Question 1

Does PreFlight send my source code to a server?

Accepted Answer

No. All scanning happens in your browser tab. When you select files or a folder, contents are read locally with the File API and never uploaded. When you scan a public GitHub URL, the tool fetches raw blobs from raw.githubusercontent.com directly from your browser. The tool's origin never sees them. No analytics beacons, no remote storage.

Question 2

What does PreFlight check?

Accepted Answer

96 probes covering hardcoded secrets (AWS, Stripe, OpenAI, Anthropic, GitHub, etc.), NEXT_PUBLIC_ leak of server secrets, Supabase Row-Level-Security misconfigurations, Firebase permissive rules, JWT algorithm: none, package.json supply-chain hooks, known-compromised package versions (Shai-Hulud / Axios / Mini Shai-Hulud / TanStack worm), typosquatted and LLM-hallucinated package names, MCP server command-injection patterns, Cursor / Copilot rules-file backdoors, Trojan Source Unicode, prompt-injection sinks, system-prompt leakage to client bundles, missing security headers, CORS wildcards, SSRF and open-redirect patterns, HTML hygiene (inline handlers, mixed content, CSP, target=_blank without rel=noopener), SQL injection via template literals, path traversal, weak randomness, stack-trace leaks, subresource integrity, source-map exposure, iframe sandbox, security logging, RAG ingestion, vector / embedding weaknesses, and multi-language adapters (Python, Go, Ruby, PHP, Java, Kotlin, Swift, Scala, Elixir, Dart, C#, Rust). Every finding carries its OWASP category code(s).

Question 3

Is PreFlight free?

Accepted Answer

Yes. No signup, no credit card, no usage limits. Free forever for the browser tool itself. Optional AI features (Explain & Verify, agent-prompt formatting) require you to bring your own API key; whatever the AI provider charges goes to them, not to us.

Question 4

What kind of tool is this, and what is it NOT?

Accepted Answer

A free, in-browser static security audit. You drop in a folder or paste a GitHub URL. You get a report. It focuses on failure modes specific to AI-generated code (prompt-injection sinks, MCP server misconfig, Cursor / Copilot rules-file backdoors, slopsquatted packages, system prompts leaked to client bundles) plus 2025-2026 supply-chain incidents (Shai-Hulud, Axios / Sapphire Sleet, Mini Shai-Hulud) by exact version. It is NOT a continuously-running enterprise AppSec platform with seat counts, dashboards, ticket integrations, or runtime protection. It is a free pre-merge gate you can run before you commit. No signup. No data leaving your tab.

Question 5

Can PreFlight catch supply-chain attacks from 2025-2026?

Accepted Answer

Yes, by exact version. We hard-code known-compromised versions from Shai-Hulud (Sept 2025), Axios / Sapphire Sleet (March 2026), Mini Shai-Hulud SAP (April 2026), Bitwarden CLI 2026.4.0, the Mini Shai-Hulud TanStack worm (May 11, 2026), and more. Citations include CISA cybersecurity advisories, GTIG/Mandiant threat intelligence, Microsoft Threat Intelligence, the affected vendors' own security advisories, and the corresponding GitHub Security Advisory records.

Question 6

Does PreFlight work with apps not built by AI?

Accepted Answer

Yes. Most probes are framework-agnostic and apply to any JavaScript, TypeScript, Python, Go, Ruby, HTML, or SQL project. The vibe-coding framing is about who needs the help most, not about what code PreFlight is technically capable of scanning.

A library for vibers building vibeware.

PCI DSS v4.0 (the code-visible requirements)

What this is

Why an AI-generated app in this domain must care

What PreFlight does and does not do here

What an assessor looks for

Not legal advice

SOURCES