Secrets & Vulnerabilities
DeployReady scans your code for the most common and dangerous security mistakes — and maps each finding to industry standards like OWASP and CWE.
What it detects
- Hardcoded secrets and credentials in source
- Injection (SQL, command, eval) and XSS sinks
- Weak cryptography, insecure randomness, and disabled TLS verification
- JWT misconfiguration (alg:none accepted during verification) and insecure cookie flags
- Access control: Row-Level Security (RLS) disabled or never enabled, and misuse of the service_role key, which bypasses RLS
- Insecure cleartext http:// endpoints
- OWASP Top 10 (2025) violations, with CWE-mapped findings for traceability
Example findings
Every finding includes a severity, the offending file and line, the relevant standard, and whether it can be auto-fixed.
findings.json
{
  "findings": [
    {
      "id": "CWE-798",
      "severity": "critical",
      "type": "hardcoded_secret",
      "title": "Hardcoded secret / credential in source",
      "file": "app/api/route.ts",
      "line": 15,
      "owasp": "A02:2021 – Cryptographic Failures",
      "fixable": true,
      "fix": "Move to environment variable or secret manager"
    },
    {
      "id": "CWE-79",
      "severity": "critical",
      "type": "xss_sink",
      "title": "XSS: Unsanitized HTML injection",
      "file": "components/Profile.tsx",
      "line": 42,
      "owasp": "A03:2021 – Injection"
    }
  ]
}
Severity levels
- Critical — must fix before production
- Warning — best practices to address
- Info — suggestions and optimizations
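To make the detection list and the finding format above concrete, here is an added example (not DeployReady's own code) of a minimal line-oriented scanner for three of the checks: hardcoded secrets, a JWT allow-list that accepts alg none, and cleartext http:// endpoints. It emits findings in the same shape as findings.json and applies the severity gate described above. The rule ids, CWE/OWASP mappings, regexes, the "warning" severity for cleartext http, and the sample source are all illustrative assumptions rather than the product's real rule set.

```javascript
// Added example, not DeployReady's code. Rule ids, CWE/OWASP mappings, regexes
// and severities are illustrative assumptions, not the product's actual rules.

const RULES = [
  {
    id: "CWE-798",
    type: "hardcoded_secret",
    severity: "critical",
    title: "Hardcoded secret / credential in source",
    owasp: "A02:2021 – Cryptographic Failures",
    fixable: true,
    fix: "Move to environment variable or secret manager",
    // A secret-looking identifier assigned a string literal of 8+ characters.
    pattern: /(?:secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*["'][^"']{8,}["']/i,
  },
  {
    id: "CWE-347", // Improper Verification of Cryptographic Signature (assumed mapping)
    type: "jwt_alg_none",
    severity: "critical",
    title: "JWT: 'none' accepted as a verification algorithm",
    owasp: "A02:2021 – Cryptographic Failures",
    fixable: true,
    fix: "Allow only the algorithm the tokens are actually signed with (e.g. HS256 or RS256)",
    // An `algorithms: [...]` allow-list that contains "none".
    pattern: /algorithms?\s*:\s*\[[^\]]*["']none["']/i,
  },
  {
    id: "CWE-319", // Cleartext Transmission of Sensitive Information (assumed mapping)
    type: "cleartext_http",
    severity: "warning", // assumed severity for this rule
    title: "Insecure cleartext http:// endpoint",
    owasp: "A02:2021 – Cryptographic Failures",
    fixable: true,
    fix: "Use https://",
    // A quoted http:// URL, ignoring loopback addresses used in local development.
    pattern: /["']http:\/\/(?!localhost|127\.0\.0\.1)[^"']+["']/i,
  },
];

// Scan one file's source text and return findings in findings.json shape
// (the regex itself is stripped from each emitted finding).
function scanSource(file, source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const { pattern, ...meta } of RULES) {
      if (pattern.test(text)) {
        findings.push({ ...meta, file, line: idx + 1 });
      }
    }
  });
  return findings;
}

// Count findings per severity level (critical / warning / info).
function countBySeverity(findings) {
  const counts = { critical: 0, warning: 0, info: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Critical findings must be fixed before production: true means block the deploy.
function hasBlockingFindings(findings) {
  return findings.some((f) => f.severity === "critical");
}

// Constructed sample input (not a real file); the secret value is a placeholder.
const SAMPLE_SOURCE = [
  'import jwt from "jsonwebtoken";',
  'const STRIPE_SECRET = "sk_live_EXAMPLE0123456789abcdef";',
  'const API = "http://api.example.com/v1";',
  'export function verify(token) {',
  '  return jwt.verify(token, process.env.JWT_SECRET, { algorithms: ["HS256", "none"] });',
  '}',
  'const HEALTH = "http://localhost:3000/health";',
].join("\n");

const sampleFindings = scanSource("app/api/route.ts", SAMPLE_SOURCE);
console.log(JSON.stringify({ findings: sampleFindings }, null, 2));
console.log(countBySeverity(sampleFindings), "blocking:", hasBlockingFindings(sampleFindings));
```

Run against the constructed sample, the scanner reports the placeholder secret on line 2, the cleartext API URL on line 3, and the alg:none allow-list on line 5, while the localhost health-check URL on line 7 is deliberately ignored. Two of the three findings are critical, so the severity gate would block the deploy. Real scanners use token-based parsing rather than per-line regexes, which is one reason a clean run is not a certificate: a secret built by string concatenation, or an allow-list split across lines, slips past this toy detector.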
Detection is not a guarantee
No scanner finds everything. A clean DeployReady run reduces risk but does not certify your app as secure. Pair it with human review and other tooling.
Fixing findings
Many findings are auto-fixable. Use fix <n> in the interactive prompt to review an AI-proposed diff before applying it. See the AI Fix guide.