Pre-launch security scanner that runs 100% offline — source code never leaves your machine. 16 scanners, 900+ checks across hardcoded secrets, AI-generated code patterns (the Vibe Code Pack), OWASP Top 10, infrastructure-as-code, and git history. Browser tier free forever; Pro desktop ($49) unlocks every finding. Built by The IOn Project.
Every scan runs the full catalogue across your code, configs, and commit history. The output is always one of two things — Ship It or Not Ready.
AWS keys, Stripe tokens, GitHub PATs, OpenAI keys, JWT secrets, PEM blocks, database URLs with embedded creds. 50+ provider patterns plus entropy detection for unknown formats.
The AI-generated vulnerability patterns that ship most often: "// TODO: add auth" comments left in place, hardcoded passwords masquerading as placeholders, console.log of sensitive data, and auth checks without await.
Every commit. Every stash. Catches secrets that were committed once, then "removed" — but they're still there in the history forever, accessible to anyone with clone access.
Tree-sitter structural analysis across 7 languages — JS, TS, Python, Java, Go, Ruby, PHP. SQL injection, command injection, XSS, SSRF, deserialization, broken access control.
Express, Next.js, Django, Flask, Rails, Laravel, React, Vue. Catches DEBUG=True in prod, NEXT_PUBLIC_ secrets, missing CSRF, dangerouslySetInnerHTML with user data, the classics.
Dockerfile, docker-compose, Terraform, GitHub Actions, Nginx. Plus 30+ deploy-readiness checks — TLS enforcement, DB SSL, K8s probes, healthcheck endpoints, env-var hygiene.
Auto-discovers every route in your codebase. Per-route check for auth middleware, input validation, rate limiting, CORS posture, and error handling. Find the unprotected admin route before someone else does.
iOS: ATS, keychain, UIWebView, SSL pinning. Service workers: scope and cache poisoning. GraphQL: introspection, depth limits, resolver auth. Plus email security and accessibility.
GDPR, CCPA, App Store ATT, Google Play Data Safety. PII-in-logs detection. Catches what your legal team will catch later — except now you have time to fix it.
Browser scanner: drop a folder or zip. Desktop: pick any directory on disk. Nothing uploads. Your code never crosses to a server — verifiable in DevTools.
Browser tier scans 109 patterns in under a minute. Desktop runs all 16 scanners and 900+ checks against 10k files in under 45 seconds — Rayon parallel, Rust-powered.
A–F grade, severity counts, and one of two binary verdicts: SHIP IT or NOT READY. Top 3 priorities surfaced first. Fix list ranked by severity divided by effort.
Every scan ends with a verdict. Either you can ship, or you can't. Gated on zero critical findings. No "moderate risk" non-answers.
Grade, verdict, and your top finding — always free, no trial caps. Pro unlocks every finding, Fix This First, scan diff, and full history.
You shipped fast with AI help. Now you want to know what slipped through. The Vibe Code Pack catches the patterns Cursor, Copilot, and Claude generate when they're guessing — TODO-auth, fake placeholders, missing awaits.
No security team to bug. No budget for SOC2-grade tooling. You need a fast, honest "ship or not" answer the day before launch — and a fix list ranked by severity-divided-by-effort so you spend your last 24 hours on what actually matters.
Five seats, shared suppressions committed in Git, branded PDFs for the post-mortem. Run it as the last step of your release checklist. Run it again post-launch as a regression gate.
SSO, audit logs, SOC2 / ISO 27001 / HIPAA mapping, SBOM generation, SARIF for GitHub Security. Business and Enterprise tiers. Self-hosted everything; nothing leaves your infra.
Most security tools either upload your code, hide their disclaimer in fine print, or do both. IOnclad inverts that.
Open DevTools → Network → run a scan → confirm zero requests. Your code never reaches our servers because we don't have servers. Browser scanner is static HTML+JS on Cloudflare; desktop is Tauri+Rust on disk.
Every scan results page shows the same disclaimer about scope: we cover known patterns and common misconfigurations, not a comprehensive pen test. No fine print. The honest framing is the brand position.
The grade and verdict are always free, no trial caps, no email walls. You pay for the workflow depth — full findings, Fix This First, history, diff. Conversion happens because you want depth, not because you can't see basics.
Most security tools assume you've already shipped and are firefighting. IOnclad runs at the moment when fixing is cheapest — before launch. Plus a Post-Launch mode that escalates secret-leakage severity (because once committed, it's worse).
Most scanners look at HEAD. Real attackers look at git log -p --all. We walk every commit and every stash with libgit2, then run the same secret patterns against the diffs.
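The history walk and secret matching described above, as an added example in Python that is not IOnclad's own code: it scans constructed `git log -p --all` output (added and removed lines alike, since a secret deleted later is still in history), matches a few provider patterns, falls back to Shannon entropy for unknown formats, and applies the zero-critical gate. The pattern set, the 4.0 bits/char threshold and the sample values are assumptions.

```python
import math
import re
from collections import Counter

# A small subset of the kind of provider catalogue the page describes (assumed patterns).
PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "url_with_credentials": re.compile(r"[a-z]+://[^:/\s]+:[^@\s]+@[^\s\"']+"),
}
# Fallback for unknown formats: any quoted token of 20+ chars is a candidate for the entropy check.
QUOTED_TOKEN = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")

def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores well above 4.0, placeholders far below."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def scan_history(diff_text: str, entropy_threshold: float = 4.0) -> list[dict]:
    """Walk `git log -p --all` text; both + and - lines are scanned because removal never erases history."""
    findings, commit = [], None
    for line in diff_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        if line[:1] not in ("+", "-") or line.startswith(("+++", "---")):
            continue  # commit headers, context lines and file headers carry nothing new
        body, removed = line[1:], line.startswith("-")
        hits = [(name, m.group(0)) for name, rx in PATTERNS.items() for m in rx.finditer(body)]
        if not hits:  # no known provider matched: fall back to the entropy heuristic
            hits = [("high_entropy", t) for t in QUOTED_TOKEN.findall(body)
                    if shannon_entropy(t) >= entropy_threshold]
        for kind, secret in hits:
            findings.append({"commit": commit, "kind": kind, "severity": "critical",
                             "removed_from_head": removed, "secret": secret[:6] + "..."})
    return findings

def verdict(findings: list[dict]) -> str:
    """Binary verdict gated on zero critical findings."""
    return "NOT READY" if any(f["severity"] == "critical" for f in findings) else "SHIP IT"

# Constructed sample of `git log -p --all` output; values are documented examples, not live credentials.
SAMPLE_HISTORY = """\
commit 1111111 (constructed)
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_URL = "postgres://app:hunter2@db.internal:5432/prod"
commit 2222222 (constructed)
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+SIGNING_SALT = "q7Zt3nVx9LpW2kYs8mBd4HcJ6fRg1eAu"
+SECRET_KEY = "change-me-change-me-change-me"
"""
```

The "change-me" placeholder passes the entropy heuristic on purpose; catching it is the job of a separate placeholder pattern, as the Vibe Code Pack does.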
Ed25519 offline license validation. No phone-home. The auto-updater is opt-out. When disabled, the desktop app makes zero network calls, ever. Compliance teams can verify in the app's privacy page.
These checks cover known vulnerability patterns and common misconfigurations. They do not constitute a comprehensive penetration test, security certification, or guarantee against all possible attack vectors. Users remain responsible for their own security posture, including secure coding practices, ongoing monitoring, and professional security review where appropriate.
Your code never leaves your machine. Free verdict, no signup, no email wall.
Windows · macOS & Linux coming soon