Back to Products
Local-only · Notarized · No telemetry

Know exactly what your app talks to.

You shipped the code. But do you know every external service it calls — every raw endpoint, every SDK, every API key that quietly ended up hardcoded in source? Sonar scans your own source on-device and builds the full inventory.

  • 14-day free trial
  • Read-only — never edits source
  • Source never leaves your Mac
sonar — scan
$ sonar scan ./MyApp
API api.supabase.coREST · 12 calls
SDK Stripecheckout
SDK Anthropicmessages
⚠ Config.swift:42STRIPE_SECRET_KEY sk_live_…
tip: 7 endpoints · 5 SDKs · 1 secret flagged
SupabaseStripeFirebaseAnthropicOpenAIReplicate+ your own rules

/// The problem

A shipped binary tells everyone your secrets.

An API key hardcoded in client source is one strings command away from extraction. And most teams can't list every service their app actually calls. Sonar answers both — without uploading a single line.

🔑

Leaked secrets

Hardcoded keys and tokens sitting in client source, extractable from any shipped build.

🗺️

No real inventory

"What does this app actually call?" shouldn't be a guess during an audit or a handoff.

☁️

Cloud scanners

Most tools want you to upload proprietary source to a third party. Hard no.

/// What Sonar does

A static scan that stays on your machine.

The only network call Sonar ever makes is a one-time license check.

Full API inventory

Every raw HTTP endpoint and third-party SDK your app uses — a concrete list, not a guess.

Secret detection

Flags possible hardcoded API keys and tokens in client source before your users find them.

Editable rule packs

Detection is driven by JSON rule packs. Ships knowing 10+ services — teach it any other.

Swift + JS / TS

Parses your iOS and web source today, with rules extensible via JSON for the rest.

Incremental rescans

Only re-process what changed — fast enough to run as part of your pre-release pass.

Read-only & private

Sonar never modifies your source. No account, no tracking, Apple-notarized .dmg.

/// How it works

Point it at a project. Get the truth.

  1. 1

    Download the notarized .dmg

    Drag Sonar to Applications. Opens cleanly — signed & notarized by NYRAI LLC.

  2. 2

    Point it at your project

    Sonar scans the source on-device — nothing is uploaded, ever.

  3. 3

    Read the inventory

    Endpoints, SDKs, and flagged secrets. Edit the JSON rules and rescan incrementally.

/// Pricing

Try it free. Then own it.

Full functionality free for 14 days. When you're ready, one license unlocks it permanently — current and future releases.

$29one-time

One license activates one Mac. Updates included. No subscription.

Mac App Store

What's included

  • On-device API + SDK inventory
  • Hardcoded-secret flagging
  • Editable JSON rule packs
  • Swift + JS / TS parsing
  • Incremental rescans
  • Current + future releases

Secure checkout by Gumroad. Instant download.

/// FAQ

Good questions.

Do you ever see my code?

Never. Sonar is 100% local. The only network call it ever makes is a single license-key verification to Gumroad — no source code or file contents are ever sent.

Is there a free trial?

Yes — 14 days, full functionality. After that, enter your license key to keep using it.

What languages does it parse?

Swift and JavaScript / TypeScript today. Detection rules are extensible via JSON, so you can teach it any service.

What are the requirements?

macOS 13 (Ventura) or later, Apple Silicon or Intel. Your key unlocks current and future releases.

Find the leaked key before your users do.

Scan your own source, on your own machine, in minutes.