SAST · STATIC ANALYSIS · MULTI-LANGUAGE

Find bugs in your code before deployment.

Upload a source-code ZIP or paste a public GitHub URL. We run Semgrep (5000+ rules) and Bandit (Python) to find SQLi, XSS, IDOR, hardcoded secrets, race conditions, deserialization bugs, deprecated APIs and hundreds more. No code execution: the scan is pure AST analysis. Your files are deleted right after the scan.

Start free audit Read docs
Free · No credit card · 30+ languages · 5000+ rules
Semgrep
Multi-language · 5000+ rules · Apache-2.0
Industry-standard SAST engine with rules for the OWASP Top 10, CWE categories, language idioms and security best practices. Auto-detects the language and applies the relevant rule sets.

Bandit
Python-specific · PyCQA · Apache-2.0
Python-focused security linter from PyCQA. Catches dangerous patterns such as eval(), pickle, weak crypto, hardcoded passwords, subprocess calls with shell=True and unsafe yaml.load().
What we detect

SQL Injection (CWE-89): tainted query construction, raw SQL concatenated with user input.
XSS (CWE-79): unescaped HTML output, innerHTML assigned from user data, missing CSP.
Command Injection (CWE-78): os.system, subprocess with shell=True, or exec reached by user input.
Path Traversal (CWE-22): "../" in user input reaching open() or other file operations.
Hardcoded Secrets (CWE-798): API keys, passwords, tokens and private keys baked into source.
Insecure Deserialization (CWE-502): pickle.loads, yaml.load without SafeLoader, eval on JSON strings.
Weak Crypto (CWE-327): MD5/SHA-1 for password hashing, ECB mode, undersized keys.
SSRF (CWE-918): user-supplied URLs reaching a server-side fetch without an allowlist.
XXE (CWE-611): XML parsers with external entity expansion enabled.
Race Conditions (CWE-362): TOCTOU sequences, missing locks around shared state.
Insecure Random (CWE-330): random.random() used for security tokens instead of the secrets module.
Open Redirect (CWE-601): redirect to a user-supplied URL without an allowlist.
How it works

STEP 01 · Upload or link: drop a ZIP file (≤100 MB) or paste a public GitHub, GitLab or Bitbucket URL.
STEP 02 · Auto language detection: we walk the source tree, detect Python, JavaScript, Go, Java, Ruby and others, and select the matching rule sets.
STEP 03 · Two engines in parallel: Semgrep runs on every supported language; Bandit additionally runs on the Python files for extra coverage.
STEP 04 · Findings with CWE and remediation: each finding carries a severity, file:line, a code snippet, a CWE ID and a fix recommendation.
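The patterns in the list above can be matched on the syntax tree without ever running the code, which is what "pure AST analysis" means in practice. The script below is an added illustration, not the service's engine and far smaller than Semgrep or Bandit: it uses Python's standard ast module to flag a handful of the Bandit-style patterns (pickle, yaml.load without SafeLoader, eval/exec, shell=True, MD5/SHA-1, random for tokens) and emits findings with the fields described in step 04: severity, file:line, snippet, CWE ID and a fix hint. The scanned handler is a constructed sample, and the rule table, severities and fix texts are this example's own choices.

```python
"""Toy AST-based detector for a few of the Python patterns listed above.

Added illustration only; not the service's engine. It parses source with
the ast module and never imports or executes the scanned code.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    file: str
    line: int
    severity: str
    cwe: str
    message: str
    fix: str
    snippet: str


def _callee(node: ast.Call) -> str:
    """Dotted name of the called function: 'yaml.load', 'pickle.loads', 'eval'."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _kwarg(node: ast.Call, name: str):
    """Value node of keyword argument `name`, or None if absent."""
    return next((kw.value for kw in node.keywords if kw.arg == name), None)


def _is_safe_loader(node: ast.Call) -> bool:
    """True if yaml.load received Loader=yaml.SafeLoader (keyword or 2nd positional)."""
    loader = _kwarg(node, "Loader") or (node.args[1] if len(node.args) > 1 else None)
    return isinstance(loader, ast.Attribute) and loader.attr in ("SafeLoader", "CSafeLoader")


SHELL_WRAPPERS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                  "subprocess.check_output", "subprocess.check_call"}
WEAK_RANDOM = {"random.random", "random.randint", "random.choice", "random.getrandbits"}


def _rule(node: ast.Call):
    """Map one call to (severity, cwe, message, fix), or None if it looks benign."""
    name = _callee(node)
    if name in ("pickle.loads", "pickle.load"):
        return ("HIGH", "CWE-502", f"{name} deserializes untrusted bytes into arbitrary objects",
                "Use json or another data-only format with schema validation")
    if name == "yaml.load" and not _is_safe_loader(node):
        return ("HIGH", "CWE-502", "yaml.load without SafeLoader can instantiate arbitrary Python objects",
                "Call yaml.safe_load() or pass Loader=yaml.SafeLoader")
    if name in ("eval", "exec"):
        return ("HIGH", "CWE-95", f"{name}() on attacker-influenced text executes it as code",
                "Use ast.literal_eval or json.loads for data; never eval input")
    shell = _kwarg(node, "shell")
    if name == "os.system" or (name in SHELL_WRAPPERS
                               and isinstance(shell, ast.Constant) and shell.value is True):
        return ("HIGH", "CWE-78", f"{name} runs a shell string, so user input becomes shell syntax",
                "Pass an argument list with shell=False and validate each argument")
    if name in ("hashlib.md5", "hashlib.sha1"):
        return ("MEDIUM", "CWE-327", f"{name} is unsuitable for password hashing or signatures",
                "Use sha256 for integrity, or a password KDF (scrypt/argon2) for passwords")
    if name in WEAK_RANDOM:
        return ("MEDIUM", "CWE-330", f"{name} is a PRNG, not a CSPRNG; tokens built from it are guessable",
                "Use secrets.token_hex() or secrets.token_urlsafe()")
    return None


def scan_source(path: str, source: str) -> list[Finding]:
    """Parse (never execute) `source` and return findings ordered by line."""
    tree = ast.parse(source, filename=path)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and (hit := _rule(node)):
            severity, cwe, message, fix = hit
            findings.append(Finding(path, node.lineno, severity, cwe, message, fix,
                                    lines[node.lineno - 1].strip()))
    return sorted(findings, key=lambda f: f.line)


def format_finding(f: Finding) -> str:
    """Render one finding the way step 04 describes: location, severity, CWE, snippet, fix."""
    return f"{f.file}:{f.line} [{f.severity}] {f.cwe}: {f.message}\n    {f.snippet}\n    Fix: {f.fix}"


# Constructed sample input: a hypothetical request handler, not real project code.
SAMPLE_SOURCE = '''\
import hashlib, pickle, random, subprocess, yaml

def handler(request):
    cfg = yaml.load(request.body)                           # CWE-502
    obj = pickle.loads(request.body)                        # CWE-502
    subprocess.run("ls " + request.args["d"], shell=True)   # CWE-78
    token = str(random.random())                            # CWE-330
    digest = hashlib.md5(request.form["pw"].encode())       # CWE-327
    safe_cfg = yaml.load(request.body, Loader=yaml.SafeLoader)  # fine
    listed = subprocess.run(["ls", request.args["d"]])      # fine: no shell
    return cfg, obj, token, digest, safe_cfg, listed
'''

if __name__ == "__main__":
    for finding in scan_source("app.py", SAMPLE_SOURCE):
        print(format_finding(finding))
```

Running the script reports five findings on lines 4 to 8 of the sample and stays silent on the two safe calls, which shows the limits of purely syntactic matching: the SafeLoader check only recognises the literal `yaml.SafeLoader` attribute, and a `shell` flag computed at runtime would be missed. Real engines add data-flow (taint) tracking on top of such patterns.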
Supported languages
Python JavaScript TypeScript Go Java Ruby PHP C/C++ C# Kotlin Swift Rust Scala React Terraform Dockerfile YAML SQL

Audit your code now — free.

Most full scans complete in under 60 seconds. Sign in with email or GitHub, drop your ZIP and get a report.

Start free →