The security review system for AI-built apps

Purpose-built for launch-risk reports. Designed for the era of agents, generated code, and founders shipping before their security model catches up.


Admin users route may be exposed. Severity: Critical. Location: app/api/admin/users/route.ts:12
GET returns user records before any session or admin-role check is visible.

Stripe webhook does not verify signatures. Severity: Critical. Location: app/api/stripe/webhook/route.ts:21

User records query may miss ownership filtering. Severity: High. Location: lib/projects.ts:44

Next action

Require a server-side session and admin-role check before returning user records. Add a logged-out and non-admin regression test before marking this fixed.

Prioritize the dangerous flows

Auth, admin, payment, data, uploads, AI tools, and rate limits are treated as first-class risk surfaces.

Show the evidence

Findings point to files, line numbers, confidence, and the concrete signal that triggered the rule.

Keep monitoring focused

Watch is scoped to new urgent issues and previous-scan comparison, not another dashboard to maintain.

A new species of app risk report

Built around the repair decision.

AbyssGuard turns a source snapshot into an ordered review of what can expose data, bypass payment, unlock admin access, or make the next change harder to trust.

01 Scan for high-signal patterns

Deterministic rules run before any AI explanation layer, so results are repeatable and cheap to verify.

02 Separate risk from cleanup

App Risk, Code Health, and Test Confidence stay separate so messy code does not hide urgent safety issues.

03 Move directly to a fix

Paid reports unlock repair prompts and verification steps that fit how founders actually work with AI coding tools.

1.0 Intake

Turn a repo into a prioritized risk queue

Start with a public GitHub URL or a private OAuth snapshot. AbyssGuard reads bounded source files, runs deterministic checks, and keeps raw source out of durable report storage.

github.com/founder/ai-saas: scanning
Secrets: 7 files, complete
Auth and admin: 18 routes, reviewing
Payments: 4 handlers, queued
AI tools: 3 routes, queued

2.0 Review

Understand the issue before changing code

Each full finding explains why it matters, what evidence was found, how confident the scanner is, and which verification steps prove the fix worked.

Admin users route may be exposed. Severity: Critical. Location: app/api/admin/users/route.ts

Webhook does not verify signatures. Severity: Critical. Location: app/api/paddle/webhook/route.ts

User records query may miss ownership filtering. Severity: High. Location: lib/projects.ts

3.0 Repair

Give your coding agent a narrow job

The report turns risky flows into constrained repair prompts: preserve response shapes, avoid broad refactors, add focused tests, and re-scan after changes.

Repair prompt

Goal: fix the "Fix now" issues first, without broad refactors.

1. Add server-side auth before admin data access.

2. Verify webhook signatures before state changes.

3. Add focused tests for logged-out and forged-event cases.

After fixes: run tests, manually verify, then re-scan.
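What steps 1 to 3 of the repair prompt look like in code, as an added example (not AbyssGuard's output and not code from the scanned project): the unguarded admin handler from the sample finding beside its guarded form, and Stripe-style webhook signature verification that runs before any state change. The in-memory session table and token names are constructed stand-ins for a real server-side session lookup; a production handler would use the Stripe SDK's constructEvent with the raw request body instead of hand-rolling the check.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed in-memory session table: cookie token -> user. Hypothetical stand-in
// for the real server-side session lookup provided by your auth library.
type User = { id: string; role: "admin" | "member" };
const SESSIONS: Record<string, User> = {
  "tok-admin": { id: "u1", role: "admin" },
  "tok-member": { id: "u2", role: "member" },
};
const USERS: User[] = Object.values(SESSIONS);
type Reply = { status: number; body: unknown };

// Before (the finding): GET returns user records with no session or role check.
function adminUsersUnguarded(): Reply {
  return { status: 200, body: USERS };
}

// After: resolve the session server-side, then require the admin role, before any
// record is read. The success response shape is unchanged, as the prompt requires.
function adminUsersGuarded(sessionToken: string | undefined): Reply {
  const user = sessionToken ? SESSIONS[sessionToken] : undefined;
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  if (user.role !== "admin") return { status: 403, body: { error: "forbidden" } };
  return { status: 200, body: USERS };
}

// Webhook: check the Stripe-Signature header ("t=<unix>,v1=<hex>") before touching
// state. v1 is HMAC-SHA256 over "<t>.<raw body>" keyed with the endpoint secret; the
// timestamp window limits replay and the digest comparison is constant-time.
function verifyWebhook(rawBody: string, sigHeader: string, secret: string, nowSec: number, toleranceSec = 300): boolean {
  const parts: Record<string, string> = {};
  for (const kv of sigHeader.split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) parts[kv.slice(0, i)] = kv.slice(i + 1);
  }
  const tRaw = parts["t"];
  const t = Number(tRaw);
  if (!tRaw || !Number.isFinite(t) || !parts["v1"] || Math.abs(nowSec - t) > toleranceSec) return false;
  const expected = Buffer.from(createHmac("sha256", secret).update(`${tRaw}.${rawBody}`).digest("hex"), "hex");
  const given = Buffer.from(parts["v1"], "hex");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Builds a header the way the sender would; lets a test produce a valid and a forged case.
function signWebhook(rawBody: string, secret: string, tSec: number): string {
  return `t=${tSec},v1=${createHmac("sha256", secret).update(`${tSec}.${rawBody}`).digest("hex")}`;
}
```

The logged-out, non-admin, tampered-body, stale-timestamp and forged-signature cases are exactly the regression tests step 3 asks for.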

Pricing

Choose report depth without leaving the product story.

Start with proof from a free preview, unlock a one-time report when the findings are useful, then monitor only after the app is worth watching.
