A comprehensive breakdown of the vulnerability classes, exposed secrets, and AI-specific anti-patterns detected by Erzo.

Detect hardcoded keys, tokens, and passwords that AI assistants frequently leave in source code or config files.

| Detection Pattern | Severity | Included In Plan |
|---|---|---|
| Supabase Service Role Key | Critical | Free |
| AWS IAM Access Keys | Critical | Free |
| Stripe Secret/Restricted Keys | Critical | Free |
| GitHub Personal Access Tokens | High | Free |
| OpenAI/Anthropic API Keys | High | Free |
| Database Connection Strings with Passwords | Critical | Free |

Catch security anti-patterns specifically generated by tools like v0, Cursor, and Copilot during rapid prototyping.

| Detection Pattern | Severity | Included In Plan |
|---|---|---|
| Missing Row Level Security (RLS) | Critical | Free |
| Authentication Bypass via Client-side-only Checks | High | Pro |
| Prompt Injection Susceptibility | High | Pro |
| Excessive Agentic Agency (Unbounded Tool Use) | Critical | Team |
| Insecure Direct Object Reference (IDOR) in Next.js Server Actions | High | Pro |

Identify misconfigured local or cloud infrastructure files that expose sensitive services to the public internet.

| Detection Pattern | Severity | Included In Plan |
|---|---|---|
| Exposed Ollama API Endpoints | High | Pro |
| Unauthenticated Jupyter Notebooks | Critical | Pro |
| Default Credentials in docker-compose.yml | Medium | Pro |
| Wildcard CORS policies on internal APIs | Medium | Pro |

Check dependencies continuously against the OSV (Open Source Vulnerabilities) database for known vulnerabilities, and flag hallucinated or outdated packages.

| Detection Pattern | Severity | Included In Plan |
|---|---|---|
| Known CVEs in package.json | Variable | Free |
| Malicious Package Detection (Typosquatting) | High | Pro |
| Hallucinated Non-Existent Packages | Medium | Free |