127 repos scanned and counting

How It Works

1. Paste your repo URL
   Any public GitHub repo. Tuned for Next.js + Supabase.

2. We find the issues hackers actually exploit
   Leaked secrets, auth gaps, RLS misconfigs, SQL injection, XSS, and more.

3. Get copy/paste fixes
   Plain English explanations with the exact code to fix each issue.


Tuned for Next.js + Supabase · Free: 5 scans/day · Pro: Unlimited + deeper checks + private repos

What You'll Get

NEXT_PUBLIC_ Secret Exposed (CRITICAL)
  Your Supabase service key is exposed to every visitor. This bypasses all Row Level Security — anyone can read, write, or delete your entire database.
  Location: .env.local:3
  Fix: Remove the NEXT_PUBLIC_ prefix and use the key server-side only:
    SUPABASE_SERVICE_ROLE_KEY=your-key

API Route Missing Auth (HIGH)
  This API route accesses the database without checking authentication. Anyone can call this endpoint and access your data.
  Location: app/api/users/route.ts:5
  Fix: Add an auth check before the database call:
    const session = await getServerSession();
    if (!session) return Response.json({ error: "Unauthorized" }, { status: 401 });

Real findings include copy/paste fixes for your exact code
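A rule of the kind behind the NEXT_PUBLIC_ finding above, written here as an added TypeScript example (not Yikes' own scanner code): it parses a dotenv file, flags NEXT_PUBLIC_ variables whose name or value marks them as a server secret, and reports file:line in the same form as the card. The `.env.local` sample and the stand-in JWTs are constructed for this example, and the `scanEnv`/`jwtRole` functions and the secret-name pattern are assumptions of the example, not the product's rules.

```typescript
// Added example, not the Yikes scanner. Next.js inlines every NEXT_PUBLIC_* variable into
// the browser bundle; Supabase's legacy anon/service_role keys are JWTs with a `role`
// claim, so this rule inspects the value as well as the name (heuristics chosen for the example).
type Finding = { severity: "CRITICAL"; location: string; message: string; fix: string };
const SECRET_NAME = /SERVICE_ROLE|SECRET|PRIVATE|PASSWORD|TOKEN/i;
// Role claim of an (unverified) JWT payload, or null when the value is not a JWT.
function jwtRole(value: string): string | null {
  const parts = value.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null;
  }
}
// Scan dotenv-style text and report every NEXT_PUBLIC_ variable that carries a secret.
function scanEnv(file: string, content: string): Finding[] {
  const findings: Finding[] = [];
  const lines = content.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(lines[i]);
    if (!m || !/^NEXT_PUBLIC_/.test(m[1])) continue; // comments, blanks, server-only vars
    const name = m[1];
    const serverName = name.slice("NEXT_PUBLIC_".length);
    const value = m[2].replace(/^(["'])(.*)\1$/, "$2"); // strip surrounding quotes
    const role = jwtRole(value);
    if (role !== "service_role" && !SECRET_NAME.test(serverName)) continue;
    findings.push({
      severity: "CRITICAL",
      location: `${file}:${i + 1}`,
      message: role === "service_role"
        ? `${name} holds a service_role key; it bypasses Row Level Security for every visitor.`
        : `${name} looks like a server secret but is bundled into client-side JavaScript.`,
      fix: `Rename it to ${serverName} and read it only in server code (Route Handlers, Server Components).`,
    });
  }
  return findings;
}
// Constructed sample: unsigned stand-in JWTs whose payload carries only an issuer and a role claim.
const fakeJwt = (role: string) =>
  `eyJhbGciOiJIUzI1NiJ9.${Buffer.from(JSON.stringify({ iss: "supabase", role })).toString("base64url")}.sig`;
const SAMPLE_ENV = [
  "# constructed .env.local", "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co",
  `NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=${fakeJwt("service_role")}`, // line 3: name and value both give it away
  `NEXT_PUBLIC_SUPABASE_ANON_KEY=${fakeJwt("anon")}`,                  // line 4: anon key is public by design
  `NEXT_PUBLIC_SUPABASE_KEY="${fakeJwt("service_role")}"`,            // line 5: harmless name, service_role value
  "SUPABASE_SERVICE_ROLE_KEY=server-only-placeholder",                  // line 6: correct server-side name
].join("\n");
console.log(scanEnv(".env.local", SAMPLE_ENV)); // reports .env.local:3 and .env.local:5
```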


✅ Yikes Verified

No critical or high severity issues found. Scan again after fixing to earn this badge.

How Yikes Compares

                                  Yikes         Snyk          GitHub Advanced Security
Setup time                        30 seconds    15+ minutes   10+ minutes
Plain English findings
Copy/paste fixes
Next.js + Supabase specific
Supabase RLS checks
Human code review + PR Fix Pack
Private repo scanning
Starting price                    Free          $50/mo        $49/user/mo

Go from "yikes" to "yikes-free"

Free scans show every issue. Paid plans unlock private repos and get your code fixed.

Free

$0
  • 5 scans per day
  • Full report — all findings
  • Fix suggestions on every issue
  • Public repos only

Pro

$19.99
  • Everything in Free
  • Private repo scanning
  • Premium rules (RLS, auth gaps)
  • PDF report with fix code
  • 50 scans included

Frequently Asked Questions

Is my code stored?
No. Your repository is cloned temporarily for scanning, then immediately deleted. We never store your source code. Scan results are kept temporarily so you can view them, then purged.
What exactly do you scan for?
We scan for the vulnerabilities hackers actually exploit: leaked secrets in environment files (especially NEXT_PUBLIC_ prefixed keys), Supabase Row Level Security misconfigurations, API routes without authentication, SQL injection patterns, XSS vulnerabilities, CORS misconfigurations, missing rate limiting, Stripe webhook signature verification, and more.
Does it work with non-Next.js projects?
Yes! General security checks like leaked secrets, SQL injection, and XSS work on any JavaScript/TypeScript project. However, the deeper checks for Supabase RLS, Next.js API routes, and middleware are specifically tuned for the Next.js + Supabase stack.
What's included in the Fix Pack?
I (Adam, the founder) personally review your codebase, identify every security issue, write the fixes, and open a pull request on your repo within 48 hours. No AI middleman — a real human reading your code and writing secure patches.
Can I scan private repositories?
Yes! Pro subscribers can connect their GitHub account with one click. We use OAuth so you never share your password — you just authorize Yikes to read your repos. Your token is stored securely and you can disconnect anytime. Private repo scanning is included in all paid plans.
How is Yikes different from Snyk or GitHub Advanced Security?
Yikes is purpose-built for indie hackers and solo developers using Next.js + Supabase. Instead of 40-page PDF reports full of CVE numbers, you get 2-5 actionable findings in plain English with copy/paste fixes. Setup takes 30 seconds (paste a URL), not 15 minutes of CI/CD configuration. And it starts free.