SDK Scanner

Understand what SDKWatch detects, how the compliance score is calculated, and how to interpret your results.

# How scanning works

When you trigger a scan, SDKWatch launches a headless Chromium browser and loads your URL in a clean, cookie-free profile. It intercepts all network requests, inspects script sources, and fingerprints loaded libraries against a continuously updated SDK database.

The scan navigates your homepage and up to 5 sub-pages (if available) to catch SDKs that are only loaded on certain pages. JavaScript execution is enabled to detect dynamically injected scripts.

Scan pipeline

  1. Launch headless browser with clean profile
  2. Load target URL and wait for network idle
  3. Intercept all outbound requests (scripts, pixels, beacons)
  4. Fingerprint script content against SDK database (4,000+ signatures)
  5. Detect inline scripts and eval'd code patterns
  6. Navigate linked pages (up to 5 pages)
  7. Aggregate detections, deduplicate, categorize
  8. Calculate compliance score
  9. Generate recommendations

# What gets detected

SDKWatch detects SDKs across all major categories:

Analytics
  • Google Analytics 4
  • Mixpanel
  • Amplitude
  • Heap
  • Plausible
  • Fathom
Advertising
  • Meta Pixel
  • Google Ads (gtag)
  • TikTok Pixel
  • LinkedIn Insight
  • Criteo
A/B Testing
  • Optimizely
  • Google Optimize
  • VWO
  • AB Tasty
  • Statsig
Support & Chat
  • Intercom
  • Zendesk
  • Freshdesk
  • Crisp
  • Tawk.to
  • HubSpot Chat
Payments
  • Stripe.js
  • PayPal SDK
  • Braintree
  • Square
  • Paddle
Performance
  • Sentry
  • Datadog RUM
  • New Relic
  • LogRocket
  • FullStory

# Score methodology

The compliance score (0–100) reflects how ready your site is for GDPR/ePrivacy compliance. A higher score means fewer compliance risks.

Score components

| Site profile | Score |
| --- | --- |
| Functional only | 90 |
| + Analytics | 65 |
| + Advertising | 40 |
| No consent gate | 20 |

Example: Site with analytics and advertising SDKs, no consent banner = score ~25

| Score | Status | Meaning |
| --- | --- | --- |
| 90–100 | ✅ Excellent | All SDKs consent-gated, minimal risk |
| 70–89 | 🟡 Good | Minor issues, some SDKs without gates |
| 40–69 | 🟠 Fair | Several high-risk SDKs without consent |
| 0–39 | 🔴 Poor | High-risk SDKs loading before consent |

# Scheduling scans

Scans can be triggered manually from the dashboard or via the API. Pro plans support scheduled scans:

| Plan | Scheduling | Scans |
| --- | --- | --- |
| Free | Manual only | 10/month |
| Starter | Weekly | 50/month |
| Pro | Daily | 500/month |

Scheduled scans run at 2:00 AM UTC. You'll receive an email notification if your score drops more than 10 points between scans.

# Interpreting results

Each detected SDK in your results includes:

| Field | Description |
| --- | --- |
| name | SDK display name (e.g. Google Analytics 4) |
| category | Consent category: analytics, advertising, functional, etc. |
| riskLevel | low, medium or high, based on data collected and transfer to third parties |
| gdprRelevant | Whether this SDK is subject to GDPR/ePrivacy consent requirements |
| detectedAt | The URL(s) where the SDK was detected |
| loadsBefore | Whether the SDK loads before any consent signal (critical finding) |

⚠ Critical finding: loads before consent

If an SDK with gdprRelevant: true is detected loading before any consent gate, this is flagged as critical. Under GDPR, consent must be obtained before any personal data is processed, even at a purely technical level.

Fix: use the data-sdkwatch-category attribute to defer loading until the user consents. See Banner → Categories.
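The following is an added example of the gating pattern this fix relies on; it is not SDKWatch's banner code. It assumes third-party scripts are authored inert (type="text/plain" with the SDK URL in a data-src attribute, which is an assumption here) and carry data-sdkwatch-category, so that nothing consent-relevant executes until applyConsent() is called with the granted categories. It also shows which scripts the scanner's loadsBefore check would flag.

```javascript
// Added example (not SDKWatch's own code). Assumed markup:
//   <script type="text/plain" data-sdkwatch-category="analytics"
//           data-src="https://example.invalid/gtag.js"></script>
// A consent banner is assumed to call applyConsent(["analytics", ...]).

const ALWAYS_ALLOWED = ["functional"]; // assumption: functional SDKs need no gate

// Constructed sample of what a page might contain; descriptor shape is ours.
const SAMPLE_SCRIPTS = [
  { src: "https://example.invalid/gtag.js",  type: "text/plain",      category: "analytics" },
  { src: "https://example.invalid/pixel.js", type: "text/plain",      category: "advertising" },
  { src: "https://example.invalid/chat.js",  type: "text/plain",      category: "functional" },
  { src: "https://example.invalid/eager.js", type: "text/javascript", category: "analytics" },
];

// Pure decision: which inert scripts may be activated for this consent state.
function scriptsToActivate(scripts, grantedCategories) {
  const granted = new Set([...ALWAYS_ALLOWED, ...grantedCategories]);
  return scripts.filter(
    (s) => s.type === "text/plain" && s.category !== undefined && granted.has(s.category)
  );
}

// Mirrors the loadsBefore finding: an executable, consent-relevant script that is
// present while no consent has been recorded loads before consent.
function loadsBeforeConsent(scripts, consentRecorded) {
  if (consentRecorded) return [];
  return scripts.filter(
    (s) => s.type !== "text/plain" && !ALWAYS_ALLOWED.includes(s.category)
  );
}

// DOM glue: swap each permitted inert <script> for an executable clone.
// Returns the number of scripts activated; 0 outside a browser.
function applyConsent(grantedCategories) {
  if (typeof document === "undefined") return 0;
  const nodes = document.querySelectorAll('script[data-sdkwatch-category][type="text/plain"]');
  const descriptors = [...nodes].map((n) => ({
    node: n, type: n.type, category: n.dataset.sdkwatchCategory, src: n.dataset.src,
  }));
  const chosen = scriptsToActivate(descriptors, grantedCategories);
  for (const s of chosen) {
    const live = document.createElement("script");
    live.src = s.src;
    live.async = true;
    s.node.replaceWith(live); // only now does the SDK fetch and run
  }
  return chosen.length;
}
```

Because the inert scripts are never executed by the browser, a scan that runs before any consent is recorded sees no consent-relevant requests, which is exactly what the loadsBefore check looks for.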