Source map leak scanner
Check if your app is publishing source maps that reveal your code
Source maps make debugging easier, but if they ship to production they let anyone reconstruct your original source, including comments and any secret that was hard-coded.
A sample of what you might see
A .js.map file is publicly reachable, so your original source can be reconstructed by anyone.
{ "file": "main.•••.js.map", "reachable": true }
Illustrative, redacted. We never store your data.
The scan checks whether your bundle references reachable .map files. It reads only what is already public.
The scan covers JavaScript and TypeScript apps today. It is passive and outside-in.
Questions
Are source maps always a problem?
Not always, but shipping them to production is usually unintended and can leak code and secrets. The safe default is to not publish them.
How do I stop publishing source maps?
It is a build-config change for most frameworks. We can make and prove that change in a reviewable pull request.
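A check you could run over your own build output before deploying, as an added example that is not the scanner's own code: it finds a bundle's `sourceMappingURL` comment and reports how many original files the map embeds in `sourcesContent`. The helper names, file names, and the sample bundle and map are constructed for illustration; handling inline `data:` maps goes beyond the external `.map` case described above.

```javascript
// Added example: audit a built bundle and its source map before deploy.
// Find the last sourceMappingURL comment (//# or legacy //@, or /*# for CSS).
function findMapReference(bundleText) {
  const re = /(?:\/\/|\/\*)[#@]\s*sourceMappingURL=([^\s'"*]+)/g;
  let match, last = null;
  while ((match = re.exec(bundleText)) !== null) last = match[1];
  return last;
}

// readMap(name) returns the map file's text, or null if it is not in the build output.
function auditBundle(bundleText, readMap) {
  const ref = findMapReference(bundleText);
  if (ref === null) return { referencesMap: false, findings: [] };
  const findings = [];
  let mapJson;
  if (ref.startsWith("data:")) {
    // Inline map: the whole map travels inside the bundle itself.
    findings.push("inline source map embedded in bundle");
    const payload = ref.slice(ref.indexOf(",") + 1);
    mapJson = ref.includes(";base64,")
      ? Buffer.from(payload, "base64").toString("utf8")
      : decodeURIComponent(payload);
  } else {
    findings.push(`bundle references external map: ${ref}`);
    mapJson = readMap(ref);
  }
  if (mapJson == null) return { referencesMap: true, ref, findings, sources: [], embedded: 0 };
  const map = JSON.parse(mapJson);
  const sources = map.sources || [];
  // sourcesContent carries the original files verbatim, comments included.
  const embedded = (map.sourcesContent || []).filter((c) => typeof c === "string").length;
  if (embedded > 0) findings.push(`${embedded} of ${sources.length} original files embedded in sourcesContent`);
  return { referencesMap: true, ref, findings, sources, embedded };
}

// Constructed sample build output (not real project files or keys).
const sampleMap = JSON.stringify({
  version: 3,
  file: "main.js",
  sources: ["src/api.ts", "src/app.ts"],
  sourcesContent: ["// TODO rotate\nconst KEY = 'EXAMPLE-NOT-A-REAL-KEY';\n", "import './api';\n"],
  mappings: "AAAA",
});
const sampleBundle = 'console.log("app");\n//# sourceMappingURL=main.js.map\n';
const buildOutput = { "main.js.map": sampleMap };
const report = auditBundle(sampleBundle, (name) => buildOutput[name] ?? null);
console.log(report.findings.join("\n"));
```

In CI, a non-empty `findings` array for any production bundle can be treated as a failed check.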
Which check do I need?
Check my live app
Scan a deployed URL for what it leaks to any visitor: exposed keys, open databases, reachable files.
Check my repo / CI hygiene
Review your GitHub Actions and repository config for security gaps in how you build and ship.
Get it fixed
We verify the issues, fix them, and prove the fix in a reviewable pull request.