles.sql:14 — table created, no RLS policy defined dist/assets/index-a4f1.js:1 — anon key present in shipped bundle
The fix
alter table profiles enable row level security; create policy "own profile" on profiles for select using ( auth.uid() = id );
Confidence: verified· Found by: semgrep + Scout config probe· Est. fix time: 10 min
1

Plain English, not CVE-speak

Written for the person who built the app, not for a security team.

2

Proof, not vibes

Exact file and line for every claim — so you can verify it, not just trust it.

3

Paste it into Cursor

The fix is a copy button. Apply it, re-scan, watch it turn green.

4

We name the tool

You always know which scanner found it, so nothing is a black box.

Browse a full sample report →
Auto-fix

Finding it is half the job. Scout fixes it — and proves it.

A report you can't act on is just anxiety. After any scan, Scout copies your codebase, rewrites every broken section itself, and re-scans the result to prove the grade actually moved — before you ever see it. You never get a fix that leaves the vulnerability behind.

BeforeF
LiftLedger — FastAPI workout tracker
7 findings — 1 critical, 1 high, 1 medium, 4 low/info
IDOR on every workout route · stored XSS → token theft · fail-open JWT secret
Scout
Auto-Fix
rewrite
+ re-scan
After · best-effort passB
Every real vulnerability closed
Critical, high & medium all gone — the IDOR, stored XSS, and fail-open secret eliminated; owner checks added, output escaped, secret fails closed. Only low/info hardening notes remain.
The $10/$100 tiers iterate from here to a guaranteed A. Confirmed by a fresh re-scan — not a promise.
✓ Re-scan verified
01

It works on a copy

Your original repo is never touched. Scout rewrites a copy and hands you a clean version plus a diff of exactly what changed and why.

02

It rewrites the broken code

Every finding's fix is applied for real — owner checks, escaped output, fail-closed secrets, headers, validation — kept behaviour-preserving so the app still works the same.

03

It re-scans to prove the grade

The rewritten copy goes back through a full scan. If it isn't clean yet, Scout fixes again and re-scans. No rewrite ships without passing.

$10 & $100 scans

A-grade guaranteed. The rewrite is included, and Scout keeps fixing and re-scanning until a fresh scan comes back an A. If it genuinely can't reach an A, you don't pay for the fix.

Free & $1 scans

You get the findings and the fixes to apply yourself. Hit fix it and Scout fully rewrites and re-scans your code — so the new grade you see is earned on a real re-scan, not estimated. Unlock that proven rewritten code with credits; best-effort, guaranteed to land you a better grade.

Credits

Unlocking a rewrite costs 1 credit per 10 findings (1–5 credits), so a big messy project costs a little more than a tiny one — and you always see the exact quote before you spend anything. On the $10 and $100 tiers the rewrite is already included, no credits needed.

Pricing

Pay per scan. That's it.

No subscription, no per-seat math, no "contact sales." Every tier — including free — returns real findings. Higher tiers run more scanners, deeper analysis, and, with verified ownership, live testing.

Free$0See what Scout sees
Standard$1/scanThe coffee-money audit
Deep$10Run this before you launch
Audit$100The full workup
Letter grade (A–F) + full findings report
Hardcoded secrets & keys
current files

full history
Client-side / bundle secret exposure
Vulnerable dependencies (CVEs)
critical only

all severities
Supabase RLS & Firebase rules audit
static

+ live confirm
Security headers
Hallucinated / typosquat dependencies
Deep static analysis (Semgrep, full rulesets)
AI triage — plain-English findings & fixestop 3
API authorization / IDOR analysis
Cloud / IaC / Docker config
AI-agent review — prompt injection & tool scope
static
Mobile (MobSF), Electron & desktop
PDF / SARIF export & regression diff
Live web testing (DAST — XSS, SSRF, fuzzing)
gated
Live AI-agent jailbreak & injection red-team
gated
Post-fix grade — earned on a real re-scan, not estimated
Auto-fix — Scout rewrites & re-scans your codecreditscredits
included

included
Fix guaranteebetter gradebetter gradeA guaranteedA guaranteed
Start free Get credits Run Deep Book an Audit
Free shows every finding's count and severity, with full detail and a fix on the three most severe. $1 scans are sold in credit packs — $5 = 5 credits, $10 = 12 credits. Deep and Audit charge per scan. Auto-fix rewrites your code and re-scans to prove the grade. On $10 & $100 it's included and an A is guaranteed. On Free & $1 you unlock the verified rewrite with credits — 1 credit per 10 findings (1–5), best-effort to a better grade. Live testing requires verifying you own the target — a DNS record or a meta tag, about two minutes. We don't scan apps that aren't yours.
Examples

Real scans, real catches.

These aren't mockups. Every tile is an app we actually built and ran through Scout — drag the wall, click any one to open its full report: the grade, every finding, the exact fix. False positives already stripped.

0 apps scanned · drag the wall ◀ drag ▶ · click a tile for its full report
Questions

Straight answers.

Is my uploaded code secure? +
Yes, and it's the part we take most seriously. Your upload goes straight from your browser to isolated, per-customer encrypted storage — our servers never see the payload in transit. Analysis happens inside a sandbox with no outbound network, so your code can't leave and nothing in it can call home. The raw code is deleted within an hour of your scan finishing.
What's the A-to-F grade? +
One letter for the whole app, so you know where you stand at a glance. It's driven by the worst thing Scout can prove: an app with an IDOR, an auth bypass, or exposed private data lands a D or F; a couple of medium issues is a C; only minor or defensive gaps earns a B; genuinely clean is an A. Every scan also tells you the grade your app would earn once the fixes go in.
Does Scout actually fix the code, or just tell me how? +
Both. Every scan explains each issue with a copy-paste fix you can apply yourself. But Scout can also do it for you: it copies your codebase, rewrites the broken sections, and re-scans the result to prove the grade moved before handing it back — so you never get a fix that leaves the hole open. On the $10 and $100 tiers that rewrite is included; on Free and $1 you unlock it with credits (1 credit per 10 findings, 1–5). Either way, the grade we show is the result of that real re-scan — never a guess, so you always know a "B" is a genuine B before you pay.
What if the fix can't reach an A? +
On the $10 and $100 tiers an A is guaranteed — Scout keeps rewriting and re-scanning until a fresh scan comes back clean, and if it genuinely can't get there, you aren't charged for the fix. On Free and $1 the rewrite is best-effort: guaranteed to move you to a better grade (an F to a B, say), and the scan shows the projected grade up front so there are no surprises. A few issues are architectural and honestly need a human — Scout tells you which, rather than pretending.
What data do you keep? +
The report, and nothing else durable. Raw code is deleted within an hour. Reports are kept 7 days on Free and 30 days on paid tiers so you can come back to them — or hit Delete now and everything is gone immediately. We never train any model on your code or your findings.
Is this legal? +
Static analysis of code you give us is always fine — it's reading, not attacking. Live testing (the $100 tier) only runs against a target after you prove you own it, via a DNS record or a file we ask you to host. We never scan something you haven't verified, and we never exploit anything — Scout reports vulnerabilities, it doesn't break in.
Which languages and frameworks? +
Today: JavaScript / TypeScript and Python web apps, with first-class support for the Supabase, Firebase, Next.js, React, Express, and React Native stacks that AI tools reach for. Mobile (iOS/Android), Electron, and more languages are rolling out on the paid tiers.
Do you need my source code? +
For static scans, yes — connect a GitHub repo read-only or upload a zip. For live testing, we test your deployed app from the outside and only need the URL you've verified you own. You can always start with the free static scan and never hand over live access at all.
How is this different from running Semgrep myself? +
You absolutely can run Semgrep yourself — and gitleaks, and Trivy, and MobSF, configure rulesets for each, and then wade through a wall of raw output where the real issues, the duplicates, and the false positives all look the same. That triage is what you're paying Scout for: we run all of them, cut the duplicates and false positives, verify what survives, rank it by real-world impact, and explain each one in plain English with a fix. The scanners are open source. The judgment — and making all of it digestible — is the product.
How Scout protects you

Built to be trusted with code.

Sandboxed by design

Every scan runs in an isolated gVisor sandbox with no network. Your code can't reach the internet, and no scan can reach another customer's.

Delete means delete

Raw code is purged within an hour. One button wipes your report and everything tied to it, on demand.

Never trained on

Your code and your findings never enter a training set. Ever. They're yours.

Assessment, not attack

Scout finds and explains vulnerabilities. It doesn't exploit them, and live testing is gated behind proof you own the target.

Open about our tools

We name every scanner behind every finding. No black box, no made-up "proprietary engine."

Free to start

Find out what your AI shipped.

Sign in with GitHub, point Scout at a repo, and get real findings in minutes. If everything's clean, you'll sleep better. If it isn't — better you than someone else.

Run a free scan

Sign in with GitHub · No subscription, ever · The free tier never needs a card