Know exactly what your app talks to.
You shipped the code. But do you know every external service it calls — every raw endpoint, every SDK, every API key that quietly ended up hardcoded in source? Sonar scans your own source on-device and builds the full inventory.
- 14-day free trial
- Read-only — never edits source
- Source never leaves your Mac
/// The problem
A shipped binary tells everyone your secrets.
An API key hardcoded in client source is one strings command away from extraction. And most teams can't list every service their app actually calls. Sonar answers both — without uploading a single line.
Leaked secrets
Hardcoded keys and tokens sitting in client source, extractable from any shipped build.
No real inventory
"What does this app actually call?" shouldn't be a guess during an audit or a handoff.
Cloud scanners
Most tools want you to upload proprietary source to a third party. Hard no.
/// What Sonar does
A static scan that stays on your machine.
The only network call Sonar ever makes is a one-time license check.
Full API inventory
Every raw HTTP endpoint and third-party SDK your app uses — a concrete list, not a guess.
Secret detection
Flags possible hardcoded API keys and tokens in client source before your users find them.
Editable rule packs
Detection is driven by JSON rule packs. Ships knowing 10+ services — teach it any other.
Swift + JS / TS
Parses your iOS and web source today, with rules extensible via JSON for the rest.
Incremental rescans
Only re-process what changed — fast enough to run as part of your pre-release pass.
Read-only & private
Sonar never modifies your source. No account, no tracking, Apple-notarized .dmg.
/// How it works
Point it at a project. Get the truth.
- 1
Download the notarized .dmg
Drag Sonar to Applications. Opens cleanly — signed & notarized by NYRAI LLC.
- 2
Point it at your project
Sonar scans the source on-device — nothing is uploaded, ever.
- 3
Read the inventory
Endpoints, SDKs, and flagged secrets. Edit the JSON rules and rescan incrementally.
/// Pricing
Try it free. Then own it.
Full functionality free for 14 days. When you're ready, one license unlocks it permanently — current and future releases.
What's included
- On-device API + SDK inventory
- Hardcoded-secret flagging
- Editable JSON rule packs
- Swift + JS / TS parsing
- Incremental rescans
- Current + future releases
Secure checkout by Gumroad. Instant download.
/// FAQ
Good questions.
Do you ever see my code?
Never. Sonar is 100% local. The only network call it ever makes is a single license-key verification to Gumroad — no source code or file contents are ever sent.
Is there a free trial?
Yes — 14 days, full functionality. After that, enter your license key to keep using it.
What languages does it parse?
Swift and JavaScript / TypeScript today. Detection rules are extensible via JSON, so you can teach it any service.
What are the requirements?
macOS 13 (Ventura) or later, Apple Silicon or Intel. Your key unlocks current and future releases.
Find the leaked key before your users do.
Scan your own source, on your own machine, in minutes.