AI agents lie about security. Ciphra catches the API keys they left in your code, then proves they're live.
Detect leaked secrets. Fix what's broken. Watch deployments live.
Scan your code and built bundles for API keys. Every detection is validated against the live service — no theoretical warnings.
ciphra harden applies reversible, stack-aware patches. Beta for Next.js + Supabase at launch.
Continuous monitoring of deployed sites. Coming after launch.
Install
npm install -g ciphra
ciphra scan .

uvx ciphra-mcp

# ~/.cursor/mcp.json (and ~/.claude.json)
{
  "mcpServers": {
    "ciphra": {
      "command": "uvx",
      "args": ["ciphra-mcp"]
    }
  }
}

How it works
- 1. Install the CLI (and optionally the MCP server). It runs entirely on your machine.
- 2. Run ciphra scan in any project. Findings appear in your terminal in seconds.
- 3. Sign up for the dashboard to track findings across projects and teams. Optional.
Pricing
Free during beta. Team and Compliance tiers coming after launch.
FAQ
Does Ciphra send my source code anywhere?
No. The CLI runs on your machine. Only findings (already-redacted secrets and metadata) are sent to the dashboard, and only if you set CIPHRA_API_KEY. The full secret values never leave your machine.
How is this different from TruffleHog or GitLeaks?
TruffleHog and GitLeaks pattern-match in source code. Ciphra validates findings against the live service (a regex match tells you a string looks like a Stripe key; a 200 response from Stripe tells you the key works), scans built bundles where keys actually ship to production, and exposes itself as an MCP server so AI agents can check their own work.
What does it cost?
Free during beta. After launch, Solo stays free; Team and Compliance tiers will be announced 30 days post-launch with pricing.