14:32:01 [SCAN] Hardcoded Alpaca API key detected in strategy.py
14:32:03 [BLOCKED] Live endpoint rejected - paper mode required
14:32:05 [SECURE] Position size within configured limit
14:32:08 [SCAN] AWS secret key found in config.json line 14
14:32:11 [BLOCKED] Order rejected - exceeded max allocation (20%)
14:32:14 [SCAN] Binance secret exposed in .env file
14:32:17 [SECURE] All credentials resolved to environment variables
14:32:19 [SCAN] Private key PEM block found in deploy.sh
14:32:22 [SCAN] 0 findings across 12 files - clean
14:32:25 [SECURE] Drawdown limit enforced at 5% threshold
// code scanner

Your code stays here.
The vulnerabilities don't.

45 built-in rules. 4 categories. Scans algorithms for hardcoded credentials, broker API keys, and trading logic vulnerabilities.

Before you paste your code into an AI assistant, protect yourself.
Run quanttape scan first. Use Guard to block secrets at runtime.


// scan your code

Supported file types: .py .js .ts .env .yaml .yml .json .toml .cfg .ini .sh .go .rs .rb
Your code never leaves this page. All scanning runs locally in your browser.

// all 45 rules

Four categories covering credentials, broker-specific keys, trading logic patterns, and AI agent egress.

General Credentials · 12 rules
[Critical] AWS Access Key ID: Detects AWS access key IDs starting with AKIA followed by 16 alphanumeric characters.
[Critical] AWS Secret Access Key: Detects AWS secret access keys assigned to variables or config entries.
[High] GitHub Token: Detects GitHub personal access tokens or service tokens (ghp_, ghs_ prefix).
[Critical] Private Key: Detects PEM-encoded private key headers (RSA, EC, DSA, OPENSSH, PGP).
[High] JWT Token: Detects JSON Web Tokens with the eyJ header prefix and three dot-separated segments.
[Critical] Database URL: Detects database connection strings with embedded credentials (MySQL, Postgres, MongoDB, Redis, AMQP).
[Medium] Generic API Key: Detects generic api_key or apikey variable assignments with 20+ character values.
[Medium] Generic Password: Detects hardcoded password assignments in variables or config files.
[Critical] GCP Service Account Key: Detects Google Cloud Platform service account key files by their type field.
[Critical] Azure Client Secret: Detects Azure client secret or Azure secret variable assignments.
[High] Slack Token: Detects Slack bot, user, or workspace tokens (xoxb-, xoxp-, xoxo-, xoxr-, xoxs- prefixes).
[High] Telegram Bot Token: Detects Telegram bot API tokens with numeric bot ID and alphanumeric secret.
Broker & Exchange Keys · 13 rules
[Critical] Alpaca API Key (Header): Detects APCA-API-KEY-ID header values with 16+ character keys.
[Critical] Alpaca Secret Key (Header): Detects APCA-API-SECRET-KEY header values with 36+ character secrets.
[Critical] Alpaca API Key (Variable): Detects Alpaca API key assignments in Python/JS variables.
[Critical] Alpaca Secret (Variable): Detects Alpaca secret key assignments in Python/JS variables.
[Critical] Binance API Key: Detects Binance API key or secret assignments with 64-character values.
[Critical] Coinbase API Key: Detects Coinbase API key or secret variable assignments.
[Critical] Coinbase Pro/Advanced: Detects Coinbase Pro access passphrase assignments.
[Critical] Interactive Brokers Gateway: Detects IB Gateway or TWS password assignments.
[Critical] Kraken API Key: Detects Kraken API key or secret assignments with 40+ character values.
[Critical] TD Ameritrade/Schwab Key: Detects TD Ameritrade, Schwab, or TDA API key and client ID assignments.
[Critical] Tradier API Token: Detects Tradier API token, key, or secret assignments.
[High] Polygon.io API Key: Detects Polygon.io API key or token variable assignments.
[High] Webhook URL: Detects Discord or Slack webhook URLs that could be used to exfiltrate data.
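As an added illustration of how pattern rules of this kind work (my own code, not QuantTape's rules or implementation), the following Python scans a source file against a small rule table covering a few of the credential and broker rules above. Each rule is a severity plus a regular expression, every hit is reported with the finding fields the SDK section lists (file, line, secret_type, severity, match_preview), and the preview is masked so the report itself cannot re-leak the value. The patterns, the `Finding` class and the sample strategy file are assumptions that approximate the rule descriptions; the vendor's actual expressions are not published on this page.

```python
import re
from dataclasses import dataclass

# Rule table: (rule name, severity, compiled pattern). These patterns are my own
# approximations of the rule descriptions on this page, not QuantTape's regexes.
# Where a pattern has a capture group, the group is the secret itself.
RULES = [
    ("AWS Access Key ID", "Critical",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub Token", "High",
     re.compile(r"\bgh[ps]_[A-Za-z0-9]{36}\b")),
    ("JWT Token", "High",
     re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")),
    ("Private Key", "Critical",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
    ("Database URL", "Critical",
     re.compile(r"\b(?:mysql|postgres(?:ql)?|mongodb(?:\+srv)?|redis|amqp)://[^\s:/@]+:[^\s@]+@", re.I)),
    ("Alpaca Secret Key (Header)", "Critical",
     re.compile(r"APCA-API-SECRET-KEY\W+([A-Za-z0-9/+=_-]{36,})")),
    ("Binance API Key", "Critical",
     re.compile(r"binance[_-]?(?:api[_-]?)?(?:key|secret)\W+['\"]?([A-Za-z0-9]{64})\b", re.I)),
    ("Generic API Key", "Medium",
     re.compile(r"api[_-]?key\W+['\"]?([A-Za-z0-9_-]{20,})", re.I)),
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    secret_type: str
    severity: str
    match_preview: str


def mask(secret: str) -> str:
    """Keep only a short prefix and suffix so a report or CI log cannot re-leak the value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-2:]}"


def scan_text(text: str, file: str = "<stdin>") -> list[Finding]:
    """Run every rule over every line; one Finding per match, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, severity, pattern in RULES:
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(file, lineno, name, severity, mask(secret)))
    return findings


def scan_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed sample strategy file. The AWS key is the placeholder value used in
# AWS documentation; the other values are made up for this demo.
SAMPLE_STRATEGY = '''\
import os

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://trader:hunter2@db.internal:5432/prod"
SESSION_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0cmFkZXIifQ.c2lnbmF0dXJl"
BINANCE_SECRET = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
alpaca_api_key = os.environ["APCA_API_KEY_ID"]   # resolved at runtime: not flagged
# api_key rotation policy is documented in README
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_STRATEGY, "strategy.py"):
        print(f"{f.severity} | {f.secret_type} | {f.file}:{f.line} | {f.match_preview}")
```

Two points worth noticing in the sample: line 7 reads the key from the environment, so there is no literal to match and nothing is reported, which is the state the ticker's "All credentials resolved to environment variables" line describes; and the preview for the database URL never contains the password. Regex rules trade precision for recall, so a production scanner adds entropy checks and an allow-list for documented placeholder values on top of a table like this.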
Trading Logic · 12 rules
[High] Hardcoded Live Trading URL: Detects hardcoded Alpaca live trading API endpoint URLs.
[High] Hardcoded Binance Live Endpoint: Detects hardcoded Binance live API endpoint URLs.
[High] No Position Size Limit: Detects direct full-account sizing without an explicit cap or risk budget.
[Medium] Market Order Without Limit: Flags market-order usage for review, especially outside obvious close or flatten flows.
[Low] No Error Handling on Order: Flags direct order-submission calls for review when error handling is not obvious.
[Low] Infinite Loop Risk: Flags unconditional while True loops for review when shutdown logic is not obvious.
[Low] Sleep Without Kill Switch: Flags hardcoded numeric sleeps, which often appear in polling loops without a shutdown path.
[Low] Hardcoded Ticker Symbol: Flags hardcoded ticker assignments, ignoring aggregate placeholders such as ALL.
[High] Extended Hours Without Limit Order: Flags extended-hours orders that are not limit orders with time_in_force=day; market orders are rejected in extended sessions.
[High] Leverage Without Cap: Flags leverage or margin multipliers set without an explicit cap or config reference.
[Medium] Hardcoded Notional Amount: Flags large hardcoded dollar amounts in orders; use calculated position sizing with risk budgets instead.
[Low] Hardcoded Crypto Pair: Flags hardcoded crypto trading pairs; make them configurable for reuse across markets.
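The Trading Logic rules are about code structure rather than string patterns, which is why the CLI section below distinguishes trading-aware (AST) scanning from generic mode. As an added example (my own code, not QuantTape's implementation), this Python checker uses the standard `ast` module to implement four of the rules above, Hardcoded Live Trading URL / Hardcoded Binance Live Endpoint, Infinite Loop Risk, Sleep Without Kill Switch and Market Order Without Limit, and puts a text-only check beside it to show what AST-aware suppression buys. The sample bot, its `broker_client` module and the `submit_order(type=...)` keyword are assumptions for the demo.

```python
import ast
import re

# Endpoints named by the two "Hardcoded Live ..." rules (assumed hostnames for the demo).
LIVE_ENDPOINTS = {
    "https://api.alpaca.markets": "Hardcoded Live Trading URL",
    "https://api.binance.com": "Hardcoded Binance Live Endpoint",
}


def _loop_can_exit(loop: ast.While) -> bool:
    """True if the loop body contains a statement that leaves this loop.

    A break inside a nested loop only leaves that inner loop, so nested loops are
    searched for return/raise only. (Returns inside nested function definitions
    are not special-cased here, for brevity.)
    """
    stack = list(loop.body)
    while stack:
        node = stack.pop()
        if isinstance(node, (ast.Break, ast.Return, ast.Raise)):
            return True
        if isinstance(node, (ast.For, ast.While, ast.AsyncFor)):
            stack.extend(n for n in ast.walk(node) if isinstance(n, (ast.Return, ast.Raise)))
        else:
            stack.extend(ast.iter_child_nodes(node))
    return False


def _is_numeric_sleep(node: ast.AST) -> bool:
    """Matches calls like time.sleep(5) with a literal numeric argument."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "sleep" and len(node.args) == 1
            and isinstance(node.args[0], ast.Constant)
            and isinstance(node.args[0].value, (int, float)))


def check_strategy(src: str) -> list[tuple[int, str, str]]:
    """Return (line, severity, rule) for the Trading Logic rules implemented here."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.While):
            unconditional = isinstance(node.test, ast.Constant) and node.test.value in (True, 1)
            if unconditional and not _loop_can_exit(node):
                findings.append((node.lineno, "Low", "Infinite Loop Risk"))
                # A fixed numeric sleep inside a loop that cannot exit is a polling
                # loop with no shutdown path; sleeps in exitable loops are suppressed.
                for sub in ast.walk(node):
                    if _is_numeric_sleep(sub):
                        findings.append((sub.lineno, "Low", "Sleep Without Kill Switch"))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "submit_order"):
            kwargs = {kw.arg: kw.value for kw in node.keywords}
            order_type = kwargs.get("type")
            if isinstance(order_type, ast.Constant) and order_type.value == "market":
                findings.append((node.lineno, "Medium", "Market Order Without Limit"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url, rule in LIVE_ENDPOINTS.items():
                if node.value.startswith(url):
                    findings.append((node.lineno, "High", rule))
    return sorted(findings)


def generic_grep(src: str) -> list[int]:
    """Text-only check, as a generic (non-AST) scanner would do it: it also flags the
    comment that merely mentions the loop, and cannot see whether a loop can exit."""
    return [i for i, line in enumerate(src.splitlines(), 1) if re.search(r"while\s+True\b", line)]


# Constructed sample bot: one loop with a shutdown path, one without.
SAMPLE_BOT = '''\
import time
from broker_client import REST  # hypothetical client; any object with submit_order() works

api = REST(base_url="https://api.alpaca.markets")  # live endpoint as a literal

def run(api, stop_event):
    # while True: poll forever   <- only a comment; a text-only scanner still flags it
    while True:
        if stop_event.is_set():
            break  # shutdown path: this loop and its sleep are suppressed
        api.submit_order(symbol="SPY", qty=1, side="buy", type="limit", limit_price=400)
        time.sleep(1)

def run_forever(api):
    while True:
        api.submit_order(symbol="SPY", qty=1, side="buy", type="market")
        time.sleep(5)
'''

if __name__ == "__main__":
    for line, severity, rule in check_strategy(SAMPLE_BOT):
        print(f"{severity} | {rule} | line {line}")
    print("text-only 'while True' hits:", generic_grep(SAMPLE_BOT))
```

The AST version reports the live URL on line 4 and the second loop with its market order and fixed sleep, while suppressing the first loop (a `break` is reachable from the stop event) and ignoring the comment on line 7. The text-only version flags lines 7, 8 and 15 alike; that is the trade-off of the CLI's generic mode, more noise in exchange for not depending on the file parsing cleanly.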
AI Agent Egress · 8 rules
[Critical] SSH Private Key in Payload: Detects full SSH private key content in outbound payloads.
[High] .env File Content: Detects environment variable assignments typical of .env files in outbound payloads.
[Critical] Credit Card Number: Detects Visa, Mastercard, Amex, and Discover card number patterns.
[Critical] US SSN Pattern: Detects US Social Security Number patterns in outbound data.
[High] Code & Schema Exfiltration (SQL): Detects SQL schema or bulk data queries in outbound payloads.
[High] Code & Schema Exfiltration (Source): Detects multi-line source code blocks in outbound payloads.
[Medium] System Path Leakage (Unix): Detects sensitive Unix system paths and dotfile references in outbound data.
[Medium] System Path Leakage (Windows): Detects sensitive Windows system paths in outbound data.
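Egress rules run on data about to leave the process (a prompt sent to a model, a webhook body) rather than on source files, and the cost of a false positive is a blocked request, so the matching needs validation steps a source scanner can skip. As an added example (my own code, not Guard's), the following Python implements three of the rules above, Credit Card Number, US SSN Pattern and .env File Content, over a constructed prompt. The patterns, the Luhn and brand checks, the three-line .env threshold and the `allow_egress` decision function are all assumptions for the demo.

```python
import re

# Patterns: my approximations of the egress rule descriptions above, not Guard's own.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits with optional separators
CARD_BRANDS = re.compile(r"4\d{12}(?:\d{3})?|5[1-5]\d{14}|3[47]\d{13}|6(?:011|5\d{2})\d{12}")
# Area 000/666/9xx, group 00 and serial 0000 are never issued, so they are excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ENV_LINE_RE = re.compile(r"^[A-Z][A-Z0-9_]*=\S+$", re.M)
ENV_LINES_THRESHOLD = 3  # assumed: three KEY=value lines look like a pasted .env file


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order ids and timestamps that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_payload(text: str) -> list[tuple[str, str, str]]:
    """Return (severity, rule, redacted evidence) for each egress finding."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Pattern alone is not enough: require a known brand prefix and a valid checksum.
        if CARD_BRANDS.fullmatch(digits) and luhn_ok(digits):
            findings.append(("Critical", "Credit Card Number", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("Critical", "US SSN Pattern", "***-**-" + m.group(0)[-4:]))
    # Report variable names only; the values are exactly what must not be logged.
    env_names = [line.split("=", 1)[0] for line in ENV_LINE_RE.findall(text)]
    if len(env_names) >= ENV_LINES_THRESHOLD:
        findings.append(("High", ".env File Content", ", ".join(env_names)))
    return findings


def allow_egress(text: str, block_on=("Critical", "High")) -> tuple[bool, list[tuple[str, str, str]]]:
    """Decision an egress firewall makes per outbound payload: (allowed, findings)."""
    findings = inspect_payload(text)
    return not any(sev in block_on for sev, _, _ in findings), findings


# Constructed prompt an agent might send to a model. The card number is the
# well-known Visa test number; everything else is made up.
PASTED_PROMPT = """\
Can you refactor my bot? Here is the config it reads:
ALPACA_KEY=PKTESTKEY123
ALPACA_SECRET=sEcReTvAlUe
DB_PASSWORD=hunter2
The test card is 4111 1111 1111 1111 and the order id was 4111111111111112.
Account holder SSN 123-45-6789; the id 000-12-3456 is not an SSN.
"""

if __name__ == "__main__":
    allowed, findings = allow_egress(PASTED_PROMPT)
    print("allowed" if allowed else "BLOCKED")
    for severity, rule, evidence in findings:
        print(f"  {severity} | {rule} | {evidence}")
```

The 16-digit order id on the same line as the card passes the regex but fails Luhn and is not reported; without that check every trade or order id in a prompt would block the request. The SSN rule drops `000-12-3456` through the negative lookaheads. Evidence is redacted inside `inspect_payload`, since findings are usually written to a log with weaker access controls than the secret they describe.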

// get started

Install from PyPI. Run locally. No account required.

1. Install

$ pip install quanttape

2. Scan your strategy

Point it at any Python file or directory. QuantTape checks for hardcoded credentials, missing risk controls, and unsafe execution patterns.

$ quanttape scan ./my_bot.py

3. Review findings

Get a categorized report: CREDENTIALS, RISK, and EXECUTION. Each finding includes severity, line number, and what to fix.

4. Fix and ship

Resolve findings, re-scan to verify, and deploy clean code. Your code never leaves your machine.


CLI Reference

# Install from PyPI
$ pip install quanttape
  Successfully installed quanttape

# Scan a single file
$ quanttape scan my_bot.py

# Scan a directory with JSON output
$ quanttape scan ./my_project/ --output json

# Scan with custom rules config
$ quanttape scan my_bot.py --config rules.yaml

# Scan git history for leaked secrets
$ quanttape scan ./my_project/ --git-history

# Trading-aware scanning is on by default
# Use generic mode to disable AST-aware suppression
$ quanttape scan my_bot.py --generic-mode

Output formats:

Console JSON SARIF
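SARIF is the format CI systems and code-hosting platforms ingest, so it is the natural output to gate a pipeline on. As an added example for the fix-and-ship step (my own script, not part of QuantTape), this Python gate exits non-zero when any SARIF result has level `error`, or also `warning` when run with `--strict`. The embedded SARIF document is constructed in the standard 2.1.0 shape; the `ruleId` strings and the severity-to-level mapping QuantTape emits are not shown on this page, and the usage line assumes `--output sarif` writes the document to stdout, which the page lists as a format but does not show invoked.

```python
import json
import sys

# Constructed SARIF 2.1.0 document (runs[].results[] with ruleId, level, message,
# locations). ruleId values and levels are placeholders, not QuantTape's real ones.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "quanttape"}},
        "results": [
            {"ruleId": "aws-access-key-id", "level": "error",
             "message": {"text": "AWS Access Key ID"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "strategy.py"},
                 "region": {"startLine": 14}}}]},
            {"ruleId": "market-order-without-limit", "level": "warning",
             "message": {"text": "Market Order Without Limit"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "strategy.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-ticker", "level": "note",
             "message": {"text": "Hardcoded Ticker Symbol"}},
        ],
    }],
})


def gate(sarif_text: str, fail_on=("error",)) -> tuple[int, list[str]]:
    """Return (exit code, blocking lines): 1 if any result's level is in fail_on, else 0."""
    doc = json.loads(sarif_text)
    blocking = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF's default when level is absent
            if level not in fail_on:
                continue
            # Locations are optional in SARIF, so fall back gracefully.
            locs = result.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
            line = phys.get("region", {}).get("startLine", "?")
            blocking.append(f"{uri}:{line} {result.get('ruleId')} ({level}): "
                            f"{result.get('message', {}).get('text', '')}")
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    # Assumed usage: quanttape scan ./my_project/ --output sarif > scan.sarif
    #                python gate.py scan.sarif [--strict]
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    src = open(paths[0], encoding="utf-8").read() if paths else SAMPLE_SARIF
    levels = ("error", "warning") if "--strict" in sys.argv else ("error",)
    code, lines = gate(src, fail_on=levels)
    print("\n".join(lines) or "no blocking findings")
    sys.exit(code)
```

Gating on `error` only lets the Low and Medium review-style rules (hardcoded tickers, market orders) surface in the report without breaking the build, while a leaked key does; `--strict` is the setting for a branch that must ship clean.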

Python SDK

Import QuantTape directly in your Python code for programmatic scanning.

# Basic usage
from quanttape import SecretScanner

scanner = SecretScanner()
findings = scanner.scan_file("my_bot.py")

# Scan a directory
findings = scanner.scan_directory("./trading_bots/")

# Iterate findings
for f in findings:
    print(f"{f.severity} | {f.secret_type} | {f.file}:{f.line}")

# Output as JSON or SARIF
from quanttape.output import format_results

json_str = format_results(findings, "json")
sarif_str = format_results(findings, "sarif")

Each finding includes: file, line, secret_type, severity, match_preview


New in v0.0.22

Guard - Egress Firewall for AI Agents

The Scanner catches secrets in your codebase. Guard blocks them from leaking at runtime. Guard is still in early development - please report any issues to info@quanttape.com. Sign up for the full preview.


Scan your code before it costs you.

The Scanner catches secrets in your codebase. Guard blocks them from leaving at runtime. Both live on PyPI.
