Security scan

Atlas scans your source tree for leaked secrets and insecure configuration alongside the architectural analysis — no separate step.

When it runs

The scan runs automatically during an examination whenever a source tree is on disk (any repo imported by Git URL or ZIP). Findings ride the same pipeline as the architectural issues, so they appear in the dashboard the moment processing finishes.

What it detects

API keys: OpenAI, Anthropic, Gemini, AWS, GitHub, Stripe, Slack, SendGrid, Twilio…
Supabase JWTs: service_role keys that bypass Row-Level Security, and anon keys to review.
Private keys: PEM blocks (RSA / EC / OpenSSH), Google & Firebase service-account JSON.
Database URLs: Connection strings with an embedded password.
Exposed .env: .env files that aren't covered by .gitignore.

In the dashboard

Security findings show up in both the Overview and Analysis tabs, grouped by severity (Critical / High / Medium / Low). Click a group chip to filter to just those. Each finding carries a redacted proof (never the raw secret), the detector id, a confidence score and a concrete remediation you can copy.

Every matched value is redacted before it's stored or displayed — Atlas shows enough to locate the secret, never enough to reuse it. Rotate any real credential the scan surfaces.
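
The Supabase JWT check and the redact-before-store rule described above, as an added example that is not Atlas's own detector. The function names, the severity mapping, the six-character proof prefix and the reliance on the token's `iss` and `role` claims are assumptions of this example; the sample tokens are constructed and carry a fake signature.

```python
import base64
import json
import re

# A JWT is three base64url segments; a JSON object always encodes to "eyJ...".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Assumed severity mapping for this example (not Atlas's own scoring).
ROLE_SEVERITY = {"service_role": "Critical", "anon": "Low"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str):
    """Return the JWT payload as a dict, or None if it does not decode."""
    segment = token.split(".")[1]
    try:
        claims = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from it
        return None
    return claims if isinstance(claims, dict) else None


def redact(token: str, keep: int = 6) -> str:
    """Keep a short header prefix; drop the payload and signature entirely."""
    return f"{token[:keep]}...[redacted {len(token) - keep} chars]"


def scan(text: str, path: str = "<input>"):
    """Report Supabase JWTs by role claim, storing only a redacted proof."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in JWT_RE.finditer(line):
            claims = decode_claims(match.group())
            if not claims or claims.get("iss") != "supabase":
                continue
            role = claims.get("role")
            if isinstance(role, str) and role in ROLE_SEVERITY:
                findings.append({"path": path, "line": lineno, "role": role,
                                 "severity": ROLE_SEVERITY[role],
                                 "proof": redact(match.group())})
    return findings


def make_token(role: str) -> str:
    """Build a constructed sample token with a fake signature (demo input)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": "supabase", "role": role}).encode())
    return f"{header}.{payload}.{b64url(b'not-a-real-signature')}"
```

Calling `scan()` on file contents returns one finding per Supabase key with its path, line, role and severity; the raw token never enters the finding, so anything stored or rendered downstream holds only the redacted proof.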