Features

Every Capability, and the Benefit Behind It

CloviScan goes from your public surface down to your source code and the JSON your app actually ships to the browser. Here is each capability, a quick visual of how it works, and what it does for you.

Website Audit

Your public-facing posture as an attacker sees it: SSL/TLS grade, security headers (CSP, HSTS, X-Frame-Options), DNS records (SPF/DKIM/DMARC), and exposed files like .env or .git/config.

Your domainExternal probeHeaders · SSL · DNS · exposed files

Benefit: close the gaps the internet can already see.

Code / GitHub Scan

Connect a repository or upload source and CloviScan reads the actual code — hardcoded secrets, SQL-injection patterns, unsafe innerHTML/eval, missing CSRF protection, and dependencies with known CVEs via lockfile analysis.

GitHub repoStatic analysisFindings + line numbers

Benefit: catch the dangerous pattern before it ships.

Server Security

The configuration under your app: SSH root-login and auth mode, open ports exposing databases or admin panels, EOL software versions, and intrusion-protection status (Fail2ban, ModSecurity).

Benefit: a hardened server, not just hardened code.

AI Autofix — researched remediation

Every finding ships with a plain-English explanation and a copy-paste fix. The AI does researched remediation: it grounds each fix in a retrieval-augmented (RAG) knowledge base of known issues and patterns, so the guidance fits the specific finding — not a generic boilerplate.

FindingRAG remediation KBExplanation + copy-paste fix

Benefit: resolve issues today, not next sprint.

The leak isn't in your HTML — it's in the JSON you ship

Header scanners read your raw HTML and stop. But modern apps render in the browser and fetch data over the network. The real leak — an internal ID, an email, a token, a debug field — is usually in the JSON or XHR response, not the page source. CloviScan crawls the rendered page and inspects the network responses your app actually delivers.

Load page (rendered)Capture XHR / JSON responsesScan payloads for leaked fields
  • Detects sensitive fields exposed in API/JSON responses that never appear in HTML source.
  • Catches data over-fetching — endpoints returning more than the UI needs.
  • Flags tokens, internal IDs, and PII shipped to the client.

Monitoring

Schedule re-scans and get notified when your security posture changes — a certificate nearing expiry, a header that disappeared, or a newly exposed file. Track your score over time instead of checking once and forgetting.

Pre-launch QC gate

Run CloviScan as a gate before you ship. Block a launch on critical findings, then re-scan to confirm they're resolved. It turns "we'll check security later" into a pass/fail step in your release process.

BuildCloviScan gatePass → ship · Fail → fix