Features
Everything an attacker would check, before they do
One engine, one deterministic score. The same project always produces the same grade — no language model touches the math.
Exposed secrets
API keys, tokens, and database credentials committed to code or shipped in the browser bundle — the single most common leak in AI-built apps. Evidence is redacted to a masked locator; we never store the secret itself.
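As an added illustration of the "masked locator" idea described above (example code written for this page, not Hullchecks' own scanner, and with constructed, illustrative patterns rather than its real rule set): a small secret finder that reports where a suspected credential sits in a file and a masked preview, without ever placing the raw value in its output.

```python
import re

# Constructed detection rules for a few common credential shapes. These are
# illustrative patterns for this example, not Hullchecks' actual rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
    ),
}

def mask(value: str, keep: int = 4) -> str:
    """Keep a short recognisable prefix; replace the rest so the value is unusable."""
    return value[:keep] + "*" * (len(value) - keep)

def find_secret_locators(path: str, source: str) -> list[dict]:
    """Scan one file's text and return masked locators for each suspected secret.

    Each locator records where the evidence is (file, line, column), which rule
    fired, and a masked preview. The raw value is never copied into the result,
    so storing or logging the findings cannot leak the credential itself.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                group = 1 if pattern.groups else 0   # capture group holds the value, if any
                raw = m.group(group)
                findings.append({
                    "file": path,
                    "line": lineno,
                    "col": m.start(group) + 1,       # 1-based column of the value
                    "rule": rule,
                    "masked": mask(raw),
                })
    return findings

# Constructed sample: a browser-bundle fragment with one safe line and two leaks.
SAMPLE_BUNDLE = "\n".join([
    'const dbUrl = process.env.DATABASE_URL;            // fine: read at runtime',
    'const awsKey = "AKIAIOSFODNN7EXAMPLE";             // leaked AWS key id',
    'headers.token = "abcdefghij0123456789abcdef";      // leaked bearer token',
])

if __name__ == "__main__":
    for f in find_secret_locators("dist/bundle.js", SAMPLE_BUNDLE):
        print(f"{f['file']}:{f['line']}:{f['col']} {f['rule']} {f['masked']}")
```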
Code & injection flaws
Static analysis for SQL and command injection, unsafe eval, XSS sinks, insecure deserialisation, and authentication that trusts the client. Powered by curated rules, not noise.
Vulnerable dependencies
Packages with known CVEs, flagged by severity, with the minimal safe version bump to fix each one.
Supply-chain & hallucinated packages
AI tools invent package names that attackers then register with malware. Hullchecks flags dependencies that look typosquatted or hallucinated — a risk unique to AI-built apps.
Live-URL surface
Security headers, permissive CORS, exposed .env and .git, TLS quality, SPF/DMARC, and subdomain takeover — probed read-only and non-destructively, behind strict SSRF protection.
One-click fixes
For the safe, mechanical issues, Hullchecks opens a ready-to-merge pull request: move secrets to env, bump a dependency, add headers, tighten CORS, scaffold an RLS policy.
Continuous monitoring
Connect a repository and every pull request is re-scanned, with score history over time and alerts the moment a new critical-severity finding appears.
Runs in your AI agent
An MCP server exposes the scan to Cursor, Claude Code, and Windsurf, so issues are caught and fixed while you're still prompting — before a single line is committed.