The platform

Security built for apps built with AI.

Cursor, Lovable, v0 and Bolt ship working apps in minutes, and routinely leave keys in the browser, databases wide open and auth checks skipped. Opzyai catches those mistakes: a free Vibe Check of your live URL, then an optional deep scan of your repo, with every finding paired with a fix you can paste straight back into your AI editor.

Opzyai — security scanner for AI-built apps
How it works

From URL to fix, in plain English

No setup and no security degree. Paste a link, read real findings within seconds, then go deeper when you’re ready.

01

Paste your URL

No account, no install, no credit card. Just the link to your live app.

02

We probe what’s public

Opzyai reads your app the way an attacker's first pass would: the JS bundle, response headers, exposed files and API endpoints. It only reads what is already public; nothing is modified or exploited.

03

Launch Readiness score

A 0–100 score and a plain-English list of what’s exposed, ranked by how much it actually matters.

04

Paste-ready fixes

Every finding ships with a concrete fix written for your stack. Hand it to Cursor and ship the patch in minutes.

05

Connect your repo

Go deeper: git-history secrets, dependency CVEs and static analysis on the code itself — in a throwaway sandbox that’s deleted after.

06

Re-scan to prove it

Run it again and watch the finding close. Turn on monitoring to stay covered as you keep shipping.

See what you’re exposing

Exactly what’s leaking, in plain English

No CVE soup. Every finding tells you what’s exposed, why it matters, and what an attacker could actually do with it — in language you can act on without a security background.

  • Ranked by real-world impact, not raw severity
  • Plain-English explanations, zero jargon
  • A shareable Launch Readiness score
opzyai / findings
5 findings · ranked by exploitability · live
  • CRITICAL · SQL injection · semgrep
  • HIGH · Hardcoded AWS access key · gitleaks
  • HIGH · Vulnerable lodash 4.17.4 · trivy
  • MEDIUM · Missing security headers · web-http
  • LOW · Verbose error disclosure · nuclei
auto-triaged · de-duped across tools · 3 new since last deploy
Fix, don’t just flag

Fixes you can paste back into Cursor

Every finding comes with a concrete, copy-pasteable fix written for the way you build. Hand it to your AI editor and ship the patch in minutes, then re-scan to confirm it's closed. For a leaked secret the fix has two halves: move it out of the code, and rotate it, because deleting a key from source does not revoke it.

  • Developer-ready fix per finding
  • Tuned for AI-built stacks — Next.js, Supabase, Vercel
  • Re-scan to prove it’s actually fixed
opzyai / finding · remediation
HIGH · Hardcoded AWS access key · fix ready
// config/aws.ts
-const key = "AKIA3F9…Q7"
+const key = process.env.AWS_ACCESS_KEY_ID
compliance evidence · always current · SOC 2 · ISO 27001 · GDPR · OWASP
open risk ↓ trending down
Safe by construction

We can only scan what you own

The free Vibe Check only ever reads what your site already shows the public. Go deeper, and Opzyai re-verifies you own the target on every run — there is no override path in the code, and your code is cloned to a throwaway sandbox, then deleted.

  • Public scan touches only what’s already public
  • Ownership re-verified before every deep scan
  • Code cloned to a throwaway sandbox, then deleted
opzyai / scope guard
app.acme.com
verified
ownership re-verified on every run — no exceptions
  • Ownership verified · re-checked 2m ago
  • Authorization signed · owner@acme.com
  • Tenant isolation · row-level (RLS)
  • No override path · enforced in architecture
audit log · append-only
10:02:14 scan.authorized owner=verified
10:02:14 scope.locked sha256 0x9f3a…
10:02:15 run.started app.acme.com
What we catch

What AI coding tools quietly leave behind

Vibe-coding gets you to launch in a weekend. It also leaves a trail of security holes nobody is checking for — because there is no security team.

Keys in the browser

OpenAI, Anthropic and Stripe secret keys hardcoded into your client bundle, shipped to every visitor who opens dev tools. Moving a key into an environment variable does not help if the variable is prefixed NEXT_PUBLIC_ (or VITE_): those are inlined into the same bundle at build time.

A wide-open database

Exposed Supabase service-role keys, or tables with no row-level security: your users' data, readable by anyone. The anon key is meant to be public, but without RLS it reads and writes every table too; the service-role key bypasses RLS entirely and must stay server-side.

Exposed source & config

Public .env files, source maps and .git folders that hand attackers your code and credentials.

Unguarded endpoints

API routes with no auth check — anyone can call them, read other users’ data, or run up your AI bill.

Missing security headers

No CSP, permissive CORS, cookies set without Secure, HttpOnly or SameSite: the defaults your AI editor never set for you.

Secrets in git history

That key you deleted from the code is still sitting in an old commit, and unless you also rotated it, it still works. Connect your repo and we'll find it.
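The unguarded endpoint from the list above beside the fix a scanner would hand back, as an added example that is not Opzyai's code. The notes, the bearer tokens and the session lookup are constructed stand-ins (a real app resolves the token with its auth provider), callModel is a hypothetical placeholder for the server-side OpenAI or Anthropic call, and the quota of three calls is illustrative. The handlers take plain request objects so the example runs anywhere; in a Next.js route handler the same checks go at the top of GET/POST.

```javascript
// Added example, not Opzyai's code: the "unguarded endpoint" pattern next to
// its fix. Framework-free request/response objects so it runs under plain node.

// Constructed data: two users, one private note each.
const NOTES = [
  { id: "n1", ownerId: "u1", text: "u1's private note" },
  { id: "n2", ownerId: "u2", text: "u2's private note" },
];

// Constructed session store (hypothetical). A real app resolves the bearer
// token with its auth provider, e.g. supabase.auth.getUser(token); it never
// trusts a user id supplied by the client.
const SESSIONS = { "tok-u1": { id: "u1" }, "tok-u2": { id: "u2" } };

// What AI editors often generate: no auth check, so any caller reads any row.
function getNoteInsecure(req) {
  const note = NOTES.find((n) => n.id === req.query.id);
  return note ? { status: 200, body: note } : { status: 404, body: { error: "not found" } };
}

// Resolve the caller from "Authorization: Bearer <token>"; null if absent or invalid.
function currentUser(req) {
  const [scheme, token] = (req.headers.authorization ?? "").split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return SESSIONS[token] ?? null;
}

// Fixed: authenticate, then authorize against the row's owner. This is the
// server-side twin of a Supabase RLS policy such as `owner_id = auth.uid()`.
function getNoteSecure(req) {
  const user = currentUser(req);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  const note = NOTES.find((n) => n.id === req.query.id);
  // 404 rather than 403, so the response does not confirm another user's id exists.
  if (!note || note.ownerId !== user.id) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: note };
}

// The same fix on an AI proxy route (the "run up your AI bill" case): require
// a user, then cap calls per user. In-memory counter for illustration only;
// use your database or a rate-limit service in production.
const CALLS_PER_USER = new Map();
const MAX_CALLS = 3; // illustrative quota

function aiProxySecure(req, callModel) {
  const user = currentUser(req);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  const used = CALLS_PER_USER.get(user.id) ?? 0;
  if (used >= MAX_CALLS) return { status: 429, body: { error: "quota exceeded" } };
  CALLS_PER_USER.set(user.id, used + 1);
  // callModel is a hypothetical stand-in for the OpenAI/Anthropic SDK call,
  // made server-side with a key that never reaches the browser.
  return { status: 200, body: { answer: callModel(req.body.prompt) } };
}

// Constructed demo requests.
const anonymous = { headers: {}, query: { id: "n2" }, body: {} };
const asU1 = (id) => ({ headers: { authorization: "Bearer tok-u1" }, query: { id }, body: { prompt: "hi" } });

console.log("insecure, no token:", getNoteInsecure(anonymous).status); // leaks u2's note
console.log("secure, no token:  ", getNoteSecure(anonymous).status);
console.log("secure, u1 -> n2:  ", getNoteSecure(asU1("n2")).status);
```

The insecure handler hands u2's note to an anonymous caller; the fixed one returns 401 without a token and 404 when u1 asks for u2's row, and the proxy route refuses a fourth call from the same user.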

Capabilities

Free Vibe Check, then a deeper repo scan

The public scan needs only your URL. Connect a repo and the deep scan reaches the code, history and dependencies behind it.

Leaked-key scan

Finds API keys for OpenAI, Anthropic, Stripe and Supabase hardcoded into the JavaScript you ship to the browser.

Exposed-file checks

Flags public .env files, source maps and .git folders that hand attackers your code and credentials.

Headers & CORS

Catches the missing CSP, the permissive CORS policy and the cookies set without Secure, HttpOnly or SameSite that your AI editor never set for you.

Git-history secrets

Connect your repo to find secrets still sitting in old commits, including ones you removed from the code but never rotated.

Dependency CVEs

Known-vulnerable packages and supply-chain risk in your dependencies, continuously watched.

Re-scan & monitor

Re-scan to confirm a fix landed, and get alerted the moment a new deploy exposes something.
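The public-side checks that step 02 and the Leaked-key scan, Exposed-file checks and Headers & CORS capabilities above describe, as an added example that is not Opzyai's code and not taken from the scanners it orchestrates. It runs over a constructed response object (headers, JS bundle text, probe results) so it works offline; the key prefixes are the real provider formats, the Supabase JWT is built inside the code so it decodes to role=service_role without being anyone's credential, and the score weighting is illustrative.

```javascript
// Added example, not code from Opzyai or the scanners it orchestrates.
// Passive "what's public" checks over an already-fetched response: secrets in
// the JS bundle, header and cookie hygiene, and exposed-file probes. Input is a
// constructed response object so it runs offline; real fetch() results map
// onto the same shape.

const SEVERITY = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1 };

// Real key prefixes for the providers named on the page. Anthropic runs before
// OpenAI because both start with "sk-". Stripe pk_ keys are publishable and
// are deliberately not flagged.
const SECRET_PATTERNS = [
  { name: "Anthropic API key", severity: "HIGH", re: /\bsk-ant-[A-Za-z0-9_-]{20,}/g },
  { name: "OpenAI API key",    severity: "HIGH", re: /\bsk-(?!ant-)[A-Za-z0-9_-]{20,}/g },
  { name: "Stripe secret key", severity: "HIGH", re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}/g },
  { name: "AWS access key ID", severity: "HIGH", re: /\bAKIA[0-9A-Z]{16}\b/g },
];

// Supabase keys are JWTs. The anon key is designed to be public (safe only
// with RLS on); the service_role key bypasses RLS and must never ship.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function jwtRole(token) {
  try {
    const payload = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
    return JSON.parse(Buffer.from(payload, "base64").toString("utf8")).role ?? null;
  } catch { return null; }
}

const redact = (s) => `${s.slice(0, 8)}…${s.slice(-4)}`;

function scanBundle(js) {
  const out = [];
  for (const p of SECRET_PATTERNS)
    for (const m of js.matchAll(p.re))
      out.push({ severity: p.severity, title: `${p.name} in client bundle`, evidence: redact(m[0]) });
  for (const m of js.matchAll(JWT_RE)) {
    const role = jwtRole(m[0]);
    if (role === "service_role")
      out.push({ severity: "CRITICAL", title: "Supabase service_role key in client bundle", evidence: redact(m[0]) });
    else if (role === "anon")
      out.push({ severity: "LOW", title: "Supabase anon key in client bundle (expected; relies on RLS)", evidence: redact(m[0]) });
  }
  return out;
}

function scanHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const out = [];
  if (!h["content-security-policy"]) out.push({ severity: "MEDIUM", title: "No Content-Security-Policy" });
  if (!h["strict-transport-security"]) out.push({ severity: "LOW", title: "No Strict-Transport-Security" });
  // "*" is the lazy default. Origin reflection with credentials is worse, but
  // proving it needs a second request carrying a foreign Origin header.
  if (h["access-control-allow-origin"] === "*") out.push({ severity: "MEDIUM", title: "CORS allows any origin" });
  for (const c of [].concat(h["set-cookie"] ?? [])) {
    const [nameValue, ...attrs] = c.split(";").map((s) => s.trim());
    const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
    const missing = ["secure", "httponly", "samesite"].filter((f) => !flags.has(f));
    if (missing.length) out.push({ severity: "MEDIUM", title: `Cookie ${nameValue.split("=")[0]} missing ${missing.join(", ")}` });
  }
  return out;
}

// SPA hosts (Next.js on Vercel included) answer unknown paths with 200 and the
// app shell, so a 200 alone proves nothing: the body has to look like the file.
function classifyProbe(path, status, body) {
  if (status !== 200) return null;
  if (path.endsWith(".env") && /^[A-Z_][A-Z0-9_]*=.+$/m.test(body))
    return { severity: "CRITICAL", title: `${path} is public and contains KEY=VALUE lines` };
  if (path.endsWith(".git/HEAD") && /^ref: refs\//.test(body))
    return { severity: "HIGH", title: ".git directory is public (HEAD readable)" };
  if (path.endsWith(".map") && body.includes('"sourcesContent"'))
    return { severity: "MEDIUM", title: `Source map ${path} ships original source` };
  return null;
}

// Rank, de-duplicate and score. The penalty weights are illustrative, not Opzyai's.
function vibeCheck(site) {
  const all = [
    ...scanBundle(site.bundle),
    ...scanHeaders(site.headers),
    ...site.probes.map((p) => classifyProbe(p.path, p.status, p.body)).filter(Boolean),
  ];
  const seen = new Set();
  const findings = all
    .filter((f) => { const k = `${f.severity}|${f.title}|${f.evidence ?? ""}`; return seen.has(k) ? false : seen.add(k); })
    .sort((a, b) => SEVERITY[b.severity] - SEVERITY[a.severity]);
  const penalty = { CRITICAL: 25, HIGH: 15, MEDIUM: 5, LOW: 1 };
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + penalty[f.severity], 0));
  return { score, findings };
}

// Constructed sample: no real keys, no real host. The JWT is built here so it
// decodes to role=service_role without being anyone's credential.
const b64url = (s) => Buffer.from(s).toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
const FAKE_SERVICE_ROLE_JWT = `${b64url('{"alg":"HS256","typ":"JWT"}')}.${b64url('{"iss":"supabase","role":"service_role"}')}.fakesig`;
const SAMPLE_SITE = {
  headers: { "Content-Type": "text/html", "Set-Cookie": ["session=abc123; Path=/"] },
  bundle: `new Anthropic({apiKey:"sk-ant-api03-CONSTRUCTEDKEY00000000000"});` +
    `createClient(URL,"${FAKE_SERVICE_ROLE_JWT}");const pk="pk_live_CONSTRUCTED000000000";`,
  probes: [
    { path: "/.env", status: 200, body: "DATABASE_URL=postgres://...\nOPENAI_API_KEY=REDACTED\n" },
    { path: "/.git/HEAD", status: 200, body: "ref: refs/heads/main\n" },
    { path: "/does-not-exist", status: 200, body: "<!doctype html><div id=__next></div>" },
  ],
};

console.log(JSON.stringify(vibeCheck(SAMPLE_SITE), null, 2));
```

Run it with node; the sample site scores 9 with seven findings, the two CRITICAL ones (service_role key in the bundle, readable .env) ranked first, while the SPA fallback page and the publishable Stripe key produce nothing. Reading the probe body rather than trusting the status code is what keeps the exposed-file check from firing on every Vercel-hosted app.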

Under the hood

Powered by the scanners security pros already trust

Opzyai doesn’t reinvent detection — it coordinates best-in-class open-source engines, runs them safely, and turns their noisy output into a short list of plain-English, ranked findings you can act on without a security background.

Not affiliated with the OSS projects it orchestrates.

nuclei
OSV.dev
Semgrep
Trivy
gitleaks
HTTP/header checks

See what your app is leaking — free.

Paste your URL, get a Launch Readiness score in seconds, and a fix for everything we find. No account required.