misconfigs Beta

One scan.
Every layer of your stack.

Upload a project archive and misconfigs scans AI/MCP configs, IaC, CI/CD pipeline configs, network rules, and identity policies together — then maps attack paths across layers, flags intent vs. reality gaps, and surfaces Opposite Day contradictions where configs in the same repo fight each other.

5 Security domains
Attack paths: cross-domain kill chains
Intent gaps: names vs. reality
Contradictions: Opposite Day

What makes this different

Full stack scan

Drop a monorepo .zip — Terraform, K8s manifests, GitHub Actions, NGINX, IAM policies, and MCP configs scanned in one pass.

Attack paths

Step-by-step kill chains across CI/CD, IaC, network, identity, and AI — if X is exploited, what happens next?

Intent vs. reality

Flags configs named “internal-only” or tagged read-only that still allow 0.0.0.0/0, wildcard IAM, or shell tools: semantic dishonesty that linters miss.

Opposite Day contradictions

Finds two configs in the same repo that fight each other, for example PodSecurity denies privileged while a Deployment requests it, or a signed-commit policy sits alongside pull_request_target.

Executive summary

Founder- and CISO-ready PDF with overall score, product scorecard, and prioritized cross-domain risk chains.

Run full stack scan

Upload a .zip of your entire project — max 10 MB

Try one free demo below (no account), or sign in to scan your repo and save results.

Automated scans only — not a penetration test, compliance audit, or professional security advice. Results may contain false positives or miss issues. You are responsible for validating findings before acting. Terms · Privacy

The optional scan assistant and Explain actions use Google Gemini (a third-party AI). Responses are generated automatically and may be inaccurate or incomplete — not security, legal, or professional advice. Chat sends finding details, scan summaries, and your messages to Google for processing. Do not include secrets you cannot afford to disclose. Official Terms (AI section) and Privacy Policy (AI section) are the source of truth, not assistant replies.

Multi-repository scan

Scan several repositories in one portfolio view. Sign in on Pro or Team to use multi-repo scanning.


API quickstart

Scan via REST with your API key — same engines as the upload form.

Example request

curl -X POST "http://api.misconfigs.com/api/v1/fullstack?format=json&fail_on_regression=critical,high" \
  -H "X-API-Key: mc_your_key" \
  -F "file=@my-project.zip"

Full stack security scanner across every layer

misconfigs is a full stack scanner that runs IaC, CI/CD, network, identity, and MCP/AI checks from a single project archive — then maps attack paths and intent gaps across layers.

Use it when separate Terraform, pipeline, and MCP scanners miss how findings chain together in one repo.