Question 1

Does PreFlight send my source code to a server?

Accepted Answer

No. All scanning happens in your browser tab. When you select files or a folder, contents are read locally with the File API and never uploaded. When you scan a public GitHub URL, the tool fetches raw blobs from raw.githubusercontent.com directly from your browser. The tool's origin never sees them. No analytics beacons, no remote storage.

Question 2

What does PreFlight check?

Accepted Answer

96 probes covering hardcoded secrets (AWS, Stripe, OpenAI, Anthropic, GitHub, etc.), NEXT_PUBLIC_ leak of server secrets, Supabase Row-Level-Security misconfigurations, Firebase permissive rules, JWT algorithm: none, package.json supply-chain hooks, known-compromised package versions (Shai-Hulud / Axios / Mini Shai-Hulud / TanStack worm), typosquatted and LLM-hallucinated package names, MCP server command-injection patterns, Cursor / Copilot rules-file backdoors, Trojan Source Unicode, prompt-injection sinks, system-prompt leakage to client bundles, missing security headers, CORS wildcards, SSRF and open-redirect patterns, HTML hygiene (inline handlers, mixed content, CSP, target=_blank without rel=noopener), SQL injection via template literals, path traversal, weak randomness, stack-trace leaks, subresource integrity, source-map exposure, iframe sandbox, security logging, RAG ingestion, vector / embedding weaknesses, and multi-language adapters (Python, Go, Ruby, PHP, Java, Kotlin, Swift, Scala, Elixir, Dart, C#, Rust). Every finding carries its OWASP category code(s).

Question 3

Is PreFlight free?

Accepted Answer

Yes. No signup, no credit card, no usage limits. Free forever for the browser tool itself. Optional AI features (Explain & Verify, agent-prompt formatting) require you to bring your own API key; whatever the AI provider charges goes to them, not to us.

Question 4

What kind of tool is this, and what is it NOT?

Accepted Answer

A free, in-browser static security audit. You drop in a folder or paste a GitHub URL. You get a report. It focuses on failure modes specific to AI-generated code (prompt-injection sinks, MCP server misconfig, Cursor / Copilot rules-file backdoors, slopsquatted packages, system prompts leaked to client bundles) plus 2025-2026 supply-chain incidents (Shai-Hulud, Axios / Sapphire Sleet, Mini Shai-Hulud) by exact version. It is NOT a continuously-running enterprise AppSec platform with seat counts, dashboards, ticket integrations, or runtime protection. It is a free pre-merge gate you can run before you commit. No signup. No data leaving your tab.

Question 5

Can PreFlight catch supply-chain attacks from 2025-2026?

Accepted Answer

Yes, by exact version. We hard-code known-compromised versions from Shai-Hulud (Sept 2025), Axios / Sapphire Sleet (March 2026), Mini Shai-Hulud SAP (April 2026), Bitwarden CLI 2026.4.0, the Mini Shai-Hulud TanStack worm (May 11, 2026), and more. Citations include CISA cybersecurity advisories, GTIG/Mandiant threat intelligence, Microsoft Threat Intelligence, the affected vendors' own security advisories, and the corresponding GitHub Security Advisory records.

Question 6

Does PreFlight work with apps not built by AI?

Accepted Answer

Yes. Most probes are framework-agnostic and apply to any JavaScript, TypeScript, Python, Go, Ruby, HTML, or SQL project. The vibe-coding framing is about who needs the help most, not about what code PreFlight is technically capable of scanning.

A library for vibers building vibeware.

.env files tracked in source control

What this is

Why it matters

What the failure looks like

What the fix looks like

Related

Sources

RELATED PROBES

SOURCES