Security assessment for AI-built software

Your AI wrote the app.
Scout checks its work.

Upload your code or connect your repo. Scout runs it through a sandboxed battery of real security scanners, then an AI triage pipeline kills the false positives and hands you a short list of what's actually wrong — each with a copy-paste fix, an honest A-to-F grade, and the option to let Scout rewrite the broken code for you and re-scan to prove it.

No lock-in — pay per scan (Free / $1 / $10 / $100) or subscribe for monthly credits that stack. Findings in minutes — and fixes that re-scan clean.

Critical Row Level Security disabled on profiles SCT-0042
High Supabase service_role key in client bundle SCT-0043
High Firestore rules allow read, write: if true SCT-0051
Medium 3 dependencies with known CVEs SCT-0068

The problem

AI writes code fast. It ships the same bugs fast, too.

~70%

of audited Lovable apps shipped with Supabase Row Level Security disabled — the CVE-2025-48757 class.

1 paste

is all it takes to leak an API key. Client-side secrets are the single most common critical finding.

hallucinated

dependencies are a real supply-chain vector — AI imports packages that don't exist until someone malicious registers them.

What goes wrong

AI tools are extraordinary at making things work and indifferent to making them safe. They'll wire your database to the internet with auth off, embed secrets in the client bundle, and pull a dependency that was deprecated for an RCE two years ago — and the app runs perfectly. You can't see these by using your app. Neither can your users. Attackers can.

What Scout does

Runs your code through the same open-source scanners professional AppSec teams use — Semgrep, gitleaks, Trivy, and more — inside an isolated sandbox. Then an AI triage pipeline does the part that eats a security team's week: it strips the duplicates and false positives, verifies what's left, and rewrites every real finding in plain English with a concrete fix — ranked from the account-takeover you fix right now to the hardening that can wait. Nothing that matters is dropped; it's just finally digestible.

Scope

Scout is an assessment tool, not an attack tool. Static analysis runs on code you upload. Live testing runs only against apps you've verified you own. No exploitation, ever.

How it works

Upload. Scan. Fix.

STEP 01

Point Scout at your code

Drop a zip, paste a repo URL, or connect GitHub read-only. Scout auto-detects your stack and picks the right scanners. No config, no CI setup, no agent to install.

↳ read-only access · nothing is executed at this stage
STEP 02

It scans in a sealed sandbox

Your code runs through industry-standard scanners inside an isolated gVisor sandbox with no outbound network. Static, secret, dependency, and config checks — plus live probing of your deployed app on the top tier, once you verify ownership.

↳ semgrep · gitleaks · trivy · checkov · mobsf — plus Scout's own AI-agent probes
STEP 03

You get findings worth reading — then fixed

Raw output goes through a triage pipeline that kills false positives, merges duplicates, re-scores for your stack, and writes each finding with a copy-paste fix and an A–F grade. Apply the fixes yourself, or let Scout rewrite the code and re-scan to prove the grade.

↳ every real issue, de-duplicated and ranked — criticals first, hygiene last · then one click to fix
The report

Every finding earns its place.

Scanners are noisy — that's why most people ignore them. Every Scout finding survived deduplication, false-positive review, and severity re-scoring before you see it, written so you can fix it without a security background.

Critical Supabase Row Level Security is disabled on the profiles table SCT-0042
What this means

Your database will hand any logged-in user — or here, anyone with your public anon key, which is visible in your JavaScript — every row in profiles: emails, names, everything. This is the same misconfiguration behind the 2025 mass Lovable exposures.

Evidence
supabase/migrations/0002_create_profiles.sql:14 — table created, no RLS policy defined dist/assets/index-a4f1.js:1 — anon key present in shipped bundle
The fix
alter table profiles enable row level security; create policy "own profile" on profiles for select using ( auth.uid() = id );
Confidence: verified· Found by: semgrep + Scout config probe· Est. fix time: 10 min
1

Plain English, not CVE-speak

Written for the person who built the app, not for a security team.

2

Proof, not vibes

Exact file and line for every claim — so you can verify it, not just trust it.

3

Paste it into Cursor

The fix is a copy button. Apply it, re-scan, watch it turn green.

4

We name the tool

You always know which scanner found it, so nothing is a black box.

Browse a full sample report →
Auto-fix

Finding it is half the job. Scout fixes it — and proves it.

A report you can't act on is just anxiety. After any scan, Scout copies your codebase, rewrites every broken section itself, and re-scans the result to prove the grade actually moved — before you ever see it. You never get a fix that leaves the vulnerability behind.

BeforeF
LiftLedger — FastAPI workout tracker
7 findings — 1 critical, 1 high, 1 medium, 4 low/info
IDOR on every workout route · stored XSS → token theft · fail-open JWT secret
Scout
Auto-Fix
rewrite
+ re-scan
After · best-effort passB
Every real vulnerability closed
Critical, high & medium all gone — the IDOR, stored XSS, and fail-open secret eliminated; owner checks added, output escaped, secret fails closed. Only low/info hardening notes remain.
The $10/$100 tiers iterate from here to a guaranteed A. Confirmed by a fresh re-scan — not a promise.
✓ Re-scan verified
01

It works on a copy

Your original repo is never touched. Scout rewrites a copy and hands you a clean version plus a diff of exactly what changed and why.

02

It rewrites the broken code

Every finding's fix is applied for real — owner checks, escaped output, fail-closed secrets, headers, validation — kept behaviour-preserving so the app still works the same.

03

It re-scans to prove the grade

The rewritten copy goes back through a full scan. If it isn't clean yet, Scout fixes again and re-scans. No rewrite ships without passing.

$10 & $100 scans

A-grade guaranteed. The rewrite is included, and Scout keeps fixing and re-scanning until a fresh scan comes back an A. If it genuinely can't reach an A, you don't pay for the fix.

Free & $1 scans

You get the findings and the fixes to apply yourself. Hit fix it and Scout fully rewrites and re-scans your code — so the new grade you see is earned on a real re-scan, not estimated. Unlock that proven rewritten code with credits; best-effort, guaranteed to land you a better grade.

Credits

Unlocking a rewrite costs 1 credit per 10 findings (1–5 credits), so a big messy project costs a little more than a tiny one — and you always see the exact quote before you spend anything. On the $10 and $100 tiers the rewrite is already included, no credits needed.

Pricing

Pay per scan — or subscribe for credits.

No per-seat math, no "contact sales." Everything runs on credits: buy a scan when you need one, or subscribe for a monthly bundle that stacks. Every tier — including free — returns real findings.

Free$0See what Scout sees
Standard$1/scanThe coffee-money audit
Deep$10Run this before you launch
Audit$100The full workup
Letter grade (A–F) + full findings report
Full deterministic probe scan — secrets, injection, IDOR/access-control, crypto, JWT, path traversal, CORS, Docker/IaC & more (17 modules)
Hardcoded secrets & keys
current files

full history
Client-side / bundle secret exposure
Vulnerable dependencies (CVEs)
critical only

all severities
Supabase RLS & Firebase rules audit
static

+ live confirm
Security headers
Hallucinated / typosquat dependencies
Deep static analysis (Semgrep, full rulesets)
AI triage — plain-English findings & fixescriticals + top 3
API authorization / IDOR analysis
Cloud / IaC / Docker config
AI-agent review — prompt injection & tool scope
static
Mobile (MobSF), Electron & desktop
PDF / SARIF export & regression diff
Live web testing (DAST — XSS, SSRF, fuzzing)
gated
Live AI-agent jailbreak & injection red-team
gated
Post-fix grade — earned on a real re-scan, not estimated
Auto-fix — Scout rewrites & re-scans your codecreditscredits
included

included
Fix guaranteebetter gradebetter gradeA guaranteedA guaranteed
Start free Run $1 scan Run Deep Book an Audit
Subscriptions — credits on tap

A subscription never “unlocks” features — it grants credits, and credits buy everything. Bundles land monthly and stack: skip a month of scanning and they bank up. Deep & Audit credits keep for two years; fix credits never expire.

Subscription · Deep
Deep$20/mo
2 Deep credits10 fix credits
  • 2 multi-agent Deep reviews a month — recon → specialist finders → adversarial verify
  • 10 fix credits cover $1 Standard scans and auto-fix unlocks between reviews
  • Subscriber badge on your profile · cancel anytime
Get Deep →
Subscription · Audit
Audit$100/mo
2 Audit credits1 Deep credit10 fix credits
  • 2 full Audits a month — reachability & attack paths, Recon chat, SARIF export
  • Plus a Deep review and 10 fix credits for everything between audits
  • Subscriber badge on your profile · cancel anytime
Get Audit →

Prefer one-time? A single Deep credit is $10, a single Audit credit is $100 — both on the Plans page.

Auto-fix credits

Separate from per-scan pricing. Credits unlock the verified rewritten code on Free & $1 scans — 1 credit per 10 findings (1–5 per fix). Already included on $10 & $100. Bigger packs stack bonus credits, and credits never expire.

5 cr
$5
10 cr
$10
Most popular
29 cr
$25
+4 bonus credits
60 cr
$50
+10 bonus credits
125 cr
$100
+25 bonus credits

Buy credits →  ·  fix credits also cover $1 Standard scans (1 each)  ·  Deep & Audit plans →

Free always shows every critical in full — with the fix — no matter how many, plus the three most severe of everything else. Severity + location on all the rest. Every paid scan spends a credit of its tier — a $1 scan takes 1 fix credit (or just pay $1 at checkout), Deep takes 1 Deep credit, Audit takes 1 Audit credit. The subscriptions above grant the monthly bundles; buying one-time works too. Auto-fix rewrites your code and re-scans to prove the grade. On $10 & $100 it's included and an A is guaranteed. On Free & $1 you unlock the verified rewrite with credits — 1 credit per 10 findings (1–5), best-effort to a better grade. Live testing requires verifying you own the target — a DNS record or a meta tag, about two minutes. We don't scan apps that aren't yours.
Examples

Real scans, real catches.

These aren't mockups. Every tile is an app we actually built and ran through Scout — drag the wall, click any one to open its full report: the grade, every finding, the exact fix. False positives already stripped.

0 apps scanned · drag the wall ◀ drag ▶ · click a tile for its full report
Questions

Straight answers.

Is my uploaded code secure? +
Yes, and it's the part we take most seriously. Your upload goes straight from your browser to isolated, per-customer encrypted storage — our servers never see the payload in transit. Analysis happens inside a sandbox with no outbound network, so your code can't leave and nothing in it can call home. The raw code is deleted within an hour of your scan finishing.
What's the A-to-F grade? +
One letter for the whole app, so you know where you stand at a glance. It's driven by the worst thing Scout can prove: an app with an IDOR, an auth bypass, or exposed private data lands a D or F; a couple of medium issues is a C; only minor or defensive gaps earns a B; genuinely clean is an A. Every scan also tells you the grade your app would earn once the fixes go in.
How thorough is a scan — what does the $100 Audit actually do? +
Two layers. First a fast pass of deterministic probes — exposed secrets & keys, broken access control (IDOR), missing auth, injection (SQL/NoSQL/command/code/template), path traversal, open redirects, insecure deserialization, weak or misused crypto, JWT misconfig, permissive CORS, missing security headers & cookie flags, debug/stack-trace leaks, container & IaC misconfig, and risky dependencies. Then the real depth: a multi-agent AI review that reads your actual code like a senior pentester — a recon pass to map the app, then ~10 specialist reviewers hunting different vulnerability classes in parallel, then an adversarial verify pass whose only job is to disprove each finding so false positives never reach you. The $100 Audit adds a second graded engineering-quality review and a grounded forward-risk analysis. The grade reflects only what survives verification.
How long does it take — do I have to wait on the page? +
The fast probe findings show up in seconds. The deep multi-agent review takes a few minutes (longest on the $100 Audit, which is the most exhaustive). You don't have to sit and watch: the report updates live — a one-line status tells you what's running, preliminary findings appear immediately with a "deeper analysis in progress" note, and the final graded report replaces them when it's ready. Close the tab if you like; on the $10 and $100 tiers we email you the moment it's done.
Does Scout actually fix the code, or just tell me how? +
Both. Every scan explains each issue with a copy-paste fix you can apply yourself. But Scout can also do it for you: it copies your codebase, rewrites the broken sections, and re-scans the result to prove the grade moved before handing it back — so you never get a fix that leaves the hole open. On the $10 and $100 tiers that rewrite is included; on Free and $1 you unlock it with credits (1 credit per 10 findings, 1–5). Either way, the grade we show is the result of that real re-scan — never a guess, so you always know a "B" is a genuine B before you pay.
What if the fix can't reach an A? +
On the $10 and $100 tiers an A is guaranteed — Scout keeps rewriting and re-scanning until a fresh scan comes back clean, and if it genuinely can't get there, you aren't charged for the fix. On Free and $1 the rewrite is best-effort: guaranteed to move you to a better grade (an F to a B, say), and the scan shows the projected grade up front so there are no surprises. A few issues are architectural and honestly need a human — Scout tells you which, rather than pretending.
What data do you keep? +
The report, and nothing else durable. Raw code is deleted within an hour. Reports are kept 7 days on Free and 30 days on paid tiers so you can come back to them — or hit Delete now and everything is gone immediately. We never train any model on your code or your findings.
Is this legal? +
Static analysis of code you give us is always fine — it's reading, not attacking. Live testing (the $100 tier) only runs against a target after you prove you own it, via a DNS record or a file we ask you to host. We never scan something you haven't verified, and we never exploit anything — Scout reports vulnerabilities, it doesn't break in.
Which languages and frameworks? +
Today: JavaScript / TypeScript and Python web apps, with first-class support for the Supabase, Firebase, Next.js, React, Express, and React Native stacks that AI tools reach for — plus the infrastructure that ships with them (Dockerfiles, compose, and config). The multi-agent review reads whatever's in the repo, so it isn't limited to a fixed rule list. Mobile (iOS/Android), Electron, and more languages are rolling out on the paid tiers.
Do you need my source code? +
For static scans, yes — connect a GitHub repo read-only or upload a zip. For live testing, we test your deployed app from the outside and only need the URL you've verified you own. You can always start with the free static scan and never hand over live access at all.
How is this different from running Semgrep myself? +
You absolutely can run Semgrep yourself — and gitleaks, and Trivy, and MobSF, configure rulesets for each, and then wade through a wall of raw output where the real issues, the duplicates, and the false positives all look the same. That triage is what you're paying Scout for: we run all of them, cut the duplicates and false positives, verify what survives, rank it by real-world impact, and explain each one in plain English with a fix. The scanners are open source. The judgment — and making all of it digestible — is the product.
How Scout protects you

Built to be trusted with code.

Sandboxed by design

Every scan runs in an isolated gVisor sandbox with no network. Your code can't reach the internet, and no scan can reach another customer's.

Delete means delete

Raw code is purged within an hour. One button wipes your report and everything tied to it, on demand.

Never trained on

Your code and your findings never enter a training set. Ever. They're yours.

Assessment, not attack

Scout finds and explains vulnerabilities. It doesn't exploit them, and live testing is gated behind proof you own the target.

Open about our tools

We name every scanner behind every finding. No black box, no made-up "proprietary engine."

Free to start

Find out what your AI shipped.

Sign in with GitHub, point Scout at a repo, and get real findings in minutes. If everything's clean, you'll sleep better. If it isn't — better you than someone else.

Run a free scan

Sign in with GitHub · Subscribe or pay as you go · The free tier never needs a card