Running Scans
Learn the two scan modes and pick the right one for your workflow.
Flowpatrol has two scan modes. They trade off speed against depth: Surface is quick and shallow, Deep is slow and thorough.
Surface
A fast check that runs in 1-3 minutes. No authentication, no crawling — it hits your URL and looks for obvious issues.
Cost: 1 credit | Time: 1-3 min | Available on: All plans (including free)
What it checks
| Check | What it finds |
|---|---|
| JS bundle analysis | API keys, service role keys, and secrets leaked in client-side JavaScript |
| Security headers | Missing HSTS, CSP, X-Frame-Options, overly permissive CORS |
| Exposed paths | .env files, .git/config, admin panels, debug endpoints, backup files |
| Supabase RLS | Tables readable without authentication (extracts your Supabase URL and anon key automatically) |
| Framework fingerprinting + CVEs | Detects framework versions and checks for known vulnerabilities |
| Deterministic probes (SQLi, SSTI, IDOR) | Quick checks for common injection and access control issues |
| JWT security | Weak signing, missing expiration, algorithm confusion |
| Screenshot evidence | Visual proof of findings captured by a headless browser |
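The security-header and CORS rows of the table above are the easiest Surface checks to reproduce yourself. The script below is an added example, not Flowpatrol's code: it evaluates one captured set of response headers (the two header dictionaries are constructed samples, and `https://third-party.example` is an assumed untrusted request origin) and reports missing HSTS and CSP, a frameable page, and a CORS policy that reflects an untrusted origin with credentials, alongside the hardened form that passes clean.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: headers a misconfigured app might return to a request
# whose Origin header was https://third-party.example (an assumed untrusted origin).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Access-Control-Allow-Origin": "https://third-party.example",
    "Access-Control-Allow-Credentials": "true",
}

# Constructed sample: the same app after hardening.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Access-Control-Allow-Origin": "https://app.example",
}


@dataclass
class Finding:
    header: str
    severity: str
    detail: str


def _hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from an HSTS header value, or None if absent or unparsable."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def _csp_directive(csp: str, name: str) -> Optional[List[str]]:
    """Return the source list of one CSP directive, or None if the directive is not set."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def audit_headers(headers: Dict[str, str], request_origin: str = "https://third-party.example") -> List[Finding]:
    """Check one response's headers for the header and CORS issues a Surface scan reports."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[Finding] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("Strict-Transport-Security", "medium", "missing; first visit can be downgraded to HTTP"))
    else:
        max_age = _hsts_max_age(hsts)
        if max_age is None or max_age < 15552000:  # 180 days, a common minimum
            findings.append(Finding("Strict-Transport-Security", "low", f"max-age={max_age} is below 180 days"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(Finding("Content-Security-Policy", "medium", "missing; browser offers no XSS containment"))
    else:
        script_src = _csp_directive(csp, "script-src")
        if script_src is None:  # script-src falls back to default-src
            script_src = _csp_directive(csp, "default-src") or []
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append(Finding("Content-Security-Policy", "medium", "script-src permits inline or any-origin scripts"))

    # Framing is blocked by either X-Frame-Options or a CSP frame-ancestors directive.
    frame_ancestors = _csp_directive(csp, "frame-ancestors") if csp else None
    if frame_ancestors is None and "x-frame-options" not in h:
        findings.append(Finding("X-Frame-Options", "low", "missing and CSP sets no frame-ancestors; page can be framed"))

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append(Finding("Access-Control-Allow-Origin", "high", "wildcard origin combined with credentials"))
    elif acao == request_origin and creds:
        findings.append(Finding("Access-Control-Allow-Origin", "high", f"reflects untrusted origin {request_origin} with credentials"))
    elif acao == "*":
        findings.append(Finding("Access-Control-Allow-Origin", "low", "any origin may read responses"))

    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' for a clean response."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        found = audit_headers(hdrs)
        print(f"{label}: {len(found)} finding(s), worst={worst_severity(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.header}: {f.detail}")
```

The reflected-origin check is why a scanner sends its request with an Origin it controls: an `Access-Control-Allow-Origin` that echoes whatever it received, combined with `Allow-Credentials: true`, lets any site read authenticated responses, and no browser rule saves you the way it does for the literal `*`-plus-credentials combination.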
When to use it
- Before every deploy as a quick sanity check
- When you've just added a new API key or environment variable
- As a first pass on any app you want to evaluate
- To verify that a fix you made actually resolved the issue
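The "JWT security" row of the Surface table covers three things you can check without the signing key: an unsigned token (`alg: none` or an empty signature), a header algorithm that differs from the one the server expects (the algorithm-confusion case), and a missing or over-long `exp`. The block below is an added example, not Flowpatrol's code; the key, the fixed clock value and both sample tokens are constructed for the demo, and `verify_hs256` shows the mitigation side: a verifier that pins the algorithm instead of trusting the header.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional

# Constructed sample key and clock, used only for the tokens built below.
SAMPLE_KEY = b"sample-hs256-key-for-this-example-only"
NOW = 1_700_000_000


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_part(obj: Dict[str, Any]) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(payload: Dict[str, Any], key: bytes) -> str:
    """Issue a correctly signed HS256 token (sample issuer for this demo)."""
    signing_input = f"{_encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def make_unsigned_token(payload: Dict[str, Any]) -> str:
    """Build an alg=none token with an empty signature, as a constructed bad input."""
    return f"{_encode_part({'alg': 'none', 'typ': 'JWT'})}.{_encode_part(payload)}."


def inspect_jwt(token: str, expected_alg: str = "HS256", now: Optional[int] = None) -> List[str]:
    """Report structural weaknesses of a token; no key is needed for these checks."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-segment JWT"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return ["header or payload is not base64url-encoded JSON"]

    issues: List[str] = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none" or parts[2] == "":
        issues.append("unsigned token: alg=none or empty signature")
    elif alg != expected_alg:
        issues.append(f"alg={alg} differs from expected {expected_alg}; a verifier that trusts the header is open to confusion")

    exp = payload.get("exp")
    iat = payload.get("iat")
    if exp is None:
        issues.append("no exp claim: token never expires")
    elif isinstance(exp, (int, float)):
        if exp <= now:
            issues.append("token is expired")
        if isinstance(iat, (int, float)) and exp - iat > 86400:
            issues.append("lifetime exceeds 24 hours")
    return issues


def verify_hs256(token: str, key: bytes) -> bool:
    """Verify with the algorithm pinned by the server, never the one named in the header."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        provided = _b64url_decode(parts[2])
    except ValueError:
        return False
    if header.get("alg") != "HS256":
        return False  # alg=none and any other algorithm are refused outright
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, provided)


GOOD_TOKEN = make_hs256_token({"sub": "user-123", "iat": NOW, "exp": NOW + 3600}, SAMPLE_KEY)
BAD_TOKEN = make_unsigned_token({"sub": "user-123"})

if __name__ == "__main__":
    for label, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(f"{label}: issues={inspect_jwt(tok, now=NOW)} verifies={verify_hs256(tok, SAMPLE_KEY)}")
```

`inspect_jwt` is what a scanner can say about a token it captured; `verify_hs256` is what your server should do with one. Weak signing keys are not detectable offline this way, which is why the scan checks for it separately.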
Deep
A comprehensive security test that logs in as a test user, crawls your app, and tests for real vulnerabilities. Includes multi-user IDOR testing, chained attacks, and screenshot evidence.
Cost: 5 credits | Time: 15-30 min | Available on: All paid plans
What it checks
| Category | Examples |
|---|---|
| Authentication | Login bypass, weak session tokens, missing brute-force protection, OAuth misconfig |
| Access control | IDOR (accessing other users' data), privilege escalation, multi-user IDOR, missing RLS |
| Injection | SQL injection, XSS, SSRF, command injection |
| Business logic | Payment manipulation, webhook forgery, rate limit bypass, state tampering |
| Data exposure | Leaking internal fields in API responses, verbose errors, unprotected admin routes |
| Chained attacks | Multi-step exploit chains combining findings from earlier phases |
| Screenshot evidence | Visual proof of each finding captured by a headless browser |
When to use it
- Before launching to production
- After major feature changes (new auth flows, payment integration, admin panels)
- As a periodic check on running apps
- When a Surface scan finds issues and you want the full picture
Deep scans require domain verification for custom domains. Localhost URLs always work without verification.
How to start a scan
From the dashboard
1. Go to Scans in the sidebar
2. Click New Scan
3. Enter your target URL
4. Choose your scan mode — Surface or Deep
5. Click Start
The results page updates automatically when the scan finishes. You can navigate away — the scan runs in the background.
From your AI editor (MCP)
If you've set up MCP integration, ask your assistant directly:
```
Run a Flowpatrol Surface scan on https://myapp.vercel.app
Run a Deep Flowpatrol scan on https://myapp.vercel.app
```

Results appear inline in the chat.
How scans work under the hood
1. Reconnaissance — the agent discovers routes, APIs, and auth flows
2. Planning — an LLM analyzes the app structure and generates targeted attack hypotheses
3. Execution — each hypothesis is tested with real HTTP requests (and browser interactions when needed)
4. Reporting — findings are validated, deduplicated, and ranked by severity
Limits
- One scan runs per account at a time. If you start a new scan while one is running, it queues.
- Free accounts get 3 Surface scans per month. Builder and Pro accounts get 30 and 120 credits respectively.
Next
Now that you know how to run scans, learn how to read the results.