
@aegis-scan/cli

v0.17.0

Published

AEGIS CLI — paranoid stack-specific security scanner for Next.js + Supabase. 0-1000 score, 42 built-in checkers (+20 external-tool wrappers: 16 SAST/DAST + 1 passive subdomain-recon + 3 LLM-agent pentest frameworks), AST-based cross-file taint analysis, 4

Downloads

4,545

Readme

@aegis-scan/cli

The paranoid audit tool your vibe-coded app deserves.

Badges: npm · License: MIT · Node 20+ · SLSA v1

Stack-specific security scanner for Next.js + Supabase + React. 42 built-in checkers + 20 external-tool wrappers (16 SAST/DAST + 1 passive subdomain-recon + 3 LLM-agent pentest frameworks: Strix, PTAI, Pentest-Swarm-AI), AST-based cross-file taint analysis, 0-1000 score with FORTRESS → CRITICAL grade.

Best used alongside Semgrep / CodeQL — not instead of them.

Quickstart

# One-shot via npx (no install)
npx -y @aegis-scan/cli scan .

# Or install globally
npm install -g @aegis-scan/cli
aegis scan .

# Full audit with all scanners (DAST, infra, TLS)
aegis audit .

# Generate config + CI integration files
aegis init .

Scan modes

| Mode | Command | What it does |
|------|---------|--------------|
| scan | aegis scan . | Quick pass — security, deps, quality, compliance, i18n (~3s) |
| audit | aegis audit . | Full audit — all scanners including DAST, infra, TLS |
| siege | aegis siege . --target URL --confirm | 4-phase attack simulation against a live target |
| fix | aegis fix . | AI-powered remediation (Claude, OpenAI, Ollama, or templates) |
| history | aegis history . --blame | Git blame enrichment — who introduced each finding |
| diff | aegis scan . --diff main | Only report findings in files changed vs a git ref |
| diff-deps | aegis diff-deps --since=HEAD~1 | Dependency-change reporter; flags risky major bumps on criticalDeps |

Output formats

aegis scan . --format terminal   # default: colour-rich table
aegis scan . --format json       # machine-parseable
aegis scan . --format sarif      # SARIF 2.1.0 — drop-in for GitHub Code Scanning
aegis scan . --format markdown   # PR-comment-friendly
aegis scan . --format html       # standalone dashboard

What AEGIS finds that generic SAST tools miss

Stack-specific findings that Semgrep / CodeQL / njsscan don't have rules for:

| Vulnerability | Category |
|---|---|
| Missing tenant_id filter — cross-tenant data leak | Multi-Tenant |
| service_role RLS bypass in API routes | Supabase |
| SQLi via .rpc() template interpolation | Supabase |
| Mass assignment — unvalidated request.json() to .insert() | Supabase |
| No rate limiting on sensitive endpoint | Next.js API |
| Missing auth guard on API route | Next.js API |
| Server Component passing full DB record to client (CWE-200) | RSC |
| Prompt injection — user input in LLM prompts | AI / LLM |
| Missing Zod .strict() on mutation schemas | Validation |
| No pagination on database query | Performance / DoS |
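Two of the findings in the table, "mass assignment" and "missing tenant_id filter", are easiest to understand as a vulnerable handler next to a hardened one. The block below is an added example, not code from the @aegis-scan/cli project: `makeTable` is a hypothetical in-memory stand-in for a Supabase table, and `parseStrict` with `noteSchema` is a hand-rolled equivalent of a Zod schema with `.strict()`, so the file runs with no dependencies.

```javascript
// Added example: vulnerable vs hardened create/list handlers for a
// multi-tenant "notes" table. Not part of @aegis-scan/cli.

// Hypothetical in-memory table standing in for a Supabase table.
function makeTable() {
  const rows = [];
  return {
    insert(row) {
      const stored = { id: rows.length + 1, ...row };
      rows.push(stored);
      return { ...stored };
    },
    selectAll() { return rows.map(r => ({ ...r })); },
    selectWhere(col, val) { return rows.filter(r => r[col] === val).map(r => ({ ...r })); },
  };
}

// VULNERABLE: the parsed request body goes straight into .insert(), so the
// caller decides tenant_id (write into another tenant) and any extra column
// such as is_admin. The list handler has no tenant_id filter, so every
// tenant's rows are returned to whoever calls it.
function vulnerableCreate(table, body, session) {
  return table.insert(body);
}
function vulnerableList(table, session) {
  return table.selectAll();
}

// HARDENED: a strict schema rejects unknown keys (what Zod's .strict() does),
// and tenant_id / owner_id are taken from the server-side session, never from
// the body. The list handler always scopes to the session's tenant.
const noteSchema = {
  title: v => typeof v === 'string' && v.length > 0 && v.length <= 200,
  body:  v => typeof v === 'string' && v.length <= 10000,
};

function parseStrict(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new Error('expected an object');
  }
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const unknown = Object.keys(input).filter(k => !own(schema, k));
  if (unknown.length) throw new Error(`unknown keys: ${unknown.join(', ')}`);
  const out = {};
  for (const [key, check] of Object.entries(schema)) {
    if (!check(input[key])) throw new Error(`invalid field: ${key}`);
    out[key] = input[key];
  }
  return out;
}

function hardenedCreate(table, body, session) {
  if (!session || !session.userId || !session.tenantId) throw new Error('unauthenticated');
  const data = parseStrict(noteSchema, body);
  return table.insert({ ...data, tenant_id: session.tenantId, owner_id: session.userId });
}
function hardenedList(table, session) {
  if (!session || !session.tenantId) throw new Error('unauthenticated');
  return table.selectWhere('tenant_id', session.tenantId);
}
```

The hardened version mirrors what the scanner looks for: the body is validated against a closed set of keys before it reaches `.insert()`, and every query that touches tenant data carries the tenant filter derived from the authenticated session rather than from user input.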

Scoring

| Score | Grade | Badge |
|-------|-------|-------|
| 950-1000 | S | FORTRESS |
| 850-949 | A | HARDENED |
| 700-849 | B | SOLID |
| 500-699 | C | NEEDS_WORK |
| 300-499 | D | AT_RISK |
| 0-299 | F | CRITICAL |

A BLOCKER or CRITICAL severity finding forces score 0 / grade F regardless of other findings — so a single unauthed admin route or hardcoded secret cannot be quietly buried in a green-grade report.

CI integration — GitHub Action

Drop-in security gate for any GitHub Actions workflow. Posts a PR comment with score + severity table + top findings; fails the build when score drops below threshold.

- uses: RideMatch1/a.e.g.i.s/ci/<action-name>@v0.16.6   # <action-name>: the action directory under ci/ (garbled on this page)
  with:
    mode: scan          # 'scan' (quick) or 'audit' (full)
    fail-below: 700     # set to 0 to never fail
    comment-on-pr: true

Always pin to a tag (@v0.16.6), never @main.

Supply-chain integrity

Every published version ships with SLSA v1 provenance — the npm attestation binds the tarball to the exact GitHub Actions run, commit SHA, and registry identity. Verify any installation:

npm audit signatures

# Expected: https://slsa.dev/provenance/v1
npm view @aegis-scan/cli@<version> dist.attestations.provenance.predicateType

# Expected: empty or only safe CI hooks
npm view @aegis-scan/cli@<version> scripts

The publish workflow (.github/workflows/publish.yml) triggers on signed git tags only and runs with SHA-pinned GitHub Actions. No install-time scripts are declared in any @aegis-scan/* package — npm install @aegis-scan/cli executes zero scripts from the AEGIS namespace.
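The two `npm view` checks above can be turned into a policy function over the JSON that `npm view --json <pkg>@<version>` prints, so the same gate can run in CI against any package, not just this one. This is an added example, not code from the @aegis-scan/cli project; the field paths `dist.attestations.provenance.predicateType` and `scripts` are the ones the README queries, and the two sample documents are constructed for the example, not real registry data.

```javascript
// Added example: policy check over an npm registry document.
// Usage idea: npm view --json @aegis-scan/cli@<version> > doc.json, then
// feed the file's text to checkFromJson(). Not part of @aegis-scan/cli.

const SLSA_V1 = 'https://slsa.dev/provenance/v1';

// Lifecycle scripts npm runs when a package is installed as a dependency.
// Other scripts (test, build, prepare for git deps) are not install-time
// hooks for a registry install and are left alone.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function checkPackument(doc) {
  const problems = [];
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

  // 1. Provenance: the registry document must carry a SLSA v1 predicate.
  const dist = doc.dist || {};
  const provenance = dist.attestations && dist.attestations.provenance;
  const predicateType = provenance ? provenance.predicateType : undefined;
  if (predicateType !== SLSA_V1) {
    problems.push(`provenance: expected ${SLSA_V1}, got ${predicateType || 'none'}`);
  }

  // 2. Scripts: no install-time hook may be declared.
  const scripts = doc.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (own(scripts, hook)) {
      problems.push(`install-time script declared: ${hook} -> ${scripts[hook]}`);
    }
  }

  return { ok: problems.length === 0, problems };
}

// Convenience wrapper for the raw text of `npm view --json`.
function checkFromJson(text) {
  return checkPackument(JSON.parse(text));
}

// Constructed sample documents (not real registry data).
const goodDoc = {
  name: 'example-pkg', version: '1.0.0',
  dist: { attestations: { provenance: { predicateType: SLSA_V1 } } },
  scripts: { test: 'node --test', build: 'tsc' },
};
const badDoc = {
  name: 'example-pkg', version: '1.0.1',
  dist: {},
  scripts: { postinstall: 'node setup.js' },
};
```

This only checks what the registry document claims; the cryptographic step that actually validates the attestation against the registry's keys is `npm audit signatures`, so run both. A document with no `dist.attestations` at all is reported the same way as one with the wrong predicate type, which is what a gate should do: absence of provenance is a failure, not a pass.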

Honest limitations

  • TypeScript / JavaScript only. No Python / Go / Rust / Java / C# / Ruby / PHP.
  • External-tool wrappers require the tool on PATH. Semgrep / Gitleaks / Trivy / ZAP / OSV-Scanner / … integrations auto-skip when the underlying binary is absent.
  • Stack-specific. On non-Next.js Node it covers generic classes (SQLi, SSRF, path traversal, prompt injection, crypto misuse) but skips framework-specific rules.
  • Compliance checks are pattern-based, not audit-grade. GDPR / SOC 2 / ISO 27001 / PCI-DSS engines cover dozens of common control gaps but are not a substitute for a certified auditor.

Three-layer toolkit

@aegis-scan/cli is one of three sibling packages that cover the full pre-ship security lifecycle:

Build with the wizard. Scan what you built. Test it red-team-style.

Links

  • Main repo: https://github.com/RideMatch1/a.e.g.i.s
  • CHANGELOG: https://github.com/RideMatch1/a.e.g.i.s/blob/main/CHANGELOG.md
  • Security policy: https://github.com/RideMatch1/a.e.g.i.s/blob/main/SECURITY.md
  • Getting Started guide: https://github.com/RideMatch1/a.e.g.i.s/blob/main/docs/GETTING-STARTED.md

License

MIT