71 categories. File path, line number, fix on every finding. Runs on your machine with your AI key.
npm install -g @snitchplugin/cli
One command. Sets itself up inside every AI tool you have.
snitch scan
Diff vs main. Each finding gets a file, a line, and a fix.
Hand the report to your AI tool
It applies the fixes. Re-run to verify clean.
Secrets
Stripe / AWS / OpenAI keys in source. JWT secrets in .env. PATs in CI logs.
Injection
SQL concat. Unescaped shell args. XSS via dangerouslySetInnerHTML. Prompt injection in agent code.
Auth
Missing CSRF. JWT alg=none. OAuth state-param missing. Predictable session IDs.
Authorization + IDOR
Missing ownership checks. Predictable IDs. Mass-assignment leaks. Role checks bypassed by parameter tampering.
Cryptography
MD5 / SHA-1 for passwords. Math.random for tokens. IV reuse. Low PBKDF2 iteration counts.
IaC + supply chain
Open S3, public RDS, IAM * on *. Stale CVEs from your lockfile cross-checked against OSV.
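As an added illustration that is not Snitch's code (Snitch delegates the analysis to an AI model), the following small pattern-based checker emits findings in the same file / line / fix shape for a few of the categories above; the rules, thresholds and sample source are constructed here:

```javascript
// Added illustration only: a tiny regex-based checker emitting findings in the
// "file, line, fix" shape described above. Snitch's own analysis is done by an
// AI model; these rules cover just a few of the listed categories.
const RULES = [
  { category: 'Cryptography', re: /Math\.random\s*\(/,
    fix: 'Generate tokens with crypto.randomBytes() or crypto.randomUUID(), not Math.random()' },
  { category: 'Auth', re: /\balg(?:orithms?)?\s*[:=]\s*\[?\s*['"]none['"]/i,
    fix: 'Never accept alg=none; pin the expected algorithm when verifying JWTs' },
  { category: 'Injection', re: /dangerouslySetInnerHTML/,
    fix: 'Render untrusted text as JSX children, or sanitize HTML before injecting it' },
  { category: 'Cryptography', re: /pbkdf2(?:Sync)?\s*\([^,]*,[^,]*,\s*(\d+)\s*,/,
    fix: 'Raise PBKDF2 iterations; OWASP recommends 600,000 for PBKDF2-HMAC-SHA256',
    // Only flag when the literal iteration count is below the threshold.
    check: (m) => Number(m[1]) < 600000 },
  { category: 'Secrets', re: /sk_live_[A-Za-z0-9]+/,
    fix: 'Remove the Stripe live key from source, rotate it, and load it from a secret store' },
];

// Scan one file's text; returns findings with 1-based line numbers.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      const m = text.match(rule.re);
      if (m && (!rule.check || rule.check(m))) {
        findings.push({ file, line: idx + 1, category: rule.category, fix: rule.fix });
      }
    }
  });
  return findings;
}

// Render findings the way the page describes: file path, line number, fix.
function formatReport(findings) {
  return findings.map((f) => `${f.file}:${f.line} [${f.category}] ${f.fix}`).join('\n');
}

// Constructed sample source standing in for a file changed vs main.
// The sk_live_ value is a made-up placeholder, not a real key.
const SAMPLE_SOURCE = [
  'const token = Math.random().toString(36).slice(2);',
  "jwt.verify(t, key, { algorithms: ['none'] });",
  'return <div dangerouslySetInnerHTML={{ __html: bio }} />;',
  "const dk = crypto.pbkdf2Sync(pw, salt, 1000, 32, 'sha256');",
  "const STRIPE_KEY = 'sk_live_EXAMPLE0000000000';",
  "const dk2 = crypto.pbkdf2Sync(pw, salt, 600000, 32, 'sha256'); // adequate, not flagged",
].join('\n');

console.log(formatReport(scanSource('src/billing.js', SAMPLE_SOURCE)));
```

The last sample line shows the point of the iteration-count check: a literal at or above the threshold produces no finding, so a clean re-run after applying the fixes reports nothing.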
Locked in for life. Includes Snitch: marketing too.
What new customers will pay once the launch promo closes. Not live yet — sign up at the promo tier to lock in $29.99 for life.
Org-wide PR-gating? GitHub Action — contact for pricing. Open source maintainer? Free for accepted projects.
Do I need a Claude / OpenAI / Gemini account?
Yes. Snitch shells out to your AI provider with your own key. We don't proxy inference, and we don't bill for tokens.
Difference between $29.99 and $99.99?
Same product. $29.99 is the launch promo, locked in for the life of your subscription. $99.99 is what new customers pay after.
Does Snitch see my code?
No. The CLI runs locally. Your AI provider sees the prompts. Snitch's servers see "this person ran a scan" — that's it.
Does the marketing audit really come with it?
Yes. One subscription, both products. Same login, same install.
Can I cancel any time?
Yes. From your dashboard. Access stays through period end.