Built it with Lovable, Bolt, Replit, Cursor, or v0? Check the launch risks first.
Before real users touch your app, TaskBounty reviews your public repo's GitHub Actions and CI/security hygiene, then helps turn findings into reviewed fixes. For private repos, your source stays in your environment.
Public data only. No app is run and no workflow is triggered. Sensitive candidates are never published.
Prefer to check it yourself first? Grab the copy-paste security prompts. Need the full launch flow? Use the pre-launch checklist.
Check a repo from your terminal
npx taskbounty-check@latest .
Runs locally and checks GitHub Actions + CI hygiene. It writes a local report and does not upload source code or workflow contents.
Want it inside your workflow? Copy the Cursor, Claude, Codex, and GitHub Actions snippets.
It is not a full app security audit: secrets, auth, payments, webhooks, and runtime behavior still need a manual review. For help turning findings into fixes, request a confidential review.
The free check is public-repos only. For private repos we run a confidential review — your choice of method.
What this check covers
- Third-party actions pinned to a movable tag, broad workflow token permissions, and missing permissions blocks.
- Whether Dependabot or Renovate is keeping your CI dependencies current.
- Workflow patterns whose security implications depend on context — flagged for a private review, never published.
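The first of the points above covers three concrete, mechanically checkable conditions. The Node.js scanner below is an added example, not TaskBounty's code and not what `taskbounty-check` runs; it shows how those conditions can be read off a workflow file without a YAML library, using indentation to tell a top-level `permissions:` key from a per-job one, and it labels results with the same three labels the report uses. The two workflow files are constructed samples, the 40-hex commit SHA in the hardened one is a placeholder rather than a real commit, and the function names are this example's own.

```javascript
// Added example: a line-based scanner for GitHub Actions workflow hygiene.
// Flags (1) `uses:` references pinned to a movable ref instead of a full
// commit SHA, (2) a missing top-level `permissions:` block, and (3) broad
// token permissions (`write-all` or write scopes at workflow level).

const SHA_RE = /^[0-9a-f]{40}$/i;

// Every `uses:` reference whose ref after `@` is not a 40-hex commit SHA.
function findMovableActionRefs(workflowText) {
  const findings = [];
  for (const line of workflowText.split('\n')) {
    const m = line.match(/^\s*-?\s*uses:\s*['"]?([^'"#\s]+)/);
    if (!m) continue;
    const ref = m[1];
    if (ref.startsWith('./') || ref.startsWith('docker://')) continue; // local action or image
    const at = ref.lastIndexOf('@');
    if (at === -1) { findings.push({ action: ref, ref: '(none)' }); continue; }
    const version = ref.slice(at + 1);
    if (!SHA_RE.test(version)) findings.push({ action: ref.slice(0, at), ref: version });
  }
  return findings;
}

// Top-level permissions: `permissions:` at column 0 is workflow-wide;
// an indented one belongs to a job and is ignored here.
function topLevelPermissions(workflowText) {
  const lines = workflowText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const m = lines[i].match(/^permissions:\s*(.*)$/);
    if (!m) continue;
    const inline = m[1].replace(/#.*/, '').trim(); // e.g. write-all, read-all, {}
    if (inline) return { present: true, value: inline, scopes: {} };
    const scopes = {};
    for (let j = i + 1; j < lines.length; j++) {
      const s = lines[j].match(/^\s+([a-z-]+):\s*(read|write|none)\b/);
      if (!s) break; // end of the indented block
      scopes[s[1]] = s[2];
    }
    return { present: true, value: 'block', scopes };
  }
  return { present: false, value: 'missing', scopes: {} };
}

// Combined assessment, labelled the way the report labels findings.
function assessWorkflow(workflowText) {
  const findings = [];
  for (const f of findMovableActionRefs(workflowText)) {
    findings.push({ label: 'observed fact', msg: `${f.action} pinned to movable ref "${f.ref}"; pin to a full commit SHA` });
  }
  const perms = topLevelPermissions(workflowText);
  if (!perms.present) {
    findings.push({ label: 'recommended practice', msg: 'no top-level permissions block; the token gets the repository default' });
  } else if (perms.value === 'write-all') {
    findings.push({ label: 'observed fact', msg: 'top-level permissions: write-all grants every scope to every job' });
  } else {
    const writes = Object.entries(perms.scopes).filter(([, v]) => v === 'write').map(([k]) => k);
    if (writes.length) findings.push({ label: 'candidate to review', msg: `write scopes granted workflow-wide: ${writes.join(', ')}` });
  }
  return findings;
}

// Constructed sample: the weak form of a CI workflow.
const WEAK_WORKFLOW = [
  'name: ci',
  'on: [push, pull_request]',
  'permissions: write-all',
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - uses: some-org/publish-action@main',
  '      - run: npm test',
].join('\n');

// Constructed sample: the hardened form. The SHA is a placeholder, not a real commit.
const HARDENED_WORKFLOW = [
  'name: ci',
  'on: [push, pull_request]',
  'permissions:',
  '  contents: read',
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    permissions:',
  '      contents: read',
  '    steps:',
  '      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)',
  '      - run: npm test',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, wf] of [['weak', WEAK_WORKFLOW], ['hardened', HARDENED_WORKFLOW]]) {
    console.log(`${name}:`, assessWorkflow(wf));
  }
}

module.exports = { findMovableActionRefs, topLevelPermissions, assessWorkflow, WEAK_WORKFLOW, HARDENED_WORKFLOW };
```

Run it with `node scan.js` against the two embedded samples: the weak workflow yields two movable-ref findings plus the `write-all` finding, the hardened one yields none. The scanner deliberately reads only the file text, mirroring the public check's stance that no workflow is triggered and no app is run.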
What it does not check (yet)
We only claim what we actually test. This public check does not look at:
- Exposed secrets in your code (run the local check for that — source never leaves your machine).
- Auth, payment, and webhook logic — these need a manual review, which we recommend before launch.
- Runtime behavior or live endpoints. This reads public repo configuration only; no app is run and no workflow is triggered.
Need a private-repo review where source never leaves your machine? See the confidential review.
What you receive
- A plain-language launch-readiness summary of what was reviewed.
- Findings grouped by category, with the evidence we observed.
- Honest labels: observed fact, candidate to review, or recommended practice. Nothing is called a confirmed vulnerability.
- A shareable report link. Reports are unlisted by default.
Turn findings into fixes
After you authorize a deeper review, we confirm scope, privately review any sensitive candidates, and propose focused changes as reviewable pull requests for your approval. Nothing is opened or changed automatically. See Security Hardening and the methodology for our safety boundaries.