🛡 Static Scanner · 62 rules · No API key

Find vulnerabilities before the attacker

Free static scanner — runs in the browser, no API key, no server. Paste any JavaScript, TypeScript, Python, PHP, Go or Ruby code and see vulnerabilities in seconds.

43 critical rules · 18 secrets patterns · 19 injection checks · 0 external dependencies · ✓ Works offline


node_modules · .git · dist · .next ignored automatically

About this scanner

Static analysis based on 62 rules derived from TruffleHog v3, Semgrep community rules and OWASP ASVS 4.0. Runs 100% in your browser — no code is sent to servers. False positives are possible; review each finding. Languages covered: JavaScript, TypeScript, Python, PHP, Go and Ruby. For broader coverage, combine with npm audit, pip-audit and Semgrep CLI.

Frequently asked questions

Is CIPHER really free?

Yes, 100% free with no limits. There is no paid plan, no signup, and no API key required. The tool runs entirely in your browser.

Is my code sent to any server?

No. CIPHER is a static scanner that runs locally in your browser using pure JavaScript. Not a single line of your code leaves your device. It is safe to use with proprietary or confidential code.

Which programming languages are supported?

JavaScript, TypeScript, JSX, TSX, Python, PHP, Go and Ruby. It also detects vulnerabilities in configuration files such as package.json, docker-compose.yml and .env.example.

What is Static Application Security Testing (SAST)?

SAST is a technique that analyzes source code without executing it, looking for known vulnerability patterns such as hardcoded secrets, SQL injection and XSS. CIPHER applies 61 rules derived from OWASP, CWE and tools like TruffleHog and Semgrep.

How do I detect hardcoded API keys and secrets?

Paste your code into CIPHER and click "Start Scan". The tool automatically detects patterns from OpenAI, Anthropic, AWS, GitHub, Stripe, SendGrid, Google and other providers, as well as high-entropy strings that may be unidentified tokens.
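How such a secrets rule can work in plain browser-side JavaScript, as an added example that is not CIPHER's own code: named provider-prefix patterns (the AWS access key ID and GitHub token shapes used here are assumptions) plus a Shannon-entropy threshold that catches token formats no named rule knows, run over a constructed snippet.

```javascript
// Added example, not CIPHER's code: provider-prefix patterns plus a Shannon-entropy
// fallback, the two strategies the answer above describes. Pattern shapes are assumptions.
const SECRET_PATTERNS = [
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: 'github-pat', re: /\bghp_[A-Za-z0-9]{36}\b/g },
];
// Shannon entropy in bits per character: random tokens score near the maximum for
// their alphabet, while words, paths and URLs score well below it.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Named patterns fire first; any other quoted literal of 20+ characters whose entropy
// reaches minEntropy is reported as 'high-entropy-string' (unknown token formats).
function scanSecrets(source, minEntropy = 4.5) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const matched = new Set();
    for (const { id, re } of SECRET_PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ line: i + 1, rule: id, value: m[0] });
        matched.add(m[0]);
      }
    }
    // Single- or double-quoted literals; a real scanner would use a tokenizer.
    for (const m of line.matchAll(/["']([^"'\n]{20,})["']/g)) {
      const lit = m[1];
      if (matched.has(lit)) continue;
      const h = shannonEntropy(lit);
      if (h >= minEntropy) findings.push({ line: i + 1, rule: 'high-entropy-string', value: lit, entropy: h });
    }
  });
  return findings;
}
// Constructed sample: the AWS value is Amazon's documented example key, the GitHub
// token and session string are made up, and the URL is a benign control.
const SAMPLE = [
  'const awsKey = "AKIAIOSFODNN7EXAMPLE";',
  'const token = "ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789";',
  'const url = "https://example.com/api/v1/users";',
  'const session = "q7R2mX9vL4tB8nZ1pW6kY3jH5dF0sA2g";',
].join('\n');
```

Running `scanSecrets(SAMPLE)` reports the AWS key on line 1, the GitHub token on line 2 and the session string on line 4 as a high-entropy finding, while the URL stays below the threshold.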

Does the scanner detect SQL Injection?

Yes. CIPHER flags SQL queries built by string concatenation, by template literals that embed user input, and by Sprintf in Go; the check covers JavaScript, TypeScript, Python, PHP and Go.

What is the difference between CIPHER and npm audit?

They are complementary. npm audit checks dependencies with known CVEs. CIPHER analyzes the code you wrote: hardcoded secrets, unsafe SQL queries, XSS, weak password hashing and other implementation errors that npm audit cannot detect.

Does CIPHER replace a professional security audit?

No. CIPHER is a first line of defense — ideal for finding obvious issues quickly. For critical systems, we recommend combining it with npm audit, pip-audit, Semgrep CLI and manual review by security experts.