New · GitHub App
Install once. Every PR gets scanned for hardcoded secrets, SQL injection, missing auth, XSS, and 200+ other vulnerability patterns. Findings show up inline in the diff, where you review.
Free for public repos and small projects. No credit card required.
Every PR shows an XploitScan check. Critical or high findings fail the check; medium and low are advisory. Wire it as a required check to block merges.
Findings post directly on the line that triggered them — severity, rule ID, and a fix recommendation right where you'd be reading the diff anyway.
Free covers 30 core rules. Pro and Team unlock the full 210+ rule set plus an AI false-positive filter that drops noisy matches before they reach you.
Plus 196 other patterns curated specifically for AI-generated code.
Pick which repositories XploitScan can see. Public, private, or both — your call.
The App scans the changed files at the PR's HEAD commit. Typically completes in under 5 seconds.
A Check Run lands on the PR with a severity breakdown. Findings on changed lines also appear as inline comments in the diff.
Each push re-scans automatically. Resolved findings drop off; new findings appear. No duplicate comments.