Preflyt - Post-Deploy Security Scan
After deploying a web app, API, or backend to a public URL, run a Preflyt scan to detect exposed secrets, misconfigurations, and unsafe defaults.
When to use this
- After deploying a web application to production or staging
- After deploying a backend API (Node, Python, Go, etc.)
- After any infrastructure change that exposes a new URL
How to run a scan
```bash
npx preflyt-check https://your-deployed-url.com
```
With options:
```bash
# Fail when issues are found (for CI/CD)
npx preflyt-check https://your-deployed-url.com --fail

# Generate a shareable report link
npx preflyt-check https://your-deployed-url.com --share

# Unlimited scans with a Pro license
npx preflyt-check https://your-deployed-url.com --key YOUR_LICENSE_KEY
```
Exit codes:
- 0: scan completed, no issues (or issues found without --fail)
- 1: issues found with --fail set, or scan error
What it checks
- Exposed .env and config files (database passwords, API keys)
- Exposed .git repositories (source code leakage)
- Exposed backend source code (app.py, server.js, config.php served as static files)
- Exposed database files (dynamic detection using project name - {name}.db, {name}.sqlite3)
- Open database ports (MySQL, PostgreSQL, MongoDB, Redis, Elasticsearch)
- Directory listing detection and dangerous file parsing
- Exposed admin panels and debug endpoints
- Missing security headers (HSTS, CSP, X-Frame-Options, CORS)
- Exposed backup files and source maps
- Server version leakage
- Insecure cookie flags
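As an added example (not Preflyt's own code), the script below audits a captured HTTP response for several of the header and cookie weaknesses in this list and mirrors the CLI's --fail exit-code contract; the severity mapping and the sample response are constructed assumptions for the demo.

```javascript
// Added example (not Preflyt's own code): audit a captured HTTP response for the
// header and cookie weaknesses listed above. Offline and read-only; severities are assumed.
const REQUIRED_HEADERS = { // header -> severity assigned when the header is absent
  'strict-transport-security': 'HIGH',
  'content-security-policy': 'MEDIUM',
  'x-frame-options': 'MEDIUM',
};

// Parse "status line + header lines" into { lowercasedName: [values] }.
function parseResponseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(':');
    if (i < 0) continue; // blank or malformed line
    const name = line.slice(0, i).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(i + 1).trim());
  }
  return headers;
}

// Return { severity, msg } findings for one parsed response.
function auditHeaders(headers) {
  const findings = [];
  const add = (severity, msg) => findings.push({ severity, msg });
  for (const [name, sev] of Object.entries(REQUIRED_HEADERS)) {
    if (!headers[name]) add(sev, `missing ${name}`);
  }
  for (const cookie of headers['set-cookie'] || []) {
    const cname = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('secure')) add('HIGH', `cookie ${cname} lacks Secure`);
    if (!attrs.includes('httponly')) add('MEDIUM', `cookie ${cname} lacks HttpOnly`);
    if (!attrs.some((a) => a.startsWith('samesite='))) add('LOW', `cookie ${cname} lacks SameSite`);
  }
  const server = (headers.server || [])[0]; // e.g. "nginx/1.18.0" leaks a version number
  if (server && /\d/.test(server)) add('LOW', `server version leaked: ${server}`);
  if ((headers['access-control-allow-origin'] || [])[0] === '*') add('MEDIUM', 'CORS allows any origin');
  return findings;
}

// Same contract as the CLI: exit 1 only when --fail is set and issues exist.
function exitCode(findings, failFlag) { return failFlag && findings.length > 0 ? 1 : 0; }

// Constructed sample response carrying several of the weaknesses above.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: nginx/1.18.0',
  'Set-Cookie: session=abc123; Path=/; HttpOnly',
  'Set-Cookie: theme=dark; Path=/; Secure; SameSite=Lax',
  'Access-Control-Allow-Origin: *',
  'X-Frame-Options: DENY',
].join('\r\n');
```

Running `auditHeaders(parseResponseHeaders(SAMPLE_RESPONSE))` yields seven findings, two of them HIGH, so `exitCode(findings, true)` returns 1 and `exitCode(findings, false)` returns 0.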
What it does NOT do
- Does not scan source code or local files
- Does not perform exploit attempts
- Does not test authentication logic
- Does not scan localhost or private networks
- Does not read or transmit any local environment variables, files, or code
Privacy
- Without --share: all results display in the terminal only. No data is sent to preflyt.dev beyond the initial scan request containing the target URL.
- With --share: scan results are uploaded to preflyt.dev and a public report link is generated (valid 30 days).
- The scan sends only the target URL to api.preflyt.dev. No local files, code, or environment variables are transmitted.
- The npm package is open source and zero-dependency: https://github.com/doureios39/preflyt-check
Integration examples
Deploy script
```bash
#!/bin/bash
git pull
npm run build
pm2 restart app
sleep 5   # give the restarted app a moment to come up before scanning
npx preflyt-check https://mysite.com --fail || echo "Security issues found"
```
Git hook (post-receive)
```bash
#!/bin/bash
# .git/hooks/post-receive
git pull
npm run build
pm2 restart app
sleep 5
npx preflyt-check https://mysite.com
```
GitHub Actions
```yaml
- run: npx preflyt-check ${{ env.DEPLOY_URL }} --fail
```
Agent behavior
When a deployment to a public URL is detected:
1. Run `npx preflyt-check`
2. If HIGH severity findings exist, recommend an immediate fix
3. If there are MEDIUM or LOW findings, inform the user and suggest fixes
4. If there are no findings, confirm the deployment appears safe
5. Never let a Preflyt error block a deployment: if the scan fails, report the error and move on
Notes
- All checks are read-only and non-intrusive
- Scans take approximately 15-30 seconds
- Free tier: 3 scans. Pro ($9.99/mo): unlimited
- Website: https://preflyt.dev
- npm: https://www.npmjs.com/package/preflyt-check
- Source: https://github.com/doureios39/preflyt-check