XploitScan – Security scanner built for AI-generated code
XploitScan: Stop Shipping Hackable Code

45% of AI-generated code contains security vulnerabilities (Veracode 2025).

One command finds vulnerabilities in your AI-generated code. Plain-English results, fix suggestions included. Built for Cursor, Lovable, Bolt, and Replit users.

    $ npx xploitscan scan .

Example output from the page's terminal demo:

    ~/my-saas-app $ npx xploitscan scan .
    xploitscan v2.1.0 — security scan results
    ────────────────────────────────────────
    Found 11 issues: 7 CRITICAL | 3 high | 1 medium
    Scanned 47 files in 2.3s

    CRITICAL [VC005] Unprotected Stripe Webhook    server.js:39
      Attackers can fake payment events and mark orders as paid without actually paying.
      Fix: Use stripe.webhooks.constructEvent()

    + 10 more issues...

Try it now: paste code or upload a file in the web scanner, no signup required. The web scanner runs the 30 free rules.

Security scanning that speaks your language
Catch the vulnerabilities that AI coding tools miss, in seconds rather than hours.

131 Security Rules. Purpose-built for AI-generated code: 131 rules across secrets, injection (SQL, XSS, NoSQL, SSRF), auth, crypto, Docker, Kubernetes, CI/CD, IAM, Electron, mobile, and more.

Plain-English Results. Every vulnerability is explained in plain English with a copy-paste fix suggestion. No security expertise required.

One Command. npx xploitscan scan . with no config, no setup, and no account. Works with any JS/TS/Python project out of the box.

CI/CD Ready. GitHub Action with SARIF output; findings appear in the GitHub Security tab. Block PRs that contain critical vulnerabilities.

Compliance Mapping. Every finding is mapped to SOC2, ISO 27001, OWASP Top 10, and CWE. Export compliance reports for audits.

Built for Non-Experts. No security jargon: instead of "IDOR vulnerability via insecure direct object reference", we say "anyone can access other users' data by changing the ID in the URL."
Compliance Ready
Every finding is mapped to real compliance controls. XploitScan maps all 131 rules to SOC2 Trust Service Criteria, ISO 27001 Annex A controls, OWASP Top 10, and CWE, so you can see exactly how your code measures up.

Simple pricing
Start free, upgrade when you need more. Annual billing saves 20%.

Free: $0/mo, no credit card required
- 5 scans per day
- 30 core security rules
- Terminal + JSON output
- SARIF output for GitHub
- .xploitscanrc config support
- npx xploitscan scan .

Pro (most popular): $29/mo, 7-day free trial
- Unlimited scans
- Scan history dashboard
- GitHub Action integration
- PDF security reports
- SOC2/ISO27001 compliance mapping
- Slack/Discord webhooks
- Public security badge
- Priority support

Team: $99/mo, 5 seats included, +$15/seat
- Everything in Pro
- 5 team seats included
- Shared scan history
- Role-based access (RBAC)
- Team invite management
- Portfolio security reports
- Centralized billing
- Priority support

Feature comparison (Free / Pro / Team)
- Security scans: 5/day / Unlimited / Unlimited
- Security rules: 30 core / All 131 / All 131
- Team seats: 5 included (Team)
- Rows compared per tier: Plain-English results, Terminal + JSON output, SARIF output for GitHub, Scan history dashboard, GitHub Action (30 rules), PDF security reports, Slack/Discord webhooks, SOC2/ISO27001 mapping, Public security badge, .xploitscanrc config, Shared scan history, Role-based access (RBAC), Portfolio reports, Centralized billing, Priority support

Frequently asked questions
Everything you need to know about XploitScan.

What languages and file types does XploitScan support?
JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, and 30+ more. We also scan config files: Dockerfile, docker-compose, Terraform, Kubernetes manifests, CI/CD workflows, .env files, and package manifests.

Why not just use a regular security scanner?
Traditional SAST tools are designed for hand-written enterprise code.
They produce hundreds of irrelevant findings and require security expertise to interpret. XploitScan is purpose-built for AI-generated code: our 131 rules target the specific patterns that AI tools produce, and every finding is explained in plain English with a copy-paste fix.

Is my code sent to your servers?
When using the CLI, your code stays 100% local; nothing is uploaded. The web scanner sends files to our API for scanning, but we never store your source code. It is processed in memory and deleted immediately after scanning.

What are the scan limits?
Free plan: 5 scans per day with 30 core security rules. Pro plan ($29/mo): unlimited scans with all 131 rules, plus PDF reports, SBOM generation, compliance mapping, and webhook integrations. Team plan ($99/mo): everything in Pro plus 5 team seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.

Can I use XploitScan in CI/CD?
Yes. Use our official GitHub Action to scan on every PR. It outputs SARIF for the GitHub Security tab and can block merges when critical vulnerabilities are found. You can also run 'npx xploitscan scan . --format sarif' in any CI pipeline.

How long does a scan take?
Most scans complete in under 5 seconds. Large projects (1000+ files) may take up to 30 seconds. The CLI is faster still, since it runs locally without network overhead.

What happens to my code after scanning?
Your source code is never stored. During a web scan, files are processed in memory, scanned against our rules, and immediately discarded. We only store scan metadata (grade, score, finding counts), never your actual code.

Can I scan private GitHub repositories?
Yes. Paste a public repo URL into the web scanner; for private repos, run the CLI locally: 'npx xploitscan scan /path/to/repo'. The CLI never uploads your code.

Do you offer annual billing?
Yes. Save 20% with annual billing: Pro is $23/mo ($276/year) and Team is $79/mo ($948/year) when billed annually.
You can switch between monthly and annual at any time from Settings → Billing. Changes are prorated immediately.

Can my whole team use XploitScan?
Yes. The Team plan ($99/mo) includes 5 seats, with additional seats at $15/month each. The team owner manages billing, invites members by email, and assigns roles (Owner, Admin, Member, Viewer). Each role has different permissions; for example, Viewers can see reports but cannot run scans. Team members get full Pro features through the owner's subscription, with no separate payment needed.

Do you have a referral program?
Yes. The referral program is available to Pro and Team subscribers (owners and admins only). Go to Settings → Referral to get your unique referral link. When someone signs up using your link and subscribes to a paid plan, you receive a credit equal to one free month of your current plan, applied to your next invoice.

Can I get multiple free trials?
No. Each account is eligible for one 7-day free trial. If you have previously had a trial or paid subscription (on any plan), new subscriptions start billing immediately without a trial period. This applies whether you are switching from Pro to Team or vice versa.

How do I cancel or change my plan?
Go to Settings → Billing → Manage Subscription. You can cancel, upgrade, or downgrade at any time. Cancellations keep your access until the end of your billing period. Plan changes take effect immediately with prorated billing. No cancellation fees.

Does XploitScan support compliance frameworks?
Yes. Every finding is mapped to SOC2 Trust Service Criteria, ISO 27001 Annex A controls, OWASP Top 10, and CWE. Visit the Compliance page to see your coverage across all controls. Note: compliance mappings are informational; they help you understand your security posture but are not a substitute for a formal compliance audit.