This is a demo report with sample data. Sign up to analyze your own repository.
security
demo-startup/saas-mvp
Critical security vulnerabilities and missing production safeguards detected. A SQL injection in the login flow, production API keys still present in git history, and no rate limiting on authentication endpoints make this unsafe for production deployment.
Summary
Critical security flaws detected including SQL injection vulnerabilities, exposed API keys in git history, and missing authentication rate limiting. These issues pose immediate risk to user data and system integrity.
Issues Found (3)
SQL Injection in Login Authentication
CRITICAL · api/auth/login.ts:42
Description
User-supplied credentials are directly concatenated into SQL queries without parameterization in the authentication flow. An attacker can bypass authentication or extract sensitive data by injecting malicious SQL code.
Business Impact
CRITICAL: Attackers can gain unauthorized access to any user account or steal the entire user database including passwords and PII.
Recommendation
Use parameterized queries (pg.query with $1, $2 placeholders) or an ORM such as Prisma, whose query builder and $queryRaw tagged template parameterize for you; $queryRawUnsafe with interpolated input reintroduces the same bug. Never concatenate user input into SQL. Separately, the login query should only fetch the stored password hash by email; verify the password in application code with bcrypt.compare or argon2.verify, not by matching it in the WHERE clause.
Safe Fix Guidelines
Replace string concatenation with Prisma client methods or pg.query({ text, values }) with $1, $2 placeholders. Keep the statement text constant and pass every user-supplied value in the values array.
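The vulnerable pattern beside its parameterized replacement, as an added example rather than code from the demo repository. The SqlClient interface and RecordingClient are stand-ins for pg.Pool so the block runs offline; the table and column names, findUserForLogin, and the payload are assumptions for illustration.

```typescript
// Added example (not the demo repository's code). QueryConfig mirrors the
// shape pg's client.query accepts; SqlClient is a minimal stand-in for pg.Pool
// so the block runs without a database.
interface QueryConfig {
  text: string;
  values?: unknown[];
}

interface SqlClient {
  query(config: QueryConfig): Promise<{ rows: Record<string, unknown>[] }>;
}

// Records what the database would receive instead of executing it.
class RecordingClient implements SqlClient {
  last: QueryConfig | undefined;
  async query(config: QueryConfig) {
    this.last = config;
    return { rows: [] as Record<string, unknown>[] };
  }
}

// BEFORE: the pattern the report flags. User input is spliced into the
// statement, so a quote in the input ends the string literal and the rest of
// the input is parsed as SQL.
function vulnerableLoginQuery(email: string): QueryConfig {
  return { text: `SELECT id, password_hash FROM users WHERE email = '${email}'` };
}

// AFTER: the statement text is fixed and the input travels as $1. pg sends the
// text and the values to the server as separate protocol messages, so the
// value is never parsed as SQL no matter what it contains.
function safeLoginQuery(email: string): QueryConfig {
  return {
    text: "SELECT id, password_hash FROM users WHERE email = $1",
    values: [email],
  };
}

// Hypothetical login lookup: fetch the stored hash by email and verify the
// password in application code (bcrypt.compare or similar). The password
// itself never belongs in the query.
async function findUserForLogin(client: SqlClient, email: string) {
  const { rows } = await client.query(safeLoginQuery(email));
  return rows[0];
}

// Classic tautology payload: closes the string, adds an always-true clause,
// and comments out the trailing quote the template would append.
const INJECTION_PAYLOAD = "' OR '1'='1' --";

// Constructed demonstration: what the safe path hands to the database when the
// attacker's payload is submitted as the email.
async function demo() {
  const client = new RecordingClient();
  await findUserForLogin(client, INJECTION_PAYLOAD);
  return client.last; // text unchanged, payload sits inert in values[0]
}
```

With the payload above, vulnerableLoginQuery produces `... WHERE email = '' OR '1'='1' --'`, which returns the first row of the table; safeLoginQuery leaves the statement unchanged and binds the payload as a literal email that matches nothing.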
API Keys Exposed in Git History
CRITICAL · .env.production
Description
Production API keys for Stripe, SendGrid, and AWS were found in commit 3f7a9b2 from 3 months ago. Although they were removed in a later commit, they remain in git history and can be read by anyone with access to the repository, including every clone and fork made since, with git show 3f7a9b2 or git log -p.
Business Impact
CRITICAL: Exposed API keys allow attackers to send email from your domain through SendGrid, create charges and refunds and read customer data through Stripe, and use AWS with whatever permissions the exposed credential holds.
Recommendation
Treat the keys as compromised: rotate all of them immediately, then review the Stripe, SendGrid and AWS (CloudTrail) logs for use you did not authorize. Use environment variables and never commit .env files. Add .env* to .gitignore and use git-secrets or a similar pre-commit scanner. Rewriting history with git filter-repo removes the blob from this repository but not from existing clones or forks, so it is a cleanup step, not a substitute for rotation.
Safe Fix Guidelines
Rotate the keys in the Stripe, SendGrid and AWS consoles (for AWS, create a new access key for the IAM user, switch the deployment to it, then deactivate and delete the old one). Use GitHub Actions secrets for CI/CD and environment variables injected by the hosting platform or a secrets manager for production.
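A scanner for the key formats named in this finding, run over git history, as an added example that is not the demo repository's tooling or any particular scanner's code. It assumes the input is the text of `git log --all -p -- .env.production`; the sample log, the short commit ids and the key values are constructed and fake, and the length bounds in the patterns are deliberately loose.

```typescript
// Added example, not the demo repository's tooling: scan `git log --all -p`
// output for the three providers' key formats. The prefixes (sk_live_, SG.,
// AKIA/ASIA) are the providers' documented formats; lengths are loose on purpose.
const SECRET_PATTERNS: ReadonlyArray<{ name: string; re: RegExp }> = [
  { name: "Stripe live secret key", re: /\bsk_live_[0-9A-Za-z]{16,}/ },
  { name: "SendGrid API key", re: /\bSG\.[0-9A-Za-z_-]{16,}\.[0-9A-Za-z_-]{16,}/ },
  { name: "AWS access key ID", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
];

interface Finding {
  commit: string;
  path: string;
  change: "added" | "removed";
  name: string;
}

// Walks the patch stream: track the current commit and file, then test every
// +/- content line (skipping the +++/--- file headers). Removed lines are
// reported too: the commit that deletes a key still carries it in its diff,
// and the earlier blob stays reachable regardless.
function scanGitLog(log: string): Finding[] {
  const findings: Finding[] = [];
  let commit = "";
  let path = "";
  for (const line of log.split("\n")) {
    const c = /^commit ([0-9a-f]{7,40})/.exec(line);
    if (c) { commit = c[1]; continue; }
    const d = /^diff --git a\/(\S+) b\//.exec(line);
    if (d) { path = d[1]; continue; }
    if (line.startsWith("+++") || line.startsWith("---")) continue;
    if (!line.startsWith("+") && !line.startsWith("-")) continue;
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(line)) {
        findings.push({ commit, path, change: line[0] === "+" ? "added" : "removed", name });
      }
    }
  }
  return findings;
}

// Constructed sample mimicking `git log --all -p -- .env.production`: one
// commit adds the file with fake keys, a later commit deletes it. Commit ids
// and key values are made up for this example.
const SAMPLE_GIT_LOG = `commit 3f7a9b2
Author: dev <dev@example.com>

    add production config

diff --git a/.env.production b/.env.production
new file mode 100644
--- /dev/null
+++ b/.env.production
@@ -0,0 +1,3 @@
+STRIPE_SECRET_KEY=sk_live_EXAMPLE0123456789abcdefgh
+SENDGRID_API_KEY=SG.EXAMPLEkey0123456789ab.EXAMPLEsecret0123456789abcdefghijk
+AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678
commit 9b1c2d3
Author: dev <dev@example.com>

    remove .env.production from repo

diff --git a/.env.production b/.env.production
deleted file mode 100644
--- a/.env.production
+++ /dev/null
@@ -1,3 +0,0 @@
-STRIPE_SECRET_KEY=sk_live_EXAMPLE0123456789abcdefgh
-SENDGRID_API_KEY=SG.EXAMPLEkey0123456789ab.EXAMPLEsecret0123456789abcdefghijk
-AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678
`;

// Every finding is a key to rotate; the "added" ones tell you which commit
// introduced it and therefore how long it has been exposed.
function keysToRotate(log: string): Finding[] {
  return scanGitLog(log).filter((f) => f.change === "added");
}
```

On the sample, keysToRotate reports three keys, all introduced in 3f7a9b2, and the removal commit shows up as three "removed" findings: deleting the file changed nothing about exposure. Prefix regexes like these are a heuristic; git-secrets and gitleaks ship maintained pattern sets and entropy checks, which is why the recommendation points at them rather than a hand-rolled list.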
Missing Rate Limiting on API Endpoints
HIGH · api/middleware/security.ts
Description
API endpoints for authentication, password reset, and data queries have no rate limiting. This leaves the application open to credential stuffing and password brute force, resource exhaustion from request floods, and bulk scraping of user data.
Business Impact
HIGH: Attackers can brute-force passwords, overwhelm the server with requests, or scrape all user data.
Recommendation
Implement rate limiting using express-rate-limit or similar middleware. Set aggressive limits on auth endpoints (for example 5 requests per minute per client) and moderate limits on data endpoints (100 requests per minute). Key the auth limit on the target account as well as the client IP, since credential-stuffing traffic rotates through many addresses, and answer rejected requests with 429 and a Retry-After header.
Safe Fix Guidelines
Add rate-limit middleware before route handlers. Store rate limit state in Redis for distributed deployments so every instance shares one counter per client. If the app runs behind a load balancer or reverse proxy, configure Express's trust proxy setting so req.ip is the real client address: too strict and every user shares the proxy's bucket, too permissive and an attacker gets a fresh bucket per request by spoofing X-Forwarded-For.
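A fixed-window limiter with a pluggable store and the two limits the report recommends, as an added example rather than the demo repository's middleware or express-rate-limit's code. It assumes structural Req/Res types that express's Request and Response satisfy, an in-memory store standing in for Redis, and the example IPs and paths are constructed.

```typescript
// Added example, not the demo repository's middleware. Structural types keep
// the block free of an express dependency; express's Request/Response provide
// these members, so the returned handler can be mounted with app.use().
interface Req { ip: string; path: string; }
interface Res { status(code: number): Res; set(name: string, value: string): Res; send(body: string): void; }
type Next = () => void;

interface RateLimitStore {
  // Count one hit for `key` in the current fixed window; return the running
  // count and when the window ends (ms since epoch).
  increment(key: string, windowMs: number, now: number): { hits: number; resetAt: number };
}

// Single-process store. A distributed deployment swaps in a Redis-backed store
// with the same interface (INCR plus PEXPIRE on one key, done atomically) so
// every instance shares the same counter per client.
class MemoryStore implements RateLimitStore {
  private buckets = new Map<string, { hits: number; resetAt: number }>();
  increment(key: string, windowMs: number, now: number) {
    const bucket = this.buckets.get(key);
    if (!bucket || now >= bucket.resetAt) {
      const fresh = { hits: 1, resetAt: now + windowMs };
      this.buckets.set(key, fresh);
      return fresh;
    }
    bucket.hits += 1;
    return bucket;
  }
}

interface RateLimitOptions {
  windowMs: number;
  max: number;
  store?: RateLimitStore;
  keyFor?: (req: Req) => string;  // defaults to client IP; auth routes should add the target account
  now?: () => number;             // injectable clock
}

function rateLimit(opts: RateLimitOptions) {
  const store = opts.store ?? new MemoryStore();
  const keyFor = opts.keyFor ?? ((req: Req) => req.ip);
  const now = opts.now ?? (() => Date.now());
  return (req: Req, res: Res, next: Next): void => {
    const t = now();
    const { hits, resetAt } = store.increment(keyFor(req), opts.windowMs, t);
    res.set("RateLimit-Limit", String(opts.max));
    res.set("RateLimit-Remaining", String(Math.max(0, opts.max - hits)));
    if (hits > opts.max) {
      res.set("Retry-After", String(Math.ceil((resetAt - t) / 1000)));
      res.status(429).send("Too Many Requests");
      return; // do not call next(): the route handler never runs
    }
    next();
  };
}

// Limits from the report: aggressive on auth, moderate on data endpoints.
// Mount order matters: these go before the route handlers they protect.
const authLimiter = rateLimit({ windowMs: 60_000, max: 5 });
const dataLimiter = rateLimit({ windowMs: 60_000, max: 100 });

// Test double for Res plus a helper returning the resulting status code, so
// the limiter can be exercised without a server.
function fakeRes(): Res & { code: number } {
  const r: Res & { code: number } = {
    code: 200,
    status(code: number) { r.code = code; return r; },
    set() { return r; },
    send() {},
  };
  return r;
}

function hit(limiter: (req: Req, res: Res, next: Next) => void, ip: string, path: string): number {
  const res = fakeRes();
  let passed = false;
  limiter({ ip, path }, res, () => { passed = true; });
  return passed ? 200 : res.code;
}

// Constructed run: six login attempts from one address, then one data request.
function demo(): { auth: number[]; data: number } {
  const auth = Array.from({ length: 6 }, () => hit(authLimiter, "198.51.100.9", "/api/auth/login"));
  return { auth, data: hit(dataLimiter, "198.51.100.9", "/api/users") };
}
```

The sixth login attempt within the minute gets 429 while other addresses and the data limiter are unaffected, and the bucket resets once the window passes. A fixed window lets a client burst up to 2×max across a window boundary; if that matters for auth, a sliding window or an account lockout after repeated failures is the next step.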