Ship fast. Ship secure.

AI-powered code security that triages the noise and catches the vulnerabilities that matter, so your team ships secure code at AI speed.

AI changed how we write code.
Engineers ship in hours what used to take weeks. But the code isn't always what it seems.

How Enclave works

Model-neutral — automatically uses the best AI model for every task, so you always get the strongest results.

01 Workspace Wiki

Understands your code deeply enough to know what's noise

Enclave traces data flows across files, services, and trust boundaries — not to find more things, but to know which findings are real and which are waste. It builds a living map of your codebase so every finding comes with the context you need to act on it.

  • Cross-file taint analysis that follows data through your entire stack
  • Maps trust boundaries, services, and sensitive data flows
  • Gives every finding the context to tell real risks from noise
services/payment.ts
14  async function processPayment(req, res) {
15    const { amount, userId } = req.body;
16    const balance = await getBalance(userId);
17    if (balance >= amount) {
18      await deductBalance(userId, amount);
19      await createTransaction(userId, amount);
20    }
21  }
Race condition in payment flow
Lines 16–18 check and deduct balance without a lock. Concurrent requests can double-spend by reading stale balance. Use a database transaction with SELECT ... FOR UPDATE.
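The check-then-deduct race from the finding above, reproduced as an added example (not Enclave's code or output). It assumes an in-memory store in place of the database and a per-user promise chain in place of the row lock that SELECT ... FOR UPDATE would take; makeStore, withRowLock, payUnsafe, paySafe and race are hypothetical names.

```javascript
// Constructed in-memory stand-in for the balance table. getBalance/deductBalance
// mirror the names in the snippet above; everything else is hypothetical.
const tick = () => new Promise((resolve) => setImmediate(resolve)); // simulated DB latency

function makeStore(initial) {
  const balances = new Map(Object.entries(initial));
  const locks = new Map(); // userId -> tail of the promise chain holding the "row lock"
  return {
    async getBalance(userId) { await tick(); return balances.get(userId); },
    async deductBalance(userId, amount) {
      await tick();
      balances.set(userId, balances.get(userId) - amount);
    },
    // Serialises callers per user, the role SELECT ... FOR UPDATE plays in a real transaction.
    withRowLock(userId, fn) {
      const prev = locks.get(userId) || Promise.resolve();
      const run = prev.then(fn);
      locks.set(userId, run.catch(() => {})); // a failed holder must not block the next one
      return run;
    },
    peek: (userId) => balances.get(userId),
  };
}

// Same check-then-deduct shape as lines 16-18: the read and the write are separate awaits.
async function payUnsafe(store, userId, amount) {
  const balance = await store.getBalance(userId);
  if (balance < amount) return false;
  await store.deductBalance(userId, amount);
  return true;
}

// Hardened: the check and the deduction both happen while the per-user lock is held.
function paySafe(store, userId, amount) {
  return store.withRowLock(userId, () => payUnsafe(store, userId, amount));
}

// Fires n concurrent payments of 100 against a balance of 100 and reports the outcome.
async function race(pay, n = 2) {
  const store = makeStore({ alice: 100 });
  const results = await Promise.all(Array.from({ length: n }, () => pay(store, "alice", 100)));
  return { approved: results.filter(Boolean).length, balance: store.peek("alice") };
}

race(payUnsafe).then((r) => console.log("unsafe", r)); // { approved: 2, balance: -100 }
race(paySafe).then((r) => console.log("locked", r));   // { approved: 1, balance: 0 }
```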
02 Deep Research

Helps you find the vulnerabilities that would break the headline

With the noise cleared, Enclave gives your team something no scanner can: deep, contextual understanding of your codebase's security posture. It traces data flows across your architecture — mapping files, services, and trust boundaries — so you have the full picture when investigating what's real.

  • Multi-hop analysis across services and repositories
  • Maps the full attack surface for every real finding
  • Shows its reasoning so you understand why it matters
Detected missing authorization check on admin endpoint
admin/settings.ts:23
Found user-controlled account ID in request parameters
The accountId parameter is taken directly from the URL path without verifying ownership
api/accounts.ts:47, middleware/auth.ts:12
Confirmed: any authenticated user can access any account's admin settings
Insecure direct object reference allows full account takeover via predictable ID enumeration
admin/settings.ts, api/accounts.ts, middleware/auth.ts
Checked 4 similar endpoints — same pattern found
admin/billing.ts:31, admin/users.ts:56
03 PR Reviews

Reviews every pull request like your best researcher

Enclave tracks every PR across your repos and lets you deep-research any change — surfacing real security issues, not burying you in style nits and low-risk warnings.

  • Tracks PRs across all your repositories in one place
  • Deep-research any diff for security implications
  • Investigate vulnerabilities with full codebase context
feat: add user export endpoint #347
src/controllers/userController.ts
24 async exportUsers(req, res) {
25 const users = await db.users.findAll();
26 return res.json(users);
26+ return res.json(users.map(UserDTO.safe));
Enclave HIGH
Line 26 returns raw rows — exposes password_hash, reset_token. Map through a DTO.
27 }
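Review bot: in exportUsers, line 25 still calls db.users.findAll() with no filter, limit or caller check, so the DTO mapping on line 26 narrows the fields but the handler continues to return every user row to whoever reaches it. Add pagination or an explicit cap, and either check the caller's role inside the handler or document which middleware enforces it. It is also worth confirming that UserDTO.safe is an allowlist of fields rather than a removal of the known sensitive ones, since a denylist would expose any column added later.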
src/routes/api.ts
41 router.get("/export/users",
42+ rateLimit({ window: "15m", max: 5 }),
43 userController.exportUsers
44 );
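Review bot: the middleware chain for /export/users on lines 41-43 shows only rateLimit ahead of userController.exportUsers, with no authentication or authorization step in the lines shown. If that is not applied at router level, add it before the limiter. Also, max: 5 per 15m bounds the request count, not the data volume: while the handler returns the full table in one response, a single allowed request is enough to export it, so the limit should be paired with pagination or a per-response cap.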
Enclave MEDIUM
No rate limiting on export endpoint. An attacker could scrape entire user table.

Pricing

Usage-based pricing. Pay for what you use.

Open Source
$0/month
Free forever for public repositories.
  • Public repositories only
  • Unlimited credits
  • Community support
Starter
$0/month
Free for individual developers.
  • Unlimited repositories
  • 2,500 credits/month
  • Community support
Pro
$29/month
For developers who need full coverage.
  • Unlimited repositories
  • 10,000 credits/month
  • Top up as you go
  • Priority support
  • Community support

Ship fast. Ship secure.

Let Enclave release the security bottleneck so your team can ship with confidence.

Backed by 8VC and industry-defining founders

  • Marc Benioff, Salesforce
  • Patrick Collison, Stripe
  • Aaron Levie, Box
  • Diane Greene, VMware
  • Suhail Doshi, Mixpanel
  • Jeremy Stoppelman, Yelp
  • Mark Pincus, Zynga