Security
Vulnerabilities, exposed secrets, misconfigs, access risks. Missing RLS on Supabase, public S3 buckets, unrotated tokens.
Error rates, exceptions, downtime patterns. Unhandled promise rejections, unresolved Sentry alerts, spikes correlated to deploys.
Monitoring coverage, alert quality, signal hygiene. The boring discipline that wins on-call.
Outdated packages, vulnerable deps, lockfile inconsistencies. Breaks deploys six months from now if ignored.
Latency, bottlenecks, resource efficiency. Slow queries, edge-vs-origin mismatches, cold-start trends.
Branch protection, code review enforcement, IAM hygiene. The signal that holds everything else up.
Plain English, ranked by criticality, cited to the raw signal. Operational context, not just a label.
| Criticality | Finding |
|---|---|
| Critical | Missing RLS policies on three Supabase tables — user-scoped data exposed across tenants. |
| High | Unhandled promise rejections in checkout flow — rate increased 4× this week post-deploy. |
| High | Outdated dependencies — six packages with known CVEs in the main app's lockfile. |
| Medium | Sentry alerts unresolved — 23 open issues older than 30 days, three flagged critical. |
| Medium | Large AWS S3 buckets public — two buckets with anonymous read on objects. |
Sign in with GitHub, connect one repo. First scoring run same day.