Common questions before you upload

Upload a clean source archive for the project you want checked. Leave out dependency folders, generated build output, logs, local caches, .env files, secrets, and credentials.

Uploaded files are stored as private objects with server-generated names and automatically deleted after 7 days. The zip is not placed behind a public URL, and access is limited to the review workflow.

Yes. A verified account gets 2 free automated security score scans. The free result shows your score and launch-risk level, plus any leaked secrets and your critical and high-risk findings — with their location and how to fix them — in My Page. The full medium/low list, evidence, a verified badge, and a re-scan come with the Full Report.

Full Report is $19 during early access (regularly $29). After you buy and upload a zip, our scanner generates your full report instantly and automatically — every detected issue with its affected file, supporting evidence, and fix guidance, plus your score, risk level, and signal breakdown. It is a fully automated digital product with no human involvement, and includes one automated re-scan within 30 days. Automated analysis can include false positives, so it flags risk areas rather than certifying your app.

Yes. Auth, admin routes, user data access, file uploads, secrets, abuse controls, and production settings can matter before payments exist.

We queue the analysis and send an email confirming the upload. When your automated score or Full Report is ready, we email you again and point you back to My Page.

Not on the current self-serve plans. Free Security Score and Full Report are for private scoring and prioritization, not public certification.

The Full Report is generated and delivered instantly on upload, so once you have used your purchase to generate a report, it is not refundable. If you have not yet used your purchase, contact us to cancel for a refund.