How it works

PreFlight is a free in-browser security audit for AI-built apps. Open the page, point it at your code, read what it found, fix what matters. Nothing leaves your machine. This page is the full tour.

The three ways to scan

• GitHub URL. Paste github.com/<you>/<repo>.git. The browser fetches the public source directly from raw.githubusercontent.com. Private repos use a token you provide in Settings; it goes to GitHub, never to us.
• Local folder. Pick a directory. The File API reads it in the tab. The bytes never upload anywhere.
• Paste. Drop a single file or snippet in for a quick look.

Reading a finding

Each finding is one row: a severity chip, the category, the CWE id, and the title. Expand it for the evidence line, a short code snapshot, and the specific fix. The chips on the row tell you more at a glance:

• OWASP. The OWASP Top 10 / LLM category the pattern maps to.
• Confidence and fixability. Whether the match is deterministic or wants a glance, and whether the fix is a drop-in, a review, or architectural.
• MAPS TO. When the pattern touches a code-detectable regulatory clause (HIPAA, PCI-DSS, GDPR, SOC2), the framework shows here. It says "indicative" or "direct" and is an interpretation, never a certification.
• Breakers. Inside the expanded finding, the concrete adversarial input an attacker would type. Static strings with a copy button. PreFlight never runs them.
• Explain & Verify. An optional pass that uses your own AI key (BYOK) to talk through the finding. The key goes straight from the tab to your provider.
• Suppress. Mark a finding handled or not-applicable. The decision is keyed to a stable id so it survives reformatting and re-scans.

Coverage is scoped: not everything fires every time

PreFlight covers 14 languages. Every probe is scoped to the files and constructs it applies to. A Rust deserialization probe only looks at Rust; a Django setting probe only looks at Python config. On a single-language project the probes for other languages stay silent by design. You see signal for the code you actually wrote, not a wall of irrelevant checks.

The compliance lens

When a scan produces findings that map to a regulatory clause, a collapsible Regulatory mapping panel appears above the list. It rolls every mapping up by framework and clause so a non-coder can read the picture without opening 40 cards, and it exports a plain-text auditor handoff. It also states plainly what PreFlight does not scan. FERPA, SOX, FDA 21 CFR 11, FTC, and the EU AI Act are taught in the Learn pages, not detected, because they are not decidable from source code.

Learn

Every finding links to a write-up: what the pattern is, why AI emits it, what has gone wrong in the field, and how to fix it. The Learn tab also holds field reports on named incidents, the OWASP coverage map, a glossary, the Breakers catalogue, vetted external resources, and the compliance pages.

Re-scan, baseline, export

Scan the same source again and PreFlight shows the delta since last time: what is new, what is fixed, what is still open. Export the full result as JSON or Markdown, a PR comment, or an agent prompt. History and suppressions live in your browser only.

What it is not

• Static analysis only. It does not run your code or probe your endpoints.
• Not a certification, an SBOM, or a license tool. Those exist elsewhere.
• Not a replacement for professional review. It catches the class of failure someone assumed was already being watched.