
@apiposture/pro

v1.8.3

Published

Advanced security analysis CLI for Node.js APIs — OWASP rules, secrets detection, risk scoring, diff mode, and historical tracking

Downloads

599

Readme

ApiPosture Pro for Node.js

Professional security extension for Node.js API security scanning

Extends the open-source ApiPosture CLI for Node.js with advanced security rules, secrets detection, diff mode, historical tracking, and risk scoring.

🔒 100% Local Analysis - Your code never leaves your machine. All scanning is performed locally on your computer or CI/CD runner.

Features

🛡️ OWASP Top 10 Security Rules

Advanced detection combining endpoint metadata analysis with deep source code inspection of route handlers and middleware:

  • AP101 - Broken Access Control (Critical) — missing authentication middleware, database writes without auth, IDOR without ownership checks, GET endpoints performing destructive operations
  • AP102 - Cryptographic Failures (High) — weak hashing (MD5/SHA1), hardcoded crypto keys, sensitive data logging
  • AP103 - Injection Vulnerabilities (Critical) — raw SQL queries with string interpolation/concatenation, eval(), insecure deserialization, child_process.exec with user input
  • AP104 - Insecure Design (High) — missing CSRF protection, missing input validation, missing rate limiting
  • AP105 - Security Misconfiguration (Medium) — permissive CORS (origin: *), debug mode in production, missing security headers (Helmet), exposed stack traces, trust proxy misconfiguration
  • AP106 - Vulnerable Components (Medium) — legacy API patterns, deprecated frameworks, end-of-life Node.js versions (below Node.js 18)
  • AP107 - Authentication Failures (High) — missing audit logging on DELETE, plaintext password comparison
  • AP108 - SSRF Vulnerabilities (High) — axios/fetch/http.get with user input, URL construction from variables

📂 File-Level Scanning

Scans entire source files beyond just route handlers:

  • app.js / server.js / index.js — errorHandler exposing stack traces, missing helmet(), missing HTTPS redirect, CORS misconfigured, debug mode without environment guard
  • Templates (*.ejs, *.hbs, *.pug) — <%- %> / {{{ }}} unescaped output XSS vulnerabilities
  • JavaScript/TypeScript Source Files — Insecure deserialization (node-serialize), hardcoded encryption keys, eval(), Function() constructor
  • Config Files (.json, .env) — Hardcoded secrets, overly permissive settings
  • package.json — End-of-life Node.js engine versions (below Node.js 18)

🔑 Secrets Detection

  • AP201 - Detects 30+ secret patterns in both source files and route handlers (Critical):
      • AWS, Azure, GCP keys
      • GitHub, Slack, Stripe tokens
      • Database connection strings
      • Private keys and certificates
      • JWT secrets and API keys
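
To make the file-level checks and the secrets detection above concrete, here is an added example of a minimal line-oriented rule engine. It is not ApiPosture's own implementation: the rule IDs reuse the README's numbering, but the regular expressions, the sample project files and the findings they produce are constructed for this illustration. One design point it shows that a scanner must get right is that secret findings are redacted before they reach the report, since the JSON report is exactly the artifact the CI examples later on this page upload.

```javascript
// Added example (not ApiPosture's code): a minimal line-oriented rule engine that
// mirrors the file-level checks and secrets detection described in the README.
// Rule IDs reuse the README's numbering; the patterns, file names and file
// contents below are constructed for illustration only.

const RULES = [
  { id: 'AP102', severity: 'High', secret: false,
    re: /createHash\(\s*['"](?:md5|sha1)['"]\s*\)/,
    message: 'weak hashing algorithm (MD5/SHA1)' },
  { id: 'AP103', severity: 'Critical', secret: false,
    re: /\.(?:query|raw)\(\s*`[^`]*\$\{/,
    message: 'raw SQL query built with template-literal interpolation' },
  { id: 'AP103', severity: 'Critical', secret: false,
    re: /\bexec\(\s*(?:`[^`]*\$\{|[^)]*\+)/,
    message: 'child_process.exec with interpolated or concatenated input' },
  { id: 'AP103', severity: 'High', secret: false,
    re: /<%-|\{\{\{/,
    message: 'unescaped template output' },
  { id: 'AP105', severity: 'Medium', secret: false,
    re: /origin\s*:\s*['"]\*['"]/,
    message: 'permissive CORS (origin: *)' },
  // Secret rules capture the credential in group 1 so it can be redacted.
  { id: 'AP201', severity: 'Critical', secret: true,
    re: /\b(AKIA[0-9A-Z]{16})\b/, message: 'AWS access key ID' },
  { id: 'AP201', severity: 'Critical', secret: true,
    re: /\b(ghp_[A-Za-z0-9]{36})\b/, message: 'GitHub personal access token' },
  { id: 'AP201', severity: 'Critical', secret: true,
    re: /(-----BEGIN (?:RSA |EC )?PRIVATE KEY-----)/, message: 'private key material' },
  { id: 'AP201', severity: 'Critical', secret: true,
    re: /\b(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)/, message: 'JWT' },
];

function redact(value) {
  // Keep a recognisable prefix, mask the rest: the report itself must not leak the secret.
  return value.slice(0, 4) + '*'.repeat(Math.max(value.length - 4, 4));
}

function scanFile(path, contents) {
  const findings = [];
  contents.split('\n').forEach((text, index) => {
    for (const rule of RULES) {
      const match = rule.re.exec(text);
      if (!match) continue;
      findings.push({
        rule: rule.id,
        severity: rule.severity,
        file: path,
        line: index + 1,
        message: rule.message,
        evidence: rule.secret ? redact(match[1]) : text.trim(),
      });
    }
  });
  return findings;
}

// Constructed sample project. The AWS key is AWS's documented placeholder value;
// the GitHub token and the JWT are made-up strings with the right shape.
const SAMPLE_FILES = {
  'routes/users.js': [
    "const digest = crypto.createHash('md5').update(password).digest('hex');",
    'const rows = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);',
    "exec('ping ' + req.query.host, callback);",
  ].join('\n'),
  'routes/safe.js':
    "const rows = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);",
  'app.js': "app.use(cors({ origin: '*' }));",
  'views/show.ejs': '<p><%- comment.body %></p>',
  'config.json': `{ "awsKey": "AKIAIOSFODNN7EXAMPLE", "ghToken": "ghp_${'A'.repeat(36)}" }`,
  '.env': 'SESSION_JWT=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl',
};

function scanProject(files = SAMPLE_FILES) {
  return Object.entries(files).flatMap(([path, contents]) => scanFile(path, contents));
}

function summarize(findings) {
  const counts = { Critical: 0, High: 0, Medium: 0, Low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

for (const f of scanProject()) {
  console.log(`[${f.rule}] ${f.severity}: ${f.message} (${f.file}:${f.line}) ${f.evidence}`);
}
console.log(summarize(scanProject()));
```

Running it flags eight findings across the sample files and none in routes/safe.js, whose parameterized query uses a placeholder instead of interpolation. Per-line regexes are enough to show the idea; the README's description of inspecting route handler and middleware bodies implies a parser-based approach, which is what you need to avoid false positives on multi-line expressions and commented-out code.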

📊 Diff Mode

Compare scans over time to track security improvements or regressions:

apiposture-pro diff baseline.json current.json

📈 Historical Tracking

Automatic scan history with SQLite storage:

apiposture-pro history list
apiposture-pro history trend --path /path/to/project

🎯 Risk Scoring

Automated risk assessment based on:

  • Severity (40%)
  • Exposure (25%)
  • Sensitivity (25%)
  • Finding density (10%)

Installation

For Pro Users (Recommended)

Install the standalone Pro tool - includes everything:

# Install Pro CLI (includes scanning + all rules)
npm install -g @apiposture/pro

# Activate your license
apiposture-pro license activate XXXX-XXXX-XXXX-XXXX

# Verify activation
apiposture-pro license status

That's it. The Pro tool is fully standalone and includes both free and Pro rules.

For Free Users

If you only need basic rules, install the free CLI:

npm install -g @apiposture/cli

CI/CD Alternative

Set the JWT token via an environment variable (no per-machine activation needed). The JWT token is stored in ~/.apiposture/license.json (.token field) after you run license activate on your dev machine.

# On your dev machine, after activation, retrieve the JWT token:
grep '"token"' ~/.apiposture/license.json

# Set it as a CI secret:
export APIPOSTURE_LICENSE_KEY=<jwt-token-from-license.json>

Note: APIPOSTURE_LICENSE_KEY must contain the JWT token from your license file — not your raw license key (XXXX-XXXX-XXXX-XXXX). If you set it to a raw key, the tool will warn and fall back to free-tier rules. Treat the token as a credential: keep it in your CI provider's masked secret store rather than in the pipeline file or the repository, and do not echo it into build logs.

Usage

Scan Your API

Use the Pro CLI for scanning (includes both free and Pro rules):

# Basic scan
apiposture-pro scan /path/to/your/api

# Scan with JSON output
apiposture-pro scan /path/to/your/api --output json --output-file report.json

# Fail build on high/critical findings
apiposture-pro scan /path/to/your/api --fail-on high

# Filter by severity
apiposture-pro scan /path/to/your/api --severity medium

Manage Your License

# Check license status
apiposture-pro license status

# Deactivate license
apiposture-pro license deactivate

Example Output

$ apiposture-pro scan .

API Posture Scan Results
========================

Findings:
  [AP101] Critical: Route '/api/entries' performs database writes without authentication middleware
  [AP102] High: Route '/api/users/hash' uses weak hashing algorithm (MD5/SHA1)
  [AP103] Critical: Route '/api/comments' uses raw SQL query with string concatenation
  [AP105] Critical: CORS configured with origin: * allowing all origins
  [AP105] High: Error handler exposes stack traces without environment check
  [AP103] High: Unescaped output <%- %> used in show.ejs at line 12
  [AP201] Critical: AWS Access Key detected in config.json

Summary:
  Total Findings: 7
  Critical: 4 | High: 3 | Medium: 0 | Low: 0

Scanned 42 routes + 18 files in 1.8s

Automatic History Tracking

Every scan is automatically saved to your local history database (~/.apiposture/history.db):

$ apiposture-pro scan /path/to/api
[scan output...]
Scan saved to history: a1b2c3d4e5f6

# View your scan history
$ apiposture-pro history list

# Show trend for your project
$ apiposture-pro history trend --path /path/to/api

Compare Scans (Diff Mode)

Track security improvements over time:

# Save baseline
apiposture-pro scan /path/to/api --output json --output-file baseline.json

# Make security improvements...

# Scan again
apiposture-pro scan /path/to/api --output json --output-file current.json

# Compare results
apiposture-pro diff baseline.json current.json
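
The two diff-mode passages above say what the command does but not what a diff of two scan reports actually computes. The following is an added example, not ApiPosture's diff implementation: it assumes a report shape with a findings array, keys each finding by rule, file and route rather than by line number, and derives a regression-only exit code from the result. The two reports are constructed for the example.

```javascript
// Added example (not ApiPosture's diff implementation) of what a diff between
// two JSON scan reports can compute. The report shape, the findings and the
// severity names below are assumptions for the example.
const SEVERITY_RANK = { Low: 1, Medium: 2, High: 3, Critical: 4 };

// Identify a finding by rule + file + route rather than by line number or
// message text, so unrelated edits that shift lines do not read as churn.
// Assumption: one finding per (rule, file, route); duplicates collapse.
function findingKey(f) {
  return `${f.rule}|${f.file}|${f.route ?? ''}`;
}

function diffReports(baseline, current) {
  const before = new Map(baseline.findings.map((f) => [findingKey(f), f]));
  const after = new Map(current.findings.map((f) => [findingKey(f), f]));
  const diff = { fixed: [], introduced: [], escalated: [], unchanged: [] };
  for (const [key, old] of before) {
    const now = after.get(key);
    if (!now) diff.fixed.push(old);
    else if (SEVERITY_RANK[now.severity] > SEVERITY_RANK[old.severity]) diff.escalated.push(now);
    else diff.unchanged.push(now);
  }
  for (const [key, now] of after) {
    if (!before.has(key)) diff.introduced.push(now);
  }
  return diff;
}

// Gate a pipeline on regressions only: pre-existing findings stay tracked, while
// new or escalated findings at or above the threshold fail the build (exit 1).
function regressionExitCode(diff, failOn = 'High') {
  const threshold = SEVERITY_RANK[failOn];
  const blocking = [...diff.introduced, ...diff.escalated]
    .filter((f) => SEVERITY_RANK[f.severity] >= threshold);
  return blocking.length > 0 ? 1 : 0;
}

// Constructed reports: baseline from before a change, current from after it.
const BASELINE_REPORT = {
  scannedAt: '2025-03-01T10:00:00Z',
  findings: [
    { rule: 'AP101', severity: 'Critical', file: 'routes/entries.js', route: 'POST /api/entries',
      message: 'database write without authentication middleware' },
    { rule: 'AP102', severity: 'High', file: 'routes/users.js', route: 'POST /api/users/hash',
      message: 'weak hashing algorithm (MD5/SHA1)' },
    { rule: 'AP105', severity: 'Medium', file: 'app.js', route: '',
      message: 'CORS configured with origin: *' },
  ],
};

const CURRENT_REPORT = {
  scannedAt: '2025-03-02T10:00:00Z',
  findings: [
    { rule: 'AP102', severity: 'High', file: 'routes/users.js', route: 'POST /api/users/hash',
      message: 'weak hashing algorithm (MD5/SHA1)' },
    { rule: 'AP105', severity: 'High', file: 'app.js', route: '',
      message: 'CORS configured with origin: * together with credentials' },
    { rule: 'AP103', severity: 'Critical', file: 'routes/comments.js', route: 'GET /api/comments',
      message: 'raw SQL query with string concatenation' },
  ],
};

const example = diffReports(BASELINE_REPORT, CURRENT_REPORT);
for (const bucket of ['fixed', 'introduced', 'escalated', 'unchanged']) {
  for (const f of example[bucket]) {
    console.log(`${bucket.padEnd(10)} [${f.rule}] ${f.severity}: ${f.route || f.file}`);
  }
}
console.log('exit code:', regressionExitCode(example, 'High'));
```

With these inputs the AP101 finding is reported as fixed, AP102 as unchanged, AP105 as escalated from Medium to High, and AP103 as introduced; because AP103 is Critical, the regression gate returns 1. Keying on rule, file and route is what makes a baseline survive ordinary refactoring: a key that included line numbers would report every finding in a touched file as fixed-and-reintroduced.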

View History

Pro automatically records scan history:

# List recent scans
apiposture-pro history list

# View trends over time
apiposture-pro history trend --path /path/to/api

# Show specific scan
apiposture-pro history show <scan-id>

CI/CD Integration

Use ApiPosture Pro in your CI/CD pipeline. Pin the version you install (for example @apiposture/pro@1.8.3, the version this page documents) so that a scan which gates builds does not change behaviour when a new release is published, and supply the license token from your provider's secret store, as the examples below do.

GitHub Actions

name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install ApiPosture Pro
        run: npm install -g @apiposture/pro

      - name: Run security scan
        run: apiposture-pro scan . --output json --output-file results.json --fail-on high
        env:
          # Store the JWT token from ~/.apiposture/license.json as a GitHub secret
          APIPOSTURE_LICENSE_KEY: ${{ secrets.APIPOSTURE_LICENSE_KEY }}

      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: results.json

Azure DevOps

steps:
  - task: NodeTool@0
    displayName: 'Use Node.js 20'
    inputs:
      versionSpec: '20.x'

  - script: npm install -g @apiposture/pro
    displayName: 'Install ApiPosture Pro'

  - script: apiposture-pro scan . --output json --output-file $(Build.ArtifactStagingDirectory)/results.json
    displayName: 'Security Scan'
    env:
      APIPOSTURE_LICENSE_KEY: $(ApiPostureLicenseKey)

GitLab CI

security_scan:
  image: node:20
  script:
    - npm install -g @apiposture/pro
    - apiposture-pro scan . --output json --output-file results.json
  variables:
    APIPOSTURE_LICENSE_KEY: $APIPOSTURE_LICENSE_KEY
  artifacts:
    paths:
      - results.json

Security Rules Reference

AP101: Broken Access Control

Severity: Critical

Detects missing authentication middleware on sensitive operations, IDOR vulnerabilities, mass assignment risks, privilege escalation endpoints, and GET endpoints performing destructive database operations. Source code analysis detects database writes (.create(), .save(), .insertOne()) on unprotected routes and data access by ID without ownership verification.

Recommendation: Use authentication middleware (Passport, JWT) on all sensitive routes. Verify resource ownership before returning data.

AP102: Cryptographic Failures

Severity: High

Detects sensitive data in URLs, weak hashing algorithms (crypto.createHash('md5'), crypto.createHash('sha1')), hardcoded cryptographic keys, reversible encryption used for passwords, and sensitive data logged via console.log() or template literals.

Recommendation: Use SHA-256+ for hashing, bcrypt/Argon2 for passwords. Store keys in secure configuration. Never log sensitive objects.

AP103: Injection Vulnerability

Severity: Critical

Detects SQL injection via raw queries with string interpolation or concatenation, eval() usage, insecure deserialization (node-serialize), child_process.exec with user input, and XSS via unescaped template output (<%- %>, {{{ }}}).

Recommendation: Use parameterized queries or ORM methods. Avoid eval() entirely. Use child_process.execFile instead of exec. Use escaped template output by default.

AP104: Insecure Design

Severity: High

Detects missing rate limiting on auth endpoints, missing CSRF protection on state-changing routes, POST/PUT routes without input validation, and bulk operations without limits.

Recommendation: Add CSRF protection (note that the csurf package is deprecated, so prefer a maintained synchronizer-token or double-submit-cookie middleware), validate input (Joi, Zod, class-validator), implement rate limiting (express-rate-limit).

AP105: Security Misconfiguration

Severity: Medium

Detects exposed debug endpoints, permissive CORS (origin: '*'), missing security headers (Helmet), error handlers exposing stack traces, missing HTTPS redirect, debug/verbose mode in production, and trust proxy misconfiguration.

Recommendation: Use helmet() for security headers. Guard dev middleware with environment checks. Enforce HTTPS. Configure CORS with specific origins.

AP106: Vulnerable Components

Severity: Medium

Detects legacy API patterns, deprecated frameworks, outdated middleware, and end-of-life Node.js engine versions (below Node.js 18) in package.json.

Recommendation: Keep dependencies updated. Migrate legacy patterns to modern alternatives. Upgrade to supported Node.js versions.

AP107: Authentication Failures

Severity: High

Detects weak auth patterns, missing audit logging on DELETE endpoints, plaintext password comparison (=== password), and improper session/token management.

Recommendation: Use bcrypt/Argon2 for password verification. Log all destructive operations. Use MFA and secure session handling.

AP108: SSRF Vulnerability

Severity: High

Detects routes accepting URL parameters, axios.get()/fetch()/http.get() with user input, new URL(variable) construction, webhooks, and proxy functionality.

Recommendation: Validate URL inputs against allowlists. Block internal IP ranges. Use typed HTTP clients with URL validation.

AP201: Secrets in Code

Severity: Critical

Detects 30+ hardcoded secret patterns in both source files and route handler bodies, including cloud keys, service tokens, database credentials, and private keys.

Recommendation: Never hardcode secrets. Use environment variables or secure vaults (AWS Secrets Manager, HashiCorp Vault).

Supported Frameworks

  • Express.js — Full support for route scanning, middleware analysis
  • NestJS — Controller and decorator-based route detection
  • Fastify — Route and plugin analysis
  • Koa — Router and middleware scanning

Privacy & Security

🔒 Your code stays on your machine

  • All analysis is performed 100% locally
  • No code, findings, or project data is uploaded to external servers
  • No telemetry or usage tracking
  • SQLite history database is stored locally on your machine (~/.apiposture/history.db)

License Tiers

Pro License

  • OWASP Top 10 rules (AP101-AP108)
  • Secrets detection (AP201)
  • Diff mode
  • Historical tracking
  • Risk scoring
  • Standard support

Enterprise License

  • All Pro features
  • Priority support
  • Custom rule development
  • Site licenses available

Development Setup

This project depends on the free @apiposture/cli package via a local file: reference. You must clone and build it first as a sibling directory:

# Clone the free CLI (sibling directory)
git clone https://github.com/BlagoCuljak/ApiPosture.Node.js.git
cd ApiPosture.Node.js
npm install
npm run build
cd ..

# Clone this repo
git clone https://github.com/ApiPosture/ApiPosturePro.Node.js.git
cd ApiPosturePro.Node.js
npm install

# Verify everything works
npm run lint
npm run build
npm test

The expected directory structure:

parent/
  ApiPosture.Node.js/      # free CLI (must be built first)
  ApiPosturePro.Node.js/   # this repo

Changelog

1.0.0 (2025-02-24)

  • Initial release
  • OWASP Top 10 security rules (AP101-AP108) adapted for Node.js ecosystems
  • Source code analysis engine: rules inspect route handlers, middleware, and method bodies
  • File-level scanning for app configs, templates (EJS, Handlebars, Pug), and source files
  • Secrets detection (AP201) with 30+ patterns
  • Diff mode for comparing scans
  • Historical tracking with SQLite
  • Risk scoring analysis
  • Support for Express.js, NestJS, Fastify, and Koa

Copyright © 2025 ApiPosture. All rights reserved. | License Terms