COPPA 2.0 enforcement begins April 22, 2026 — 51 days

Is your codebase safe for kids?

Find out in 60 seconds. Halo scans every file in your project for COPPA 2.0 violations — 37 rules, AST parsing, zero false positives. Free, forever.

$ npx runhalo scan .

Works with any Node.js project · No signup · No API key · Takes 10-30 seconds

We scanned the biggest names in edtech.

Real results from our scan campaign — 48 open-source repos used by millions of children. These are what Halo found.

Canvas LMS

The #1 LMS in US K-12 schools

Grade: F · Score: 0/100 · 194 violations (33 critical, 3 high, 157 medium, 1 low)
XSS/innerHTML vulnerabilities in student-facing views
Unencrypted PII transmission (HTTP URLs)
Teacher accounts bypass school verification

Habitica

Gamified habit tracker · 13k GitHub stars

Grade: F · Score: 0/100 · 689 violations (1 high, 682 medium, 6 low)
645 XSS/innerHTML instances from Vue.js v-html usage
26 external SDKs without child-directed flags
Push notifications sent without parental consent

Moodle

Open-source LMS · 6k GitHub stars

Grade: F · Score: 0/100 · 201 violations (84 critical, 5 high, 107 medium, 5 low)
46 biometric data collection patterns
38 unencrypted PII transmissions (HTTP)
34 push notifications without consent

freeCodeCamp

Youth coding platform · 405k GitHub stars

Grade: F · Score: 25/100 · 29 violations (2 critical, 2 high, 20 medium, 5 low)
Unencrypted PII in API endpoints
External SDKs without child-directed flags
Cookie/storage access without consent mechanism

Scanned March 2026 using Halo CLI v1.0.0 · All 37 rules · Full AST parsing

What Halo Scans For

Four framework packs covering every major children's digital safety regulation.

COPPA 2.0

20 rules. Data collection, PII, consent, biometrics, tracking, cookies, XSS, HTTP, push notifications.

Included free

Ethical Design

Dark patterns, manipulative UX, infinite scroll, autoplay, loot boxes, engagement traps.

Pro · --ethical-preview

AI Audit

Catch AI coding assistant mistakes — hallucinated APIs, insecure patterns, missing consent flows.

Pro · --ai-audit

AU Safety by Design

eSafety Commissioner framework. Reporting tools, content moderation, harm reduction.

Pro · --sector-au-sbd

How It Works

1. Run the scan

One command. Scans every file with AST parsing and regex. Takes 10-30 seconds.

2. Get your score

Score from 0-100, severity breakdown, and every violation with file/line/fix suggestion.

3. Track & share

Sign up free to track scores over time, share scorecards, and get README badges.

Already scanned?

Track your compliance score over time. Share scorecards with your team. Get a README badge that proves you care about kids' safety.

37 compliance rules
Open source (Apache 2.0)
AST + regex scanning
10+ languages supported
48 repos scanned