// ai security code reviewer
Find the vulnerabilities before attackers do.
Paste a snippet and get a defensive security review — the risky lines, why they're dangerous, and how to fix them. Powered by Claude, with a built-in heuristic scanner when AI is offline. Your code is analysed in memory only and never stored.
What it checks for
- Injection sinks — SQL/command/code execution from untrusted input (CWE-89/77/95).
- Cross-site scripting — unescaped output of user data (CWE-79).
- Secrets in code — hardcoded keys, passwords, and tokens (CWE-798).
- Weak crypto & randomness — MD5/SHA-1 for passwords, predictable tokens (CWE-327/330).
- Unsafe deserialization, SSRF, path traversal, and disabled TLS verification.
Frequently asked questions
What kinds of vulnerabilities does it find?
It flags common classes such as injection, insecure deserialization, hardcoded secrets, weak crypto, missing input validation, and unsafe configuration, with severity and remediation guidance.
Which languages are supported?
It reviews most mainstream languages by reasoning over the pasted snippet; results are strongest for self-contained functions and clearly scoped files.
Is my code stored?
No. Code is analyzed for your session and is not retained or used for training. Avoid pasting production secrets — rotate anything you share anywhere.
Does it replace a full security audit?
No. It is a fast first-pass defensive review to catch obvious issues early; pair it with dependency scanning, tests, and human review for production code.