Six detection modes across your entire codebase — secrets, configs, dependencies, vulnerable code patterns. Runs locally in seconds, with results you can act on immediately.
Most codebases carry live vulnerabilities for weeks before anyone notices. By then, the window for an attacker is already open.
API keys, tokens, and credentials end up in repos. Automated scanners on the other side find them within hours of a push.
TLS disabled, debug mode on, wildcard CORS — small settings that accumulate quietly until something exploits them.
New vulnerabilities are published daily. Without scanning, you're shipping code with known vulnerabilities and no visibility into which ones.
Select any local path — a file, module, or entire repo. No cloud upload, no repo permissions. HZSec stays entirely on your machine.
Run a quick targeted scan or activate all six detection modes for a deep multi-layer analysis across your full codebase.
Every result shows severity, the affected file and line, context about the risk pattern, and a remediation suggestion.
One-click fixes for common patterns. A diff is shown before anything changes. Or send the finding to the AI assistant for guided help.
Six detection modes, auto-fixes, score tracking, audit history, and compliance tagging — all running locally, all in one app.
Secrets, configuration hardening, vulnerable code patterns, dependency CVEs, web exposure, and system risks. Each mode runs independently or all together.
Common findings — exposed keys, debug flags, insecure configs — can be fixed in one click. You see a diff before anything changes.
Every scan updates your security score. Track improvement over time, spot recurring issues, and see what dropped your score week-over-week.
Every scan, finding, and fix is recorded locally with a timestamp. Know exactly when an issue was introduced, detected, and resolved.
Every finding is automatically mapped to OWASP Top 10 and CIS benchmark controls, giving each result compliance context without manual work.
No network calls during scanning. No repo access needed. Your source code stays on your machine — always.
Real findings, real severity context, actionable next steps — not just a list of CVE numbers.
There are good scanning tools out there. HZSec isn't trying to replace them all — it fills the developer-workflow layer they all skip.
Excellent rule-based static analysis: open source and highly configurable. But it requires rule authoring, produces raw findings with no score tracking, and offers no AI remediation or breach context.
Comprehensive code quality and security for teams. But it's a server to stand up, a CI pipeline to wire in, and built for org-level reporting — not a developer's local, pre-commit workflow.
Deep expertise, high-quality findings. But they're periodic at best, expensive, and give you a point-in-time snapshot of a codebase that changed the next day.
Most projects under 50,000 lines complete in under 30 seconds. Large monorepos may take a couple of minutes depending on how many modes are active.
Six categories: exposed secrets and credentials, insecure configuration settings, known-vulnerable code patterns, dependency CVEs via CISA/NVD, web exposure risks, and system-level hardening gaps.
Never. HZSec runs entirely on your machine. No network calls are made during a scan. Your code stays local, full stop.
For common, deterministic findings — exposed API key format, debug flag set to true, insecure HTTP config — HZSec can apply the fix directly. You see a diff before anything changes.
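The config-hardening workflow described here (flag a weak setting with severity, file and line, then preview a diff before anything changes), as an added example that is not HZSec's code: a small Python checker run over a constructed config file. The rule ids, key names, severities and replacement values are illustrative assumptions.

```python
import re
import difflib
from dataclasses import dataclass

# Constructed sample config; the three weak settings are the ones named on the page.
SAMPLE_CONFIG = "DEBUG = true\ncors_allow_origin = *\ntls_enabled = false\nport = 8443\n"

# Illustrative rules (ids, key names and wording are assumptions, not HZSec's):
# (rule id, severity, regex for the weak setting, hardened replacement, remediation advice)
RULES = [
    ("CFG-DEBUG", "HIGH", re.compile(r"^(\s*DEBUG\s*=\s*)true\s*$", re.I), r"\1false",
     "Debug mode exposes stack traces and internals; disable it outside development."),
    ("CFG-CORS", "MEDIUM", re.compile(r"^(\s*cors_allow_origin\s*=\s*)\*\s*$", re.I),
     r"\1<set-explicit-origin>",  # placeholder: the developer supplies the real origin
     "Wildcard CORS lets any site read responses; allow explicit origins only."),
    ("CFG-TLS", "HIGH", re.compile(r"^(\s*tls_enabled\s*=\s*)false\s*$", re.I), r"\1true",
     "Plaintext transport exposes credentials and tokens in transit; enable TLS."),
]

@dataclass
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int      # 1-based line number of the weak setting
    context: str   # the offending line as written
    remediation: str

def scan_config(text: str, path: str = "config.ini") -> list[Finding]:
    """Return one Finding per weak setting, carrying severity, file and line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, severity, pattern, _fix, advice in RULES:
            if pattern.match(line):
                findings.append(Finding(rule_id, severity, path, lineno, line.strip(), advice))
    return findings

def propose_fix(text: str, path: str = "config.ini") -> tuple[str, str]:
    """Apply every rule's hardened value; return (fixed_text, unified_diff) without writing to disk."""
    fixed_lines = []
    for line in text.splitlines():
        for _id, _sev, pattern, replacement, _advice in RULES:
            line = pattern.sub(replacement, line)
        fixed_lines.append(line)
    fixed = "\n".join(fixed_lines) + "\n"
    diff = "".join(difflib.unified_diff(text.splitlines(keepends=True),
                                        fixed.splitlines(keepends=True),
                                        fromfile=f"a/{path}", tofile=f"b/{path}"))
    return fixed, diff
```

The returned diff is what a reviewer inspects before the fixed text is written back; re-running `scan_config` on the fixed text confirms the findings are cleared.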
Yes. You can target any local path — a single file, a module, or your entire repo. The scanner respects your .gitignore by default.
No. All six scan modes are available on the free tier. Pro adds the managed AI assistant and higher message limits for guided remediation.
Download HZSec, point it at a project, and get a complete findings report — locally, privately, free.
Free tier free forever · Mac + Windows · 100% local processing