Documentation

Everything you need to use PolyDefender

Getting Started

Create a Free Account

Sign up at vibescan.io/register. Every new account gets 1 free lifetime scan - no credit card required. See your full security score and severity breakdown. Upgrade to unlock step-by-step fix instructions.

Scan Your App

Go to Dashboard → New Scan. Paste your app's URL and click Scan. Results appear within 1–3 minutes depending on your app.

Read Your Report

Your security score is 0–100. Above 80 means you're in good shape. Below 60 means there are things that need fixing. Issues are sorted by urgency so you know where to start.

API Reference

Authentication

All API requests require an API key in the Authorization header: `Authorization: Bearer vsk_your_key_here`

Generate keys in Account Settings → API Keys.

POST /v1/scan

Start a new scan.

Request body:
{
  "url": "https://your-app.com",
  "modules": ["all"],
  "aggressive": false
}

`modules` is `["all"]` or a list of specific module names.

Returns: { "scan_id": "uuid", "status": "pending" }

GET /v1/scan/:id

Get scan status and results.

Returns the full scan object including security_score, summary, and all findings once complete.

Poll every 5 seconds until status is "completed" or "failed".

GET /v1/scan/:id/findings

Get paginated findings for a scan.

Query params:
- severity: critical|high|medium|low
- page: 1 (default)
- limit: 50 (default, max 100)

Returns: { findings: [...], total: N, page: N }

What We Check

Leaked Keys & Passwords

We look for API keys, passwords, and secret tokens that got left in your published app code. This includes OpenAI keys, Stripe keys, AWS credentials, Supabase keys, GitHub tokens, and database passwords. If found, anyone on the internet can use them.

Database Open to Anyone

We test whether your database (Supabase, Firebase, etc.) requires login to access. If not, any visitor could read, edit, or delete your users' data - emails, payments, private messages - without a password.

Browser Protections Missing

We check for 6 basic browser defenses your app should have. Without them, attackers can run malicious scripts in your users' browsers, steal their sessions, or hijack your app's pages.

AI Code Pattern Issues

We check for common mistakes AI tools make: login checks that only happen in the browser (easy to bypass), missing rate limits on your login form, sensitive data being logged, and file uploads with no type checking.

Code Injection Risks

We check if attackers can type malicious commands into your search boxes, login fields, or other inputs. This can expose your entire database or run malicious code on your server.

Fake & Malicious Packages

AI tools sometimes make up package names that don't exist. Attackers register those fake names with malware inside. We check every package your app uses against a list of known fake and malicious packages.

Outdated Software with Known Hacks

We detect your Next.js and React versions and check if they have known security holes that attackers already have tools to exploit. Keeping your frameworks updated closes these doors.

Hidden Info Leaks

We check if your app accidentally reveals things it shouldn't - like which software you're running, detailed error messages that help attackers, and mixed secure/insecure content.

Auto-Scan on Deploy

GitHub Actions Setup

# .github/workflows/vibescan.yml
name: PolyDefender Security Check
on:
  push:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run PolyDefender
        env:
          VIBESCAN_API_KEY: ${{ secrets.VIBESCAN_API_KEY }}
        run: |
          # Start the scan (POST /v1/scan) and keep its scan_id
          SCAN=$(curl -s -X POST https://vibescan.io/v1/scan \
            -H "Authorization: Bearer $VIBESCAN_API_KEY" \
            -H "Content-Type: application/json" \
            -d '{"url": "https://your-app.vercel.app"}')
          SCAN_ID=$(echo "$SCAN" | jq -r '.scan_id')
          if [ -z "$SCAN_ID" ] || [ "$SCAN_ID" = "null" ]; then
            echo "Could not start scan: $SCAN"
            exit 1
          fi
          # Poll GET /v1/scan/:id (24 x 10 s = 4 minutes) until completed or failed
          for i in {1..24}; do
            sleep 10
            RESULT=$(curl -s "https://vibescan.io/v1/scan/$SCAN_ID" \
              -H "Authorization: Bearer $VIBESCAN_API_KEY")
            STATUS=$(echo "$RESULT" | jq -r '.status')
            if [ "$STATUS" = "failed" ]; then
              echo "Scan failed"
              exit 1
            fi
            if [ "$STATUS" = "completed" ]; then
              SCORE=$(echo "$RESULT" | jq -r '.security_score')
              echo "Security score: $SCORE"
              # Block the deploy on any critical issue; a missing count is treated as 0
              CRITICAL=$(echo "$RESULT" | jq -r '.summary.critical // 0')
              if [ "$CRITICAL" -gt 0 ]; then
                echo "FAIL: $CRITICAL urgent issues found"
                exit 1
              fi
              exit 0
            fi
          done
          echo "Scan timed out"
          exit 1

Block Deployments on Urgent Issues

The GitHub Action above will automatically stop a deployment if PolyDefender finds urgent security issues. This means problems get caught before your users ever see them.

You can adjust the threshold - blocking only on urgent issues, or also on serious ones.
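The same polling, findings pagination and adjustable threshold, as an added example that is not PolyDefender's own SDK: it is written against the endpoints in the API Reference above, takes an injected `request(method, path)` callable instead of an HTTP library, and runs offline against a constructed `FakeApi`; `wait_for_scan`, `all_findings` and `should_block` are names chosen here.

```python
import time
# Added example, not PolyDefender's own SDK: the polling, pagination and deploy
# gate for the endpoints documented above. `request(method, path) -> dict` is
# injected so it runs offline against the constructed FakeApi (a real transport
# would add "Authorization: Bearer vsk_..." and call https://vibescan.io).

def wait_for_scan(request, scan_id, interval=5, timeout=300, sleep=time.sleep):
    # Poll GET /v1/scan/:id; "failed" ends the loop too instead of burning the timeout.
    for _ in range(max(1, timeout // interval)):
        scan = request("GET", f"/v1/scan/{scan_id}")
        if scan["status"] == "completed":
            return scan
        if scan["status"] == "failed":
            raise RuntimeError(f"scan {scan_id} failed")
        sleep(interval)
    raise TimeoutError(f"scan {scan_id} not finished after {timeout}s")

def all_findings(request, scan_id, severity=None, limit=100):
    # Walk GET /v1/scan/:id/findings page by page until `total` rows are collected.
    page, out = 1, []
    while True:
        query = f"?page={page}&limit={limit}" + (f"&severity={severity}" if severity else "")
        resp = request("GET", f"/v1/scan/{scan_id}/findings{query}")
        out.extend(resp["findings"])
        if not resp["findings"] or len(out) >= resp["total"]:
            return out
        page += 1

def should_block(summary, block_on=("critical",)):
    # Deploy gate over summary counts; ("critical", "high") also blocks on serious issues.
    return any(int(summary.get(sev) or 0) > 0 for sev in block_on)

class FakeApi:
    """Constructed stand-in for vibescan.io: pending twice, then completed."""
    def __init__(self):
        self.polls = 0
        self.rows = [{"severity": "critical", "title": "OpenAI key in client bundle"},
                     {"severity": "high", "title": "Content-Security-Policy header missing"},
                     {"severity": "medium", "title": "Server version header disclosed"}]
    def __call__(self, method, path):
        if path.startswith("/v1/scan/scan-123/findings?"):
            qs = dict(kv.split("=") for kv in path.split("?", 1)[1].split("&"))
            rows = [r for r in self.rows if qs.get("severity") in (None, r["severity"])]
            page, limit = int(qs["page"]), int(qs["limit"])
            return {"findings": rows[(page - 1) * limit:page * limit], "total": len(rows), "page": page}
        if path == "/v1/scan/scan-123":
            self.polls += 1
            return {"scan_id": "scan-123", "status": "completed" if self.polls >= 3 else "pending",
                    "security_score": 58, "summary": {"critical": 1, "high": 1, "medium": 1, "low": 0}}
        raise KeyError(path)
```

Swap `FakeApi` for a function that sends the request with your `vsk_` key and the three helpers work unchanged; pass `block_on=("critical", "high")` to `should_block` to also fail on serious issues.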

Need Help?

We reply to all support questions within 24 hours. No bots - a real person will help you.

Contact Support