Would your app pass a security scan?
Three ways to scan your code. Pick what works for you.
Drag and drop your project files or paste a GitHub URL. No signup needed.
Our scanner runs 206 rules across your entire codebase.
See your security grade, findings, and fix suggestions in plain English.
No credit card. No signup. 5 free scans per day.
Paste code or upload a file — no signup required. Scanned with 30 free rules.
Catch the vulnerabilities that AI coding tools miss — in seconds, not hours.
Purpose-built for AI-generated code. 206 rules across secrets, injection (SQL, XSS, NoSQL, SSRF), auth, crypto, Docker, Kubernetes, CI/CD, IAM, Electron, mobile, and more.
Every vulnerability explained in plain English with copy-paste fix suggestions. No security expertise required.
npx xploitscan scan . — no config, no setup, no account required. Works with any JS/TS/Python project out of the box.
GitHub Action with SARIF output. Findings appear in GitHub Security tab. Block PRs with critical vulnerabilities.
Install once, every pull request gets scanned automatically with a Check Run and inline review comments. No workflow file, no API key, no config.
Every finding mapped to SOC2, ISO 27001, OWASP Top 10, and CWE. Export compliance reports for audits. Enterprise-ready out of the box.
No security jargon. Instead of "IDOR vulnerability via insecure direct object reference", we say "anyone can access other users' data by changing the ID in the URL."
Compliance Ready
XploitScan maps all 206 rules to SOC2 Trust Service Criteria, ISO 27001 Annex A controls, OWASP Top 10, and CWE — so you can see exactly how your code measures up.
Start free. Upgrade when you need more.
No credit card required
npx xploitscan scan .
No free trial
7-day free trial
5 seats included, +$15/seat
Real vulnerabilities, fixes, and post-mortems for AI-generated code.
Semgrep, SonarQube, Snyk, and Checkmarx were built for hand-written enterprise code. Here's why they miss the bugs Cursor, Bolt, and Lovable produce.
April 8, 2026 · 9 min read
A walkthrough of the Stripe webhook vulnerability that AI coding tools ship by default — and the 4 lines of code that fix it.
April 7, 2026 · 7 min read
Hardcoded secrets, SQL injection, unprotected webhooks — what AI coding tools get wrong, with real scan data.
April 5, 2026 · 8 min read
Everything you need to know about XploitScan.
The CLI runs 100% locally — your code never leaves your machine. The web scanner sends files to our API only for the duration of the scan: they're processed in memory, scanned against our rules, and discarded immediately. We never write your source code to disk or a database. We only persist scan metadata (grade, score, finding counts, file paths) — never the file contents themselves.
JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, and 30+ more. We also scan config files: Dockerfile, docker-compose, Terraform, Kubernetes manifests, CI/CD workflows, .env files, and package manifests.
Traditional SAST tools are designed for hand-written enterprise code. They produce hundreds of irrelevant findings and require security expertise to interpret. XploitScan is purpose-built for AI-generated code — our 206 rules target the specific patterns that AI tools produce, and every finding is explained in plain English with a copy-paste fix.
Detection quality is public and measured continuously. Every commit runs against a labeled corpus of 151 fixtures covering 25+ vulnerability classes, and the numbers are live at xploitscan.com/benchmark. Current: 100% precision (zero false positives on the corpus) and 80%+ recall on rules with active test fixtures. We also run Semgrep and Bearer against the same corpus for side-by-side comparison. The corpus, runners, and methodology are open-source at github.com/bgage72590/vibecheck — you can reproduce the scores locally. Tracked-but-not-yet-detected cases are shown openly on the page rather than hidden.
Free plan: 5 scans per day with 30 core security rules. Indie plan ($9/mo): 500 scans per month with all 206 rules and scan history dashboard. Pro plan ($19/mo): unlimited scans with all 206 rules, plus PDF reports, SBOM generation, compliance mapping, webhook integrations, and AI false-positive filter. Team plan ($99/mo): everything in Pro plus 5 team seats, shared scan history, RBAC, and portfolio reports. Annual plans save 40%.
Yes! Use our official GitHub Action to scan on every PR. It outputs SARIF for the GitHub Security tab and can block merges when critical vulnerabilities are found. Run 'npx xploitscan scan . --format sarif' in any CI pipeline.
Most scans complete in under 5 seconds. Large projects (1000+ files) may take up to 30 seconds. The CLI is even faster since it runs locally without network overhead.
Yes — paste a public repo URL in the web scanner, or use the CLI locally for private repos: 'npx xploitscan scan /path/to/repo'. The CLI never uploads your code.
Yes — save 40% with annual billing. Indie is $5/mo ($59/year), Pro is $10/mo ($119/year), and Team is $59/mo ($699/year) when billed annually. You can switch between monthly and annual at any time from Settings → Billing. Changes are prorated immediately.
Yes — the Team plan ($99/mo) includes 5 seats with additional seats at $15/month each. The team owner manages billing, invites members by email, and assigns roles (Owner, Admin, Member, Viewer). Each role has different permissions — for example, Viewers can see reports but cannot run scans. Team members get full Pro features through the owner's subscription — no separate payment needed.
Yes — the referral program is available to Pro and Team subscribers (owners and admins only). Go to Settings → Referral to get your unique referral link. When someone signs up using your link and subscribes to a paid plan, you receive a credit equal to 1 free month of your current plan applied to your next invoice.
No — each account is eligible for one 7-day free trial. If you've previously had a trial or paid subscription (on any plan), new subscriptions will start billing immediately without a trial period. This applies whether you're switching from Pro to Team or vice versa.
Go to Settings → Billing → Manage Subscription. You can cancel, upgrade, or downgrade anytime. Cancellations keep your access until the end of your billing period. Plan changes take effect immediately with prorated billing. No cancellation fees.
Yes — every finding is mapped to SOC2 Trust Service Criteria, ISO 27001 Annex A controls, OWASP Top 10, and CWE. Visit the Compliance page to see your coverage across all controls. Note: compliance mappings are informational — they help you understand your security posture but are not a substitute for a formal compliance audit.