What Security Scanner actually does (and what it doesn't)

When you scan an app, we run 50+ modules organized into 7 categories. Here's each one, what it looks for, and what severity it can produce.

1. Transport & network

nmap — port scan (top 1000 + common DB ports)
TLS audit — cert validity, chain, weak ciphers, expiry
Security headers — HSTS, CSP, X-Frame-Options, Referrer-Policy on :80 and :443
WAF/CDN fingerprint — identifies Cloudflare, Akamai, CloudFront, Fastly, Vercel Edge, Netlify Edge, Imperva, Sucuri

Exposed endpoints — /docs, /redoc, /.env, /.git, /debug, /swagger-ui
OpenAPI audit — fetches /openapi.json and flags missing security on every operation
API fuzz — injects SQL/NoSQL/LDAP syntax into GET parameters and watches for error signatures
CORS misconfig — tests wildcard origin + credentials combos
CSP audit — analyzes Content Security Policy for unsafe-eval, unsafe-inline, missing directives
Rate limit probe — detects endpoints without request throttling
GraphQL introspection — POST introspection query; flags password fields, dangerous mutations

Secret scanner — regex patterns for 38 provider keys (Anthropic sk-ant-*, OpenAI sk-proj-*, AWS AKIA*, Stripe sk_live_*, GitHub ghp_*, Google AIza*, GCP service-account JSON, Azure storage connection strings, Digital Ocean dop_v1_*, Vercel, Netlify, npm publish tokens, PyPI, LangSmith, Pinecone, Weaviate, Cloudflare, Heroku, Resend, SendGrid, Mailgun, Slack, etc.). Special: decodes JWTs to catch Supabase service_role keys (the catastrophic one).
Supabase deep-probe — Detects Supabase from JS bundle, extracts the anon key + every .from('table') + .rpc() + .storage.from('bucket') + .functions.invoke() reference. Probes each table for RLS misconfig, lists each storage bucket, enumerates edge functions.
Firebase + Firestore — Detects Firebase from JS, extracts .collection('xyz') names, probes each collection with the apiKey for Firestore rules misconfig. Also probes Realtime DB /.json root.
Hasura — Detects Hasura GraphQL endpoints, tests x-hasura-role: anonymous introspection + sensitive-table queries.
Clerk + NextAuth — detection + misconfig audit (NextAuth missing-secret, Clerk admin-key leaks).

JWT audit — alg=none acceptance check + HS256 weak-secret crack against ~35 common values (local compute, no extra target traffic).
OAuth audit — open-redirect probe on redirect_uri across 7 common OAuth paths.
Session entropy — samples Set-Cookie across 5 requests; flags low-entropy or sequential-numeric session tokens.
Auth probes — username enumeration via login-response delta; weak-password acceptance on signup.
IDOR / BOLA — for ID-bearing endpoints discovered by the JS analyzer, sweeps IDs 1-3 and detects (a) distinct unauthenticated responses (BOLA pattern, HIGH) or (b) PII leaks in the body (CRITICAL).

S3 + GCS bucket exposure — extracts bucket names from JS (*.s3.amazonaws.com, storage.googleapis.com/<bucket>) + dictionary attack from apex domain. Probes each for public LIST.
Default-port DB / service probe — Redis :6379 (INFO), Memcached :11211 (stats), MongoDB :27017, Elasticsearch :9200, Kibana :5601, CouchDB :5984, Neo4j :7474, Jenkins, Portainer, Hadoop NameNode, RethinkDB. Skips private IPs.
Infra-leak paths — 25 known-leaky paths: /actuator/env, /_ignition/execute-solution, /_debugbar, /telescope, /server-status, /phpinfo.php, /.git/config, /terraform.tfstate, /docker-compose.yml, /.env variants, /wp-config.php.bak, /WEB-INF/web.xml, etc. SPA-fallback guard prevents false positives.
K8s + Docker unauth APIs — kubelet :10250 /pods, Docker Engine :2375 /version, Prometheus :9090 /metrics.
WAF/CDN fingerprint — identifies Cloudflare, Akamai, CloudFront, Fastly, Vercel Edge, Netlify Edge, Imperva/Incapsula, Sucuri, F5 BIG-IP, Azure Front Door, Barracuda. Flags origins with no edge protection.

AI OpenAPI deep audit — Sonnet classifies every endpoint in the spec as destructive/data_read/data_write/safe, then live-probes only the unauthed GETs to verify.
AI JS analyzer — extracts API endpoints + auth patterns + secrets from the bundle, probes each.
AI triage — post-processes AI-originated findings against known false-positive patterns. 180-second wall-clock budget per target.
Prompt-injection probe — for chat/AI endpoints discovered in the JS bundle: tests compliance with injected canary instructions + system-prompt disclosure (max 2 short probes per endpoint, scanner-labeled).

Subdomain enumeration — Certificate Transparency logs.
Subdomain deep-scan — DNS brute + port check on discovered subdomains.
Subdomain takeover — CNAME chain analysis against known takeover fingerprints (Vercel, Netlify, Unbounce, GitHub Pages, S3, Heroku, Tumblr, Tilda, etc.).
JS library CVE — identifies vulnerable jQuery / lodash / moment versions by banner + @version syntax.
Typosquatted deps — checks JS bundle for known-typosquatted npm package imports (cross-env.js, discord.dll, babelcli, etc.).
Nuclei CVE — 8000+ community templates (log4j, spring4shell, etc.).
Google dork + GitHub dork — searches for secrets near the target's domain name.
Email deep-dive — SPF, DMARC, DKIM, DNS dangling-include check.

Authenticated testing — only when you explicitly provide credentials and consent
Exploitation — we verify findings but don't chain them into an attack
Destructive mutations — we never POST/PUT/DELETE to flag a finding
IDOR aggressively — we sweep 3 IDs per endpoint, never hundreds
Prompt-inject destructive payloads — canary + system-prompt question only, clearly labeled as scanner probes

If you want something we don't currently do, tell us at [email protected].