Every Capability, and the Benefit Behind It
CloviScan goes from your public surface down to your source code and the JSON your app actually ships to the browser. Here is each capability, a quick visual of how it works, and what it does for you.
Website Audit
Your public-facing posture as an attacker sees it: SSL/TLS grade, security headers (CSP, HSTS, X-Frame-Options), DNS records (SPF/DKIM/DMARC), and exposed files like .env or .git/config.
Benefit: close the gaps the internet can already see.
Code / GitHub Scan
Connect a repository or upload source and CloviScan reads the actual code — hardcoded secrets, SQL-injection patterns, unsafe innerHTML/eval, missing CSRF protection, and dependencies with known CVEs via lockfile analysis.
Benefit: catch the dangerous pattern before it ships.
Server Security
The configuration under your app: SSH root-login and auth mode, open ports exposing databases or admin panels, EOL software versions, and intrusion-protection status (Fail2ban, ModSecurity).
Benefit: a hardened server, not just hardened code.
AI Autofix — researched remediation
Every finding ships with a plain-English explanation and a copy-paste fix. The AI does researched remediation: it grounds each fix in a retrieval-augmented (RAG) knowledge base of known issues and patterns, so the guidance fits the specific finding — not a generic boilerplate.
Benefit: resolve issues today, not next sprint.
The leak isn't in your HTML — it's in the JSON you ship
Header scanners read your raw HTML and stop. But modern apps render in the browser and fetch data over the network. The real leak — an internal ID, an email, a token, a debug field — is usually in the JSON or XHR response, not the page source. CloviScan crawls the rendered page and inspects the network responses your app actually delivers.
- Detects sensitive fields exposed in API/JSON responses that never appear in HTML source.
- Catches data over-fetching — endpoints returning more than the UI needs.
- Flags tokens, internal IDs, and PII shipped to the client.
Monitoring
Schedule re-scans and get notified when your security posture changes — a certificate nearing expiry, a header that disappeared, or a newly exposed file. Track your score over time instead of checking once and forgetting.
Pre-launch QC gate
Run CloviScan as a gate before you ship. Block a launch on critical findings, then re-scan to confirm they're resolved. It turns "we'll check security later" into a pass/fail step in your release process.