Render

Live audit of your Render account — public PR previews, healthcheck coverage, env-group safety, custom domain verification. Catches the deploy-surface gaps a repo scan can't see.

Available on the Studio tier. Read-only API key — we never modify services, env vars, or deployments.

Why this matters

Render’s defaults favour speed. PR previews are public by default, healthchecks are optional, env groups stretch across environments. None of that shows up in a repo. The same production secret ending up in a public preview branch is a recurring failure mode for AI-built apps on Render.

Connect Render

01

Mint a Render API key.

Render Dashboard → Account Settings API KeysCreate API key. Render keys are account-level (no per-service scoping in their UI); the key has read+write across the account. We commit in code to read-only calls.

02

Paste into PulseLight.

From the project page, click the gear icon → Connected platformsRender. Paste the key. We probe Render’s API once to confirm the key works and report the service list back.

03

First scan.

The next scan includes the Render Connected Check findings alongside repo findings — rolled up into the Stable and Secure pillars.

What we verify

  • Public PR previews — CONN-RENDER-PREVIEW-001

    We flag services with PR previews enabled and no access protection set. Public previews leak in-development URLs and any production-shaped data they happen to render. The common failure: the env group attached to the service pushes prod secrets into the preview env.

  • Healthcheck path — CONN-RENDER-HEALTH-001

    Each public web service should declare a healthcheck path so Render can detect crashed deploys and route traffic away. We flag services with no healthcheck path configured.

  • Custom domain verification — CONN-RENDER-DOMAIN-001

    We check custom domains attached to your services and flag any in an unverified or pending DNS state. Unverified domains don’t serve TLS — visitors hit cert errors when DNS finally lands, and SEO crawlers see mixed-content warnings.

  • Env group spans prod + non-prod — CONN-RENDER-ENVGROUP-001

    We list env groups and the services they attach to. A group attached to both a production service and a preview or staging service propagates the same value into both environments — if a prod secret lands there, the lower-trust environment now holds it too.

Privacy + scope

Your API key is encrypted at rest with KMS envelope encryption and decrypted only at scan time. We read service config, custom domain status, and env-group attachment metadata. We never read env-var values, never trigger deploys, never modify any resource. Revoke the key in Render’s Account Settings at any time; the next scan reports the integration as revoked.