
@apiposture/cli

v1.0.1

Static source-code analysis CLI for Node.js API frameworks to identify authorization misconfigurations and security risks

ApiPosture CLI for Node.js

Static source-code analysis CLI for Node.js API frameworks to identify authorization misconfigurations and security risks.

Features

  • Multi-Framework Support: Express.js, NestJS, Fastify, and Koa
  • 8 Security Rules: Covering exposure, consistency, privilege, and surface area risks
  • Multiple Output Formats: Terminal, JSON, and Markdown
  • Configurable: Rule customization and suppression support
  • CI/CD Ready: Exit codes for pipeline integration

Installation

npm install -g @apiposture/cli

Or use with npx:

npx @apiposture/cli scan .

Quick Start

# Scan current directory
apiposture scan

# Scan specific path
apiposture scan ./src

# Output as JSON
apiposture scan -o json

# Fail CI if critical findings
apiposture scan --fail-on critical

Security Rules

| Rule  | Name                           | Severity | Description |
|-------|--------------------------------|----------|-------------|
| AP001 | Public without explicit intent | High     | Endpoint is public without an @Public or allowAnonymous marker |
| AP002 | AllowAnonymous on write        | High     | Write operation explicitly marked as public |
| AP003 | Controller/action conflict     | Medium   | Method-level @Public overrides class-level guards (NestJS) |
| AP004 | Missing auth on writes         | Critical | Unprotected write endpoint |
| AP005 | Excessive role access          | Low      | Endpoint allows more than 3 roles |
| AP006 | Weak role naming               | Low      | Generic role names such as "admin" or "user" |
| AP007 | Sensitive route keywords       | Medium   | Public route contains admin, debug or internal |
| AP008 | Unprotected endpoint           | High     | No middleware chain at all |

CLI Options

apiposture scan [path]

Options:
  -o, --output <format>        Output format: terminal, json, markdown (default: terminal)
  -f, --output-file <path>     Write output to file
  -c, --config <path>          Config file path (.apiposture.json)
  --severity <level>           Min severity: info, low, medium, high, critical
  --fail-on <level>            Exit code 1 if findings at this level
  --sort-by <field>            Sort by: severity, route, method, classification
  --sort-dir <dir>             Sort direction: asc, desc
  --classification <types>     Filter: public, authenticated, role-restricted, policy-restricted
  --method <methods>           Filter: GET, POST, PUT, DELETE, PATCH
  --route-contains <str>       Filter routes containing string
  --api-style <styles>         Filter: express, nestjs, fastify, koa
  --rule <rules>               Filter by rule ID (comma-separated)
  --no-color                   Disable colors
  --no-icons                   Disable icons

License Commands:
  apiposture license activate <key>    Activate a license
  apiposture license deactivate        Deactivate current license
  apiposture license status            Show license status

Configuration

Create .apiposture.json in your project root:

{
  "rules": {
    "AP001": { "enabled": true },
    "AP005": { "enabled": true, "options": { "maxRoles": 3 } }
  },
  "suppressions": [
    {
      "ruleId": "AP001",
      "route": "/api/health",
      "reason": "Health check is intentionally public"
    }
  ],
  "scan": {
    "excludePatterns": ["**/test/**"]
  }
}

Supported Frameworks

Express.js

app.get('/path', handler);
router.post('/path', authMiddleware, handler);
app.use('/prefix', router);

NestJS

@Controller('path')
@UseGuards(AuthGuard)
class MyController {
  @Get()
  @Roles('admin')
  handler() {}
}

Fastify

fastify.get('/path', { preHandler: [auth] }, handler);
fastify.route({ method: 'GET', url: '/path', handler });

Koa

router.get('/path', authMiddleware, handler);
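The Express/Koa positional-middleware pattern and the Fastify preHandler pattern shown above, together with rules AP004, AP007 and AP008 from the Security Rules table, are what a static route scanner has to recognise. The following is an added example written for this page, not code from @apiposture/cli: a toy analyzer that extracts route registrations from a constructed source string with a regex, classifies each route as public or authenticated by whether a known auth middleware sits in its chain, emits findings modelled on those three rules, honours a .apiposture.json-style suppression entry, and evaluates a --fail-on threshold as "any finding at or above this severity" (this example's reading of the flag). The list of middleware names treated as authentication, the sample routes, and the restriction to single-statement registrations with an identifier as handler are assumptions of the example; the real tool's parser, rule logic and exact exit-code semantics are not reproduced here.

```javascript
'use strict';
// Added example for this page, not code from @apiposture/cli. A deliberately
// small static check over Node.js route registrations that mirrors the idea
// behind README rules AP008 (no middleware chain), AP004 (write endpoint
// without auth) and AP007 (public route with a sensitive keyword), honours a
// config-style suppression, and evaluates a --fail-on style threshold.
// Assumptions: the auth middleware names below, one registration per
// statement ending in ';', and an identifier (not an inline function) as the
// handler. fastify.route({...}) and NestJS decorators are out of scope here.

const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };
const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
// Assumed names that mark a chain as authenticated; a real scanner would resolve imports.
const AUTH_MIDDLEWARE = /^(auth|authMiddleware|requireAuth|authenticate|ensureAuthenticated)$/;
const SENSITIVE_ROUTE = /(admin|debug|internal)/i;

// Matches app.get('/p', mw, handler); router.post(...); fastify.put('/p', { preHandler: [auth] }, h);
// Groups: 1 = HTTP method, 2 = quote char, 3 = route path, 4 = remaining arguments.
const ROUTE_RE = /\b\w+\.(get|post|put|patch|delete)\(\s*(['"`])([^'"`]*)\2\s*,([^;]*)\)\s*;/g;

function parseRoutes(source) {
  const routes = [];
  for (const m of source.matchAll(ROUTE_RE)) {
    const [, method, , path, rawArgs] = m;
    const args = rawArgs.trim();
    let middleware;
    if (args.startsWith('{')) {
      // Fastify options object: only entries of a preHandler array count as middleware.
      const pre = args.match(/preHandler\s*:\s*\[([^\]]*)\]/);
      middleware = pre ? pre[1].split(',').map((s) => s.trim()).filter(Boolean) : [];
    } else {
      // Express/Koa positional style: every argument before the final handler.
      middleware = args.split(',').map((s) => s.trim()).filter(Boolean).slice(0, -1);
    }
    routes.push({ method: method.toUpperCase(), path, middleware });
  }
  return routes;
}

// 'authenticated' when a recognised auth middleware is in the chain, else 'public'.
function classify(route) {
  return route.middleware.some((name) => AUTH_MIDDLEWARE.test(name)) ? 'authenticated' : 'public';
}

function analyze(source, config = {}) {
  const suppressions = config.suppressions || [];
  const findings = [];
  const report = (ruleId, severity, route, message) => {
    const suppressed = suppressions.some((s) => s.ruleId === ruleId && s.route === route.path);
    if (!suppressed) findings.push({ ruleId, severity, method: route.method, route: route.path, message });
  };
  for (const route of parseRoutes(source)) {
    const isPublic = classify(route) === 'public';
    if (route.middleware.length === 0) report('AP008', 'high', route, 'no middleware chain at all');
    if (isPublic && WRITE_METHODS.has(route.method)) report('AP004', 'critical', route, 'write endpoint without auth middleware');
    if (isPublic && SENSITIVE_ROUTE.test(route.path)) report('AP007', 'medium', route, 'public route contains admin/debug/internal');
  }
  return findings;
}

// This example's reading of --fail-on <level>: fail when any finding is at or above the level.
function shouldFail(findings, level) {
  return findings.some((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[level]);
}

// Constructed sample source and config, not taken from any real project.
const SAMPLE_SOURCE = `
const router = express.Router();
router.get('/api/health', healthHandler);
router.post('/api/orders', authMiddleware, createOrder);
router.delete('/api/orders/:id', deleteOrder);
router.get('/api/admin/users', listUsers);
fastify.get('/api/profile', { preHandler: [auth] }, getProfile);
fastify.put('/api/profile', {}, updateProfile);
`;
const SAMPLE_CONFIG = {
  suppressions: [{ ruleId: 'AP008', route: '/api/health', reason: 'Health check is intentionally public' }],
};

function runSample() {
  const findings = analyze(SAMPLE_SOURCE, SAMPLE_CONFIG);
  return { findings, fail: shouldFail(findings, 'high') };
}

for (const f of runSample().findings) {
  console.log(`${f.ruleId} ${f.severity.padEnd(8)} ${f.method.padEnd(6)} ${f.route}: ${f.message}`);
}
```

Run it with node to print the findings: the health-check AP008 hit is dropped by the suppression, the authenticated POST and the Fastify GET with a preHandler produce nothing, and the unprotected DELETE, the public admin GET and the PUT with an empty options object surface as AP004/AP007/AP008, so shouldFail(findings, 'high') is true and a pipeline wired like the ones in the CI/CD Integration section would stop.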

CI/CD Integration

Both snippets fail the job through the scanner's exit code once a finding reaches the --fail-on level. Pin the release you have reviewed, for example npx @apiposture/cli@1.0.1 scan ..., rather than letting npx resolve whatever is latest on each run; the scanner is itself a dependency of the pipeline.

# GitHub Actions
- name: Security Scan
  run: npx @apiposture/cli scan --fail-on high -o json -f report.json

# GitLab CI
security-scan:
  script:
    - npx @apiposture/cli scan --fail-on critical

Environment Variables

  • APIPOSTURE_LICENSE_KEY: License key for Pro features

License

MIT