Code Privacy Scanner — PII-in-Code & Log-Leak Detection (Browser + CI, SARIF Export)
The cheapest place to fix a privacy problem is in the pull request. By the time PII is flowing through production logs, it's an incident with a notification clock. This scanner catches it while it's still a code review comment.
👉 Try the live demo — scan a sample file, watch PII-in-logs and log-leaks flag by severity, then flip on strict mode and see the CI merge-gate react. Runs in your browser; nothing to install.
Privacy findings, not another secrets scanner. Secrets detection is table stakes (and included) — the point is what security tools don't look for: PII flowing into logging calls, real-looking identifiers hardcoded in fixtures and seed data (with Luhn validation on card numbers), sensitive field names in schemas and models, identity data riding in URL query strings, and direct identifiers passed to analytics and telemetry calls. Every finding carries a data-category tag and a one-line remediation written the way a practitioner would write the review comment.
One engine, runs anywhere your code lives:
- Browser — open one file, drop a repo folder on it, read findings. Your code never leaves the machine: no upload, no account, no telemetry. The scan a privacy officer can run without a DevOps ticket.
- CI, zero dependencies — a single Node script (no npm install) that runs identically in GitHub Actions, Azure Pipelines, AWS CodeBuild, GitLab CI, Jenkins, or a laptop — including air-gapped. Severity-based exit codes gate merges; copy-paste pipeline snippets for all four major platforms are included.
- SARIF export — findings appear natively in GitHub's code-scanning tab and Azure DevOps with no integration work. JSON and CSV too.
Tuned for adoption, switchable for audits. Precise mode (default) keeps CI gates quiet: placeholder emails and non-Luhn digit runs are suppressed, and findings in test/fixture paths downgrade one severity notch — reported, annotated, not blocking. Strict mode reports everything and adds phone and IP rules. A documented JSON rulepack ships alongside.
Feeds your inventory: data-category tags on findings are discovery input for the Data Inventory & Mapping Builder — if the code logs it, a system processes it, and it belongs on your map.
Honesty clause: this is heuristic static analysis. It will flag a fixture that's fine and miss a leak routed through three helper functions. It finds the cheap 80% so your judgment goes where it's needed — it complements security tooling, and it is not a compliance guarantee.
License: one organization, unlimited users, perpetual. Internal customization permitted — the engine is plain, readable JavaScript.
Tooling for privacy operations, not legal advice.