Replit security scan
Scan your Replit app for exposed keys and open databases
Apps deployed from Replit often ship with a secret in the client or an environment file that is reachable from the outside. The scan checks what a stranger can already pull from your live app.
A sample of what you might see
A request to /.env returned environment variables, which can include database URLs and secrets.
{ "DATABASE_URL": "postgres://•••" }
Illustrative, redacted. We never store your data.
It is read-only: it reads only what a browser downloads and checks your database access from the outside.
Supports JavaScript and TypeScript apps today. The scan is passive and outside-in. See how the scanner stays safe.
Questions
Is the scan safe for my Replit app?
Yes. It is read-only and outside-in, never logs in and never writes. See the scanner-safety page.
Do you need my Replit account?
No. Paste the deployed app URL and confirm you own it.
Which check do I need?
Check my live app
Scan a deployed URL for what it leaks to any visitor: exposed keys, open databases, reachable files.
Free instant scan →
Check my repo / CI hygiene
Review your GitHub Actions and repository config for security gaps in how you build and ship.
Repo & CI check →
Get it fixed
We verify the issues, fix them, and prove the fix in a reviewable pull request.
See packages →