Documentation
Everything you need to know about securing your AI-built apps with Sekrd.
Getting Started
Sekrd scans any web application for security vulnerabilities. Most scans finish in under 2 minutes; large or slow targets can take longer. Signing up takes a single OAuth step. Free URL scans need no account and are subject to a monthly per-IP quota (see the API Reference for the current limit).
1. Paste your URL
Go to the Scan page and enter the URL of your deployed app (e.g. https://myapp.vercel.app).
2. Wait for results
Sekrd runs up to 15 security checks in parallel (a free scan runs the 9 external checks; a Deep Scan runs all 15, see Scoring): secrets detection, dependency CVE scanning, DAST (dynamic application security testing), active DAST probes (XSS, CORS misconfiguration, rate limiting, IDOR, open redirect, CSRF, error-page information leakage), Supabase RLS audit, Firebase rules check, authentication flow analysis, payment security, cost exposure analysis, GDPR compliance scanning, and MCP server security audit. Each provider reports as it finishes, so results arrive in real time.
3. Review findings
Each finding includes a severity level (critical, high, medium, low, info), a description of the issue, its potential impact, evidence found, and a ready-to-use fix prompt tailored for your AI coding tool.
4. Fix with one prompt
Copy the universal fix prompt for the finding and paste it into any AI coding tool (Cursor, Claude Code, Lovable — same prompt, same result). It includes the full context the tool needs to generate the exact code fix.
Deep Scan
A free scan checks your app externally. A Deep Scan connects to your backend services to audit internal configuration that is invisible from outside.
Supabase Integration
Required credentials:
- Project Ref — found in your Supabase dashboard URL
- Service Role Key — Settings → API → service_role (secret)
- Database Password (recommended) — Settings → Database → Connection string password
Why we need the Database Password
The database password lets us query pg_policies directly, which is how we read the actual SQL of your RLS policies (for example, a policy whose USING clause is simply true). Without it, we can only detect whether tables are reachable through the public API, not inspect the policy logic. Every query we run is read-only.
Security best practice
All credentials are sent over HTTPS, used once for this audit, and then deleted; we never store your passwords. Because the service_role key bypasses RLS entirely and the database password grants direct Postgres access, rotate both after the scan: reset the database password in Supabase (Settings → Database → Reset database password) and revoke and regenerate the service role key.
We audit: RLS policy SQL on every table, auth configuration (email confirmation, password strength), storage bucket policies, and database roles.
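To make the USING (true) check concrete, here is an added example of the audit logic, written for this page and not Sekrd's own code. It shows the pg_policies query you would issue with the database password and then flags permissive policies whose USING or WITH CHECK clause is simply true. The sample rows are constructed to look like that query's output so the check runs offline, and the severity labels are this example's own choice.

```javascript
// Added example (not Sekrd's own code): how a "USING (true)" audit reads from
// pg_policies. POLICY_QUERY is the query you would run with the database
// password; SAMPLE_ROWS are constructed to look like its output so the check
// runs offline. The severities are this example's own choice.

const POLICY_QUERY = `
  SELECT schemaname, tablename, policyname, permissive, roles, cmd, qual, with_check
  FROM pg_policies
  WHERE schemaname = 'public'
  ORDER BY tablename, policyname`;

// pg_policies prints expressions as SQL text: "true", "(true)" and " TRUE "
// all mean "every row passes".
function isAlwaysTrue(expr) {
  if (expr == null) return false;
  return expr.replace(/[\s()]/g, '').toLowerCase() === 'true';
}

// USING (qual) gates SELECT, UPDATE, DELETE and ALL; WITH CHECK gates the rows
// written by INSERT, UPDATE and ALL. Return the clauses that are wide open.
function openClauses(row) {
  const clauses = [];
  if (row.cmd !== 'INSERT' && isAlwaysTrue(row.qual)) clauses.push('USING');
  if (row.cmd !== 'SELECT' && row.cmd !== 'DELETE' && isAlwaysTrue(row.with_check)) {
    clauses.push('WITH CHECK');
  }
  return clauses;
}

// 'public' means every role; 'anon' is anyone holding the publishable anon
// key. Either one wide open is reachable without logging in at all.
function severityFor(roles) {
  return roles.includes('public') || roles.includes('anon') ? 'critical' : 'high';
}

function findPermissivePolicies(rows) {
  const findings = [];
  for (const row of rows) {
    // RESTRICTIVE policies can only narrow what PERMISSIVE ones allow.
    if (row.permissive !== 'PERMISSIVE') continue;
    const clauses = openClauses(row);
    if (clauses.length === 0) continue;
    findings.push({
      table: `${row.schemaname}.${row.tablename}`,
      policy: row.policyname,
      cmd: row.cmd,
      roles: row.roles,
      severity: severityFor(row.roles),
      evidence: `${clauses.join(' and ')} is always true for ${row.roles.join(', ')}`,
    });
  }
  return findings;
}

// Constructed rows in the shape node-postgres returns for pg_policies
// (roles is a name[] and arrives as a JS array). Not from any real project.
const SAMPLE_ROWS = [
  { schemaname: 'public', tablename: 'profiles', policyname: 'Profiles are viewable by everyone',
    permissive: 'PERMISSIVE', roles: ['public'], cmd: 'SELECT', qual: 'true', with_check: null },
  { schemaname: 'public', tablename: 'orders', policyname: 'Users see own orders',
    permissive: 'PERMISSIVE', roles: ['authenticated'], cmd: 'SELECT', qual: '(auth.uid() = user_id)', with_check: null },
  { schemaname: 'public', tablename: 'orders', policyname: 'Anyone can create orders',
    permissive: 'PERMISSIVE', roles: ['anon', 'authenticated'], cmd: 'INSERT', qual: null, with_check: 'true' },
  { schemaname: 'public', tablename: 'notes', policyname: 'Enable all for authenticated users',
    permissive: 'PERMISSIVE', roles: ['authenticated'], cmd: 'ALL', qual: '(true)', with_check: '(true)' },
  { schemaname: 'public', tablename: 'audit_log', policyname: 'Nobody deletes',
    permissive: 'RESTRICTIVE', roles: ['public'], cmd: 'DELETE', qual: 'false', with_check: null },
];

// A policy like the first one may be intentional for a genuinely public
// table; the audit can only surface it, a human has to decide.
for (const f of findPermissivePolicies(SAMPLE_ROWS)) {
  console.log(`[${f.severity}] ${f.table} ${f.cmd} policy "${f.policy}": ${f.evidence}`);
}
```

Against the sample rows this flags the public SELECT on profiles and the anonymous INSERT on orders as critical, and the authenticated-only ALL policy on notes as high; the scoped `auth.uid() = user_id` policy and the RESTRICTIVE policy pass. Note that a table with RLS disabled has no rows in pg_policies at all, so a complete audit also has to check relrowsecurity in pg_class.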
Firebase Integration
Required credentials:
- Project ID — found in Firebase console project settings
- Service Account JSON (optional) — Settings → Service accounts → Generate new private key
Recommended: create a dedicated read-only account
Create a new service account in your Firebase project and grant it only the Viewer role: the audit needs read access to your security rules, not write. The JSON key is used once for the audit and immediately deleted. Delete the key (or the whole service account) after the scan.
We audit: Firestore security rules, Realtime Database rules, Cloud Storage rules, Authentication providers, and exposed API keys.
Running a Deep Scan
After connecting your integrations in the dashboard, click "Deep Scan" on your project. The deep scan includes all free-scan providers plus the connected service audits. Results typically complete in 30-90 seconds.
Fix Prompts
Every finding includes copy-paste fix prompts tailored for popular AI coding tools. Each prompt includes the vulnerability context, evidence, and step-by-step instructions that the AI can use to generate the exact fix.
Cursor
- Click the Cursor tab on any finding card
- Click "Copy prompt" to copy it to your clipboard
- Open Cursor and press Cmd+K (or Ctrl+K) to open the AI chat
- Paste the prompt; Cursor will generate the fix in context
Claude Code
- Click the Claude Code tab on any finding card
- Copy the prompt
- Paste it into your Claude Code terminal session
- Claude Code will edit the relevant files directly
Lovable
- Click the Lovable tab on any finding card
- Copy the prompt
- Paste it into the Lovable editor chat — it understands Supabase context natively
Combined Fix Prompt
Sign up to receive a single combined prompt that fixes all findings at once. This is sent via email as part of your PDF report, or available on the dashboard for authenticated users.
MCP Plugin
The Sekrd MCP server lets you scan URLs for vulnerabilities directly from your AI coding assistant. Install once, then just ask it to scan any URL.
Install
The server runs via NPX, so there is nothing to install. Note that `npx -y` downloads and runs the latest published version without a confirmation prompt; pin a specific version in the args (`@sekrd/mcp-server@<version>`) if you want reproducible behaviour. Source code: github.com/sekrdcom/sekrd-mcp-ts
Claude Code
claude mcp add sekrd -- npx -y @sekrd/mcp-server
With an API key (paid plans, unlimited scans):
claude mcp add sekrd -e SEKRD_API_KEY=your_key -- npx -y @sekrd/mcp-server
Claude Desktop
Add to your claude_desktop_config.json:
{
"mcpServers": {
"sekrd": {
"command": "npx",
"args": ["-y", "@sekrd/mcp-server"],
"env": {
"SEKRD_API_KEY": "your_key_here"
}
}
}
}
Cursor
Add to .cursor/mcp.json in your project root. This file will contain your API key, so keep it out of version control (add it to .gitignore):
{
"mcpServers": {
"sekrd": {
"command": "npx",
"args": ["-y", "@sekrd/mcp-server"],
"env": {
"SEKRD_API_KEY": "your_key_here"
}
}
}
}
API Key
- Without key: free scans per month subject to a per-IP rate limit
- With key: Unlimited scans on Pre-Launch and Continuous Pro plans — see pricing
Get your API key at Dashboard → Settings. Supply it through the SEKRD_API_KEY environment variable as shown above rather than pasting it into the assistant's chat, so it stays out of the conversation transcript.
Available Tools
| Tool | Description |
|---|---|
| scan_url(url) | Free security scan — submits URL and waits for results |
| deep_scan(url, api_key) | Authenticated deep scan with Supabase/Firebase audit |
| get_scan(scan_id) | Retrieve a scan result by ID |
| get_report(scan_id) | Formatted report with findings grouped by severity |
| list_findings(scan_id) | List findings with fix prompts |
Usage Example
Once installed, just ask your AI assistant:
Scan https://myapp.vercel.app for security issues
Without an API key this runs the 9 free external checks: secrets detection, dependency CVEs, DAST, Supabase RLS audit, Firebase rules, auth flow, payment security, cost exposure analysis, and GDPR compliance. With an API key, the deep_scan tool adds the connected Supabase/Firebase audits.
API Reference
All endpoints are served from your Sekrd instance. The default base URL is https://api.sekrd.com.
POST /api/v1/scan/url
Submit a URL scan. Without an Authorization header the request counts toward the free tier limit of 10 scans per IP per month; with a Bearer API key it counts against your plan's quota instead.
Request
curl -X POST https://api.sekrd.com/api/v1/scan/url \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_SEKRD_API_KEY" \
-d '{"url": "https://myapp.vercel.app"}'
Response
{
"scan_id": "abc123",
"status": "queued",
"poll_url": "/api/v1/scans/abc123"
}
GET /api/v1/scans/{id}
Poll scan status and results. Returns the full scan result when complete, including score, verdict, provider breakdown, findings, and fix prompts.
Request
curl https://api.sekrd.com/api/v1/scans/abc123
Response (scanning)
{
"scan_id": "abc123",
"status": "scanning",
"progress": "5/15 checks complete"
}
Response (complete)
{
"scan_id": "abc123",
"url": "https://myapp.vercel.app",
"status": "complete",
"score": 72,
"verdict": "SHIP",
"summary": "3 issues found across 15 checks",
"duration_ms": 12340,
"providers": {
"secrets": { "score": 0, "findings": 0 },
"dependencies": { "score": 15, "findings": 2 },
"dast": { "score": 10, "findings": 1 }
},
"findings": [
{
"id": "f1",
"severity": "high",
"provider": "dependencies",
"title": "Known CVE in lodash@4.17.20",
"description": "...",
"fix_prompts": {
"cursor": "...",
"claude_code": "...",
"lovable": "...",
"bolt": "..."
}
}
]
}
GET /api/v1/scans/{id}/report.pdf
Download the full PDF security report for a completed scan. Includes all findings, scores, and fix prompts in a printable format.
Request
curl -o report.pdf https://api.sekrd.com/api/v1/scans/abc123/report.pdf
GET /badge/{id}.svg
Returns an SVG security badge for the given scan. The badge color reflects the score verdict (green for SHIP, red for BLOCK).
Request
curl https://api.sekrd.com/badge/abc123.svg
Webhooks
Set up webhooks to get notified when scans complete. This is useful for CI/CD pipelines and continuous monitoring.
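Before wiring up push notifications, note that the API documented above is already enough for a synchronous CI gate. The following is an added example written for this page, not Sekrd's own tooling: it submits a scan, polls /api/v1/scans/{id} until status is complete, and exits non-zero on a BLOCK verdict or on findings at or above a severity threshold. SEKRD_API_KEY is the variable the MCP server already uses; SEKRD_FAIL_ON and the injectable fetchImpl/sleep parameters are this example's own.

```javascript
// Added example (not Sekrd's own code): a CI gate that submits a URL scan,
// polls until it finishes, and maps the result to an exit code. Endpoints,
// statuses and field names are those documented in the API Reference.
// SEKRD_API_KEY is the same variable the MCP server reads; SEKRD_FAIL_ON,
// fetchImpl and sleep are this example's own (the last two exist so the
// logic can be run against a fake transport offline).

const BASE_URL = 'https://api.sekrd.com';
const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

// POST /api/v1/scan/url. With an API key the scan counts against your plan;
// without one it counts against the free per-IP monthly limit.
async function submitScan(url, { apiKey, fetchImpl = globalThis.fetch } = {}) {
  const headers = { 'Content-Type': 'application/json' };
  if (apiKey) headers.Authorization = `Bearer ${apiKey}`;
  const res = await fetchImpl(`${BASE_URL}/api/v1/scan/url`, {
    method: 'POST', headers, body: JSON.stringify({ url }),
  });
  if (!res.ok) throw new Error(`submit failed: HTTP ${res.status}`);
  return res.json(); // { scan_id, status: "queued", poll_url }
}

const defaultSleep = ms => new Promise(resolve => setTimeout(resolve, ms));

// GET /api/v1/scans/{id} until status is "complete". Any status other than
// queued/scanning/complete is an error, not something to retry forever.
async function waitForScan(pollUrl, {
  fetchImpl = globalThis.fetch, sleep = defaultSleep, intervalMs = 5000, maxAttempts = 36,
} = {}) {
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = await fetchImpl(`${BASE_URL}${pollUrl}`);
    if (!res.ok) throw new Error(`poll failed: HTTP ${res.status}`);
    const body = await res.json();
    if (body.status === 'complete') return body;
    if (body.status !== 'queued' && body.status !== 'scanning') {
      throw new Error(`unexpected scan status: ${body.status}`);
    }
    await sleep(intervalMs);
  }
  throw new Error(`scan did not complete after ${maxAttempts} polls`);
}

// Deep scans carry a SHIP/BLOCK verdict; free scans do not (see Scoring).
// BLOCK always fails. Beyond that, fail on any finding at or above `failOn`,
// which is what gates a free scan. The default "critical" lets SHIP through
// unchanged, because SHIP already implies no critical findings.
function evaluate(result, { failOn = 'critical' } = {}) {
  if (result.verdict === 'BLOCK') return { pass: false, reason: 'verdict BLOCK' };
  if (!(failOn in SEVERITY_RANK)) throw new Error(`unknown severity threshold: ${failOn}`);
  const worst = (result.findings ?? []).reduce(
    (max, f) => Math.max(max, SEVERITY_RANK[f.severity] ?? 0), -1);
  if (worst >= SEVERITY_RANK[failOn]) {
    const name = Object.keys(SEVERITY_RANK).find(k => SEVERITY_RANK[k] === worst);
    return { pass: false, reason: `${name} finding at or above threshold "${failOn}"` };
  }
  return {
    pass: true,
    reason: result.verdict ? `verdict ${result.verdict}` : `no findings at or above "${failOn}"`,
  };
}

async function main(target) {
  const submitted = await submitScan(target, { apiKey: process.env.SEKRD_API_KEY });
  const result = await waitForScan(submitted.poll_url);
  const decision = evaluate(result, { failOn: process.env.SEKRD_FAIL_ON ?? 'critical' });
  console.log(`${result.url}: score ${result.score}, ${decision.reason}`);
  process.exit(decision.pass ? 0 : 1);
}

// Usage: SEKRD_API_KEY=... node sekrd-gate.js https://myapp.vercel.app
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  main(process.argv[2]).catch(err => { console.error(err.message); process.exit(1); });
}
```

With the default threshold the sample response above (score 72, SHIP, one high finding) passes; set SEKRD_FAIL_ON=high to fail the build on that finding instead. The poll loop gives up after 36 attempts at 5 seconds, which is comfortably above the 2-minute figure quoted in Getting Started.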
Vercel Deploy Hook
Trigger a Sekrd scan automatically every time you deploy to Vercel:
- Go to your Sekrd dashboard and copy your project webhook URL
- In Vercel, go to Project Settings → Git → Deploy Hooks
- Create a new hook and paste the Sekrd webhook URL
Webhook URL format
https://api.sekrd.com/api/v1/webhooks/deploy/{project_id}
Webhook Payload
When a scan completes, Sekrd sends a POST request to your configured webhook URL:
{
"event": "scan.complete",
"scan_id": "abc123",
"url": "https://myapp.vercel.app",
"score": 72,
"verdict": "SHIP",
"findings_count": 3,
"critical_count": 0,
"high_count": 1,
"timestamp": "2026-03-25T12:00:00Z"
}
The payload as documented carries no signature, so treat the receiving URL as a secret and validate the fields (event, scan_id) before acting on them. For anything that gates a deployment, fetch the authoritative result from GET /api/v1/scans/{scan_id} rather than trusting the pushed counts alone.
Badge
Show your security score in your README with the Sekrd verified badge. The badge updates automatically when you run new scans.
Markdown
Copy this into your README.md
[![Sekrd Security Score](https://api.sekrd.com/badge/YOUR_SCAN_ID.svg)](https://sekrd.com/report/YOUR_SCAN_ID)
HTML
Or use an HTML img tag
<a href="https://sekrd.com/report/YOUR_SCAN_ID">
<img src="https://api.sekrd.com/badge/YOUR_SCAN_ID.svg" alt="Sekrd Security Score" />
</a>
Replace YOUR_SCAN_ID with the scan ID from your latest scan. You can find this in the URL of your scan results page or in the API response.
Monitoring
Sekrd provides automated security monitoring for Pro subscribers. This includes scheduled re-scans (daily, weekly, or monthly), uptime monitoring, and instant alerts via email and Telegram.
Setup: Add the Monitoring Script
After creating a project in your dashboard, you'll get a unique script tag. Add it to your app's HTML. If your app ships a Content-Security-Policy, allow https://api.sekrd.com in script-src; the script also needs connect-src to cover the origin it reports errors and pageviews to (a missing entry shows up as a CSP violation in the browser console).
<script defer src="https://api.sekrd.com/monitor/YOUR_PROJECT_ID.js"></script>
Next.js (App Router)
// app/layout.tsx
import type { ReactNode } from 'react'
import Script from 'next/script'

export default function RootLayout({ children }: { children: ReactNode }) {
  return (
    <html>
      <head>
        <Script
          src="https://api.sekrd.com/monitor/YOUR_PROJECT_ID.js"
          strategy="afterInteractive"
        />
      </head>
      <body>{children}</body>
    </html>
  )
}
React (Vite / CRA)
Add to index.html before the closing </head> tag:
<script defer src="https://api.sekrd.com/monitor/YOUR_PROJECT_ID.js"></script>
What It Collects
- JS Errors — runtime errors and unhandled promise rejections
- Pageviews — URL and referrer (no cookies, no PII)
What It Does NOT Collect
- No cookies or tracking
- No personal data or user identifiers
- No DOM content or screenshots
The script is lightweight (under 2KB) and loads deferred, so it does not block rendering or interfere with your app.
Pro Features
- Uptime Monitoring — 5-minute health checks with downtime alerts
- Automated Re-scans — custom schedule: daily, weekly, or monthly
- CVE Scanning — detect new vulnerabilities on every re-scan
- Email + Telegram Alerts — instant notifications on score drops, new findings, downtime
Configure alerts in Dashboard → Settings. Connect Telegram with one click.
AI Security Review
AI Security Review performs a deep analysis of your scan results using advanced language models. It goes beyond pattern-matching rules to understand business context, identify attack chains, and provide prioritized recommendations.
What AI Review Adds
After a scan completes, click Run AI Review on the report page. The AI analyzes all findings together and returns:
- Executive Summary — plain-English overview for founders and non-technical stakeholders
- Risk Level — overall critical / high / medium / low assessment
- Attack Chains — how multiple findings combine into larger attacks (e.g. "leaked key + weak RLS = full database access")
- Additional Findings — logic flaws, IDOR, and business-context issues that rule-based scanners miss
- Prioritized Recommendations — top 3 actions to take, in order of impact
Limits
Pre-Launch Audit: 10 AI reviews (during the 7-day re-scan window). Continuous Pro: 100 AI reviews/month. Free plan: not available (upgrade to Pre-Launch or Continuous Pro).
Accuracy
AI findings are flagged as AI-generated and should be verified. The AI sees only the scan results, not your source code, so some findings may be speculative. Use AI Review as an additional signal alongside the deterministic rule-based scan, not as a replacement.
Scoring
The Sekrd Trust Score is a 0–100 composite score calculated from the findings of every security provider that ran (9 in a free scan, all 15 in a Deep Scan). A higher score means fewer and less severe vulnerabilities.
Verdict
Every Deep Scan produces a binary verdict based on the Trust Score and findings (free scans show a label instead; see Free Scan vs Deep Scan Verdict below):
| Verdict | Condition | Meaning |
|---|---|---|
| SHIP | Score ≥ 70, no critical findings | Safe to deploy. Fix remaining issues at your pace. |
| BLOCK | Score < 70 or any critical finding | Do not deploy. Fix critical issues first. |
How Deductions Work
Every scan starts at 100 points. Each finding deducts points based on its severity:
| Severity | Deduction |
|---|---|
| Critical | -25 points |
| High | -15 points |
| Medium | -8 points |
| Low | -3 points |
| Info | 0 points (informational only) |
Free Scan vs Deep Scan Verdict
Free scans run 9 of 15 checks (external only). Because they cannot test active vulnerabilities (XSS, CORS, rate limits, IDOR) or backend configuration, free scans do not give a SHIP/BLOCK verdict. Instead they show "No critical issues" or "Needs review" with a recommendation to run a deep scan before shipping. Only deep scans produce the full SHIP/BLOCK verdict.
Hard Blocks
Certain critical findings (exposed database credentials, admin panels without auth, etc.) are classified as hard blocks. A hard block forces the score to 0 regardless of other findings. This ensures that the most dangerous vulnerabilities cannot be masked by good scores elsewhere.
Provider Weights
All 15 checks contribute equally to the score. Findings from any provider are deducted from the same 100-point pool. The provider breakdown on your scan result shows the individual risk score per provider so you can see which area needs the most attention.
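As an added example (not Sekrd's implementation), the scoring rules above as one function: severity deductions from a shared 100-point pool, the clamp at 0, the hard-block override, the per-provider breakdown, and the SHIP/BLOCK verdict or free-scan label. Two details are this example's assumptions: a hard-block finding is represented as `hard_block: true`, and a free scan shows "Needs review" exactly when a deep scan would have said BLOCK (the page names the two labels but not the rule). The findings list is constructed, not from a real scan.

```javascript
// Added example (not Sekrd's own implementation): the Trust Score, verdict and
// hard-block rules from the Scoring tables as one function. Deductions and the
// 70-point threshold are the documented values. Assumptions of this example:
// a hard-block finding carries `hard_block: true`, and a free scan reads
// "Needs review" whenever a deep scan would have read BLOCK.

const DEDUCTIONS = { critical: 25, high: 15, medium: 8, low: 3, info: 0 };
const SHIP_THRESHOLD = 70;

function computeScore(findings, { deepScan = true } = {}) {
  let deducted = 0;
  let hardBlock = false;
  const providers = {};

  for (const f of findings) {
    const points = DEDUCTIONS[f.severity];
    if (points === undefined) throw new Error(`unknown severity: ${f.severity}`);
    // Equal provider weights: every finding draws from the same 100-point pool.
    deducted += points;
    if (f.hard_block) hardBlock = true;
    // Provider breakdown: "risk score" is the points that provider removed.
    const p = providers[f.provider] ?? (providers[f.provider] = { score: 0, findings: 0 });
    p.score += points;
    p.findings += 1;
  }

  // A hard block forces 0 regardless of anything else; otherwise the score
  // cannot go below 0 however many findings there are.
  const score = hardBlock ? 0 : Math.max(0, 100 - deducted);
  // Any critical finding blocks even when the score is still 70 or above.
  const hasCritical = findings.some(f => f.severity === 'critical');
  const wouldBlock = score < SHIP_THRESHOLD || hasCritical;

  const verdict = deepScan
    ? (wouldBlock ? 'BLOCK' : 'SHIP')
    : (wouldBlock ? 'Needs review' : 'No critical issues');

  return { score, verdict, hardBlock, providers };
}

// Constructed findings (not from a real scan) in the API response shape;
// provider and severity are the fields the score depends on.
const EXAMPLE_FINDINGS = [
  { id: 'f1', severity: 'high', provider: 'dependencies', title: 'Known CVE in a dependency' },
  { id: 'f2', severity: 'info', provider: 'dependencies', title: 'Outdated but unaffected package' },
  { id: 'f3', severity: 'medium', provider: 'dast', title: 'Missing security header' },
];

console.log(computeScore(EXAMPLE_FINDINGS));                                   // 77, SHIP
console.log(computeScore([...EXAMPLE_FINDINGS,
  { id: 'f4', severity: 'critical', provider: 'secrets' }]));                  // 52, BLOCK
console.log(computeScore([{ id: 'f5', severity: 'critical', provider: 'secrets' }])); // 75, BLOCK (critical)
console.log(computeScore([{ id: 'f6', severity: 'critical', provider: 'secrets', hard_block: true }])); // 0, BLOCK
```

The third call is the case worth remembering: a single critical finding leaves the score at 75, above the threshold, yet the verdict is still BLOCK because the "no critical findings" condition fails on its own.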
Account & Data
Account Deletion
You can delete your account at any time from Dashboard → Settings → Danger Zone → Delete Account. This permanently removes your account, all projects, scan history, and associated data. Active subscriptions are cancelled automatically. This action cannot be undone.
Data Export
Pro subscribers can export a compliance report (PDF) for any project from the project page. This includes all scan results, findings, and score history. For a full data export request, contact privacy@sekrd.com.
Cookies
Sekrd uses only essential cookies for authentication (NextAuth session token). We do not use tracking cookies, analytics cookies, or third-party advertising cookies. See our Privacy Policy for details.