ANALYSIS

Free account required

Code Analysis

Scan source code for hardcoded secrets, insecure patterns, and injection sinks.

Paste code from any language and get instant static analysis for the patterns that matter in bug bounty: hard-coded credentials, dangerous function calls, SQL query concatenation, missing input validation, and deserialization sinks.

What Code Analysis finds

Hardcoded Credentials

Finds API keys, passwords, tokens, and secrets embedded directly in source code using pattern matching and entropy analysis.

SQL Injection Sinks

Identifies query concatenation patterns, raw SQL execution, and ORM bypass functions that create injection risk.

Insecure Cryptography

Flags weak hash functions (MD5, SHA1), ECB mode encryption, and weak random number generation.

Dangerous Functions

Detects eval(), exec(), system(), and similar functions that enable code execution or command injection.
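To illustrate the "pattern matching and entropy analysis" approach the Hardcoded Credentials rule describes, here is a small added example that is not the product's own code: it matches assignments of secret-looking names to string literals, then uses Shannon entropy to separate likely real keys from placeholders. The regex, the length and entropy thresholds, and the sample source are constructed for this demo.

```python
import math
import re

# Constructed sample input: a fake config module. Every value below is made up.
SAMPLE_SOURCE = '''\
DEBUG = True
API_KEY = "AKIA0123456789ABCDEFGHIJ"
db_password = "hunter2"
session_token = "kZ3pQ9xLm2vN8rT4wY7uB1cD"
placeholder = "password"
'''

# Assignment of a name containing a secret-like word to a quoted string literal.
# Thresholds and word list are assumptions for the demo, not the product's rules.
SECRET_ASSIGN_RE = re.compile(
    r'(?i)([a-z_]*(?:api[_-]?key|secret|token|passw(?:or)?d)[a-z_]*)'
    r'\s*[:=]\s*["\']([^"\']+)["\']'
)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from character frequencies."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source: str, min_len: int = 16, min_entropy: float = 3.0):
    """Return (line_no, name, kind, entropy) for each secret-looking assignment.

    A name match alone is noisy: short or low-entropy values (placeholders,
    dictionary words) are reported as "weak" so the reviewer can triage them
    separately from "high-entropy" values that look like real keys or tokens.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGN_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        ent = shannon_entropy(value)
        kind = "high-entropy" if len(value) >= min_len and ent >= min_entropy else "weak"
        findings.append((line_no, name, kind, round(ent, 2)))
    return findings


if __name__ == "__main__":
    for line_no, name, kind, ent in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} ({kind}, entropy {ent})")
```

Note that the `placeholder = "password"` line is not reported: the secret-like word appears only in the value, not in the assigned name.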

How to use Code Analysis

Paste your code

Supports JavaScript, TypeScript, Python, PHP, Java, Go, Ruby, and more. No account required.

Select language

Auto-detected in most cases. Override manually for accurate rule application.

Review results

Each finding links to the exact line, explains the risk, and suggests a secure alternative.

RaSEC Platform

Run Code Analysis as part of an overnight hunt.

All 8 tools in coordinated sequence
Deterministic reproduction
Copy-paste PoC reports
No credit card
Cancel anytime
Free forever tier