Skip to content

Security Scanners — Free Infrastructure Security Tools

Browser-based security scanners for infrastructure, containers, CI/CD pipelines, and IaC. Paste a config file and get an A–F grade with specific fixes. No signup, no install.

Infrastructure & IaC

🔒

Terraform Security Scanner

Checks hardcoded AWS credentials, open SSH/database ports, public S3 buckets, unencrypted RDS/EBS, no deletion protection. 9 checks.

→ Paste your .tf file


🛡️

HTTP Security Headers Analyzer

Checks HSTS, CSP, X-Frame-Options, Permissions-Policy, and 7 more missing security headers. Returns a Nginx snippet to fix them.

→ Enter any URL

Containers & Kubernetes

☸️

Kubernetes YAML Security Linter

12 misconfigurations: runAsRoot, privileged containers, missing resource limits, allowPrivilegeEscalation, hardcoded secrets, no seccomp.

→ Paste K8s YAML (Deployment/Pod/DaemonSet)


🐳

Docker Compose Security Checker

Docker socket mounts, privileged containers, network_mode:host, mutable image tags, DB ports on 0.0.0.0, hardcoded secrets.

→ Paste docker-compose.yml


📦

Dockerfile Security Linter

Root user, no HEALTHCHECK, mutable base image tags, hardcoded secrets in ENV/ARG, no non-root USER instruction.

→ Paste Dockerfile


📋

K8s Deprecation Checker

99 rules covering K8s 1.16–1.33. Paste manifests, find deprecated APIs before they break your cluster upgrade.

→ Paste YAML manifests

CI/CD & Supply Chain

🔐

GitHub Actions Security Checker

Supply chain attack vectors (pull_request_target + checkout), missing permissions blocks, hardcoded secrets, secrets in run steps.

→ Paste .github/workflows/*.yml


⚙️

GitHub Actions Version Auditor

Find outdated action versions, mutable tag pinning (uses: actions/checkout@v3), and unverified publishers in your workflows.

→ Paste .github/workflows/*.yml

Dependency Security

Find deprecated, abandoned, and vulnerable dependencies in your lockfiles before they make it to production.

🛡️

Vulnerability Scanner

Full CVE report from OSV.dev. Supports package-lock.json and requirements.txt.


📦

npm Package Health

Deprecated, abandoned, single-maintainer risk in package.json.


🐍

PyPI Package Health

Yanked packages, abandoned (5y+), version gaps in requirements.txt.

Also see

  • All 65 free tools — cron builder, PromQL builder, nginx config gen, CIDR calculator, EOL timeline
  • Health badges — embed A–F security grades in your README
  • Developer reference guides — K8s, Docker, GitHub Actions, Terraform, and 190+ more
  • .env Security Scanner — detect exposed API keys, passwords, tokens, and high-entropy secrets in your .env files. All client-side.

Founded

2023 in London, UK

Contact

hello@releaserun.com

Powered by ReleaseRun — Free developer tools for release lifecycle management