
@apiposture/pro

v1.8.8

Advanced security analysis CLI for Node.js APIs — OWASP rules, secrets detection, risk scoring, diff mode, and historical tracking

ApiPosture Pro for Node.js

Professional security extension for Node.js API security scanning

Extends the open-source ApiPosture CLI for Node.js with advanced security rules, secrets detection, diff mode, historical tracking, and risk scoring.

🔒 100% Local Analysis - Your code never leaves your machine. All scanning is performed locally on your computer or CI/CD runner.

Features

Free Rules (AP001-AP008)

Included automatically — public endpoint detection, missing auth, authorization conflicts, sensitive route keywords, and more.

Pro Rules — OWASP Top 10 (AP101-AP108)

| ID | Name | Severity | What it detects |
|----|------|----------|-----------------|
| AP101 | Broken Access Control | Critical | Missing auth middleware, IDOR, database writes without auth, GET→destructive ops |
| AP102 | Cryptographic Failures | High | Weak hashing (MD5/SHA1), hardcoded crypto keys, sensitive data logging |
| AP103 | Injection Vulnerabilities | Critical | Raw SQL with string interpolation, eval(), insecure deserialization, child_process.exec with user input |
| AP104 | Insecure Design | High | Missing CSRF protection, missing input validation, missing rate limiting |
| AP105 | Security Misconfiguration | Medium | Permissive CORS (origin: *), missing Helmet, exposed stack traces, debug mode in prod |
| AP106 | Vulnerable Components | Medium | Legacy API patterns, deprecated frameworks, Node.js below 18 |
| AP107 | Authentication Failures | High | Missing audit logging on DELETE, plaintext password comparison |
| AP108 | SSRF Vulnerabilities | High | axios/fetch/http.get with user input, URL construction from variables |

Pro Rules — Secrets & File-Level

| ID | Name | Severity |
|----|------|----------|
| AP201 | Secrets in Code (30+ patterns: AWS, Azure, GCP, GitHub, Stripe, JWT, DB strings) | Critical |
| AP301–AP3xx | File-level: app.js/server.js misconfig, template XSS (`<%- %>`, `{{{ }}}`), eval(), insecure deserialization | Mixed |

Additional Pro Features

  • Risk Scoring — severity 40%, exposure 25%, sensitivity 25%, density 10%
  • Diff Mode — compare baseline vs current scan
  • History Tracking — SQLite-backed scan history with trends
  • Method Body Analysis — inspects route handlers and middleware

Supported Frameworks

Express.js, NestJS, Fastify, Koa

Installation

# Install Pro CLI
npm install -g @apiposture/pro

# Activate your license
apiposture-pro license activate XXXX-XXXX-XXXX-XXXX

# Verify activation
apiposture-pro license status

CI/CD: set license via environment variable

# The JWT token is stored in ~/.apiposture/license.json after activation.
# Use this JWT token (not the raw license key) as your CI secret:
export APIPOSTURE_LICENSE_KEY=<jwt-token-from-license.json>

Note: APIPOSTURE_LICENSE_KEY must contain the JWT token — not the raw XXXX-XXXX-XXXX-XXXX key. If set to a raw key the tool will warn and fall back to free-tier rules.

Usage

Scan

apiposture-pro scan /path/to/your/api
apiposture-pro scan . --output json --output-file report.json
apiposture-pro scan . --fail-on high
apiposture-pro scan . --severity medium

Diff Mode

apiposture-pro scan . --output json --output-file baseline.json
# ... make changes ...
apiposture-pro scan . --output json --output-file current.json
apiposture-pro diff baseline.json current.json
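The baseline-versus-current comparison described above, as an added example that is not ApiPosture's own code. The report shape `{ findings: [{ rule, severity, file, line }] }` is an assumption, since this page does not document the results.json layout.

```javascript
// Added example, not ApiPosture's own code: the core of what
// "apiposture-pro diff baseline.json current.json" has to compute.
// ASSUMED report shape: { findings: [{ rule, severity, file, line }] };
// the real results.json layout is not documented on this page.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// A finding is identified by rule + file + line: the same issue at the same
// location matches across scans; a new hit of the same rule elsewhere does not.
function findingKey(f) {
  return `${f.rule}|${f.file}|${f.line}`;
}

function diffScans(baseline, current) {
  const before = new Map(baseline.findings.map(f => [findingKey(f), f]));
  const after = new Map(current.findings.map(f => [findingKey(f), f]));
  return {
    introduced: [...after.values()].filter(f => !before.has(findingKey(f))),
    resolved: [...before.values()].filter(f => !after.has(findingKey(f))),
    unchanged: [...after.values()].filter(f => before.has(findingKey(f))),
  };
}

// What a PR gate cares about: the worst severity among newly introduced
// findings (null when the change introduced nothing new).
function worstIntroduced(diff) {
  let worst = null;
  for (const f of diff.introduced) {
    const sev = String(f.severity).toLowerCase();
    if (!worst || (SEVERITY_RANK[sev] || 0) > (SEVERITY_RANK[worst] || 0)) worst = sev;
  }
  return worst;
}

// Constructed sample reports for a stand-alone run.
const sampleBaseline = { findings: [
  { rule: 'AP101', severity: 'critical', file: 'routes/users.js', line: 42 },
  { rule: 'AP105', severity: 'medium', file: 'app.js', line: 7 },
] };
const sampleCurrent = { findings: [
  { rule: 'AP101', severity: 'critical', file: 'routes/users.js', line: 42 },
  { rule: 'AP201', severity: 'critical', file: 'config/db.js', line: 3 },
] };
```

Running `diffScans(sampleBaseline, sampleCurrent)` reports AP201 as introduced, AP105 as resolved and AP101 as unchanged.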

History

apiposture-pro history list
apiposture-pro history trend --path /path/to/api
apiposture-pro history show <scan-id>

License

apiposture-pro license status
apiposture-pro license deactivate

Enterprise

Enterprise features require an Enterprise license.

Compliance Reports

Generate SOC 2 / ISO 27001 compliance reports mapped to your scan findings:

apiposture-pro compliance report . --framework soc2 --output both
apiposture-pro compliance report . --framework iso27001 --output pdf --operator "Acme Corp"
apiposture-pro compliance report . --framework all --output both

Compliance Score in Scan

apiposture-pro scan . --comp-framework soc2
apiposture-pro scan . --comp-framework iso27001

Starter Kits

apiposture-pro compliance starter-kit soc2 ./compliance/
apiposture-pro compliance starter-kit iso27001 ./compliance/

Generates: .apiposture-policy.json, sample-report.html, github-actions/apiposture-pr-gate.yml, github-actions/apiposture-weekly-report.yml, README.md.

Policy Enforcement

Place .apiposture-policy.json in your project root — the scanner reads it automatically:

{
  "zero_tolerance": ["AP201", "AP101"],
  "warn": ["AP103", "AP104"]
}
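How a CI gate would combine this policy file with the `--fail-on` threshold, as an added example rather than the scanner's own implementation. Assumptions: findings look like `{ rule, severity, file, line }`, and a rule listed under `warn` still blocks when its own severity reaches the `--fail-on` level.

```javascript
// Added example, not ApiPosture's own code: a CI gate that applies the
// .apiposture-policy.json above together with the --fail-on severity threshold.
// ASSUMED: findings look like { rule, severity, file, line }, and a rule listed
// under "warn" still blocks if its own severity reaches the --fail-on level.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };
const RULE_ID = /^AP\d{3}$/;

// Validate the policy file before trusting it: an unknown key or a malformed
// rule id is a configuration error, not something to silently ignore.
function parsePolicy(jsonText) {
  const raw = JSON.parse(jsonText);
  const policy = { zero_tolerance: [], warn: [] };
  for (const key of Object.keys(raw)) {
    if (!(key in policy)) throw new Error(`unknown policy key: ${key}`);
    if (!Array.isArray(raw[key])) throw new Error(`${key} must be an array`);
    for (const id of raw[key]) {
      if (!RULE_ID.test(id)) throw new Error(`bad rule id in ${key}: ${id}`);
    }
    policy[key] = raw[key];
  }
  return policy;
}

function evaluatePolicy(findings, policy, failOn = 'high') {
  const zero = new Set(policy.zero_tolerance);
  const warn = new Set(policy.warn);
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown --fail-on level: ${failOn}`);
  const blocking = [];
  const warnings = [];
  for (const f of findings) {
    const rank = SEVERITY_RANK[String(f.severity).toLowerCase()] || 0;
    if (zero.has(f.rule) || rank >= threshold) blocking.push(f); // fails the build
    else if (warn.has(f.rule)) warnings.push(f);                  // reported only
  }
  return { pass: blocking.length === 0, blocking, warnings };
}

// Constructed sample input mirroring the policy shown on this page.
const samplePolicyJson = '{"zero_tolerance":["AP201","AP101"],"warn":["AP103","AP104"]}';
const sampleFindings = [
  { rule: 'AP201', severity: 'critical', file: 'config/db.js', line: 3 },
  { rule: 'AP104', severity: 'high', file: 'routes/orders.js', line: 18 },
  { rule: 'AP105', severity: 'medium', file: 'app.js', line: 7 },
];
```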

Operator Attribution

apiposture-pro scan . --operator "Security Team"

Audit Trail Export

apiposture-pro history export --format json
apiposture-pro history export --format pdf --output-file audit-export.pdf
apiposture-pro history export --scan-id 42 --format pdf --output-file audit-42.pdf

Integrity Verification

apiposture-pro verify
apiposture-pro verify --scan-id 42

CI/CD Integration

GitHub Actions

name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm install -g @apiposture/pro
      - run: apiposture-pro scan . --output json --output-file results.json --fail-on high
        env:
          APIPOSTURE_LICENSE_KEY: ${{ secrets.APIPOSTURE_LICENSE_KEY }}
      - uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: results.json

Azure DevOps

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '20.x'
  - script: npm install -g @apiposture/pro
  - script: apiposture-pro scan . --output json --output-file $(Build.ArtifactStagingDirectory)/results.json
    env:
      APIPOSTURE_LICENSE_KEY: $(ApiPostureLicenseKey)

GitLab CI

security_scan:
  image: node:20
  script:
    - npm install -g @apiposture/pro
    - apiposture-pro scan . --output json --output-file results.json
  variables:
    APIPOSTURE_LICENSE_KEY: $APIPOSTURE_LICENSE_KEY
  artifacts:
    paths:
      - results.json

Privacy

All analysis is performed 100% locally. No code, findings, or project data is uploaded to external servers. Only the license key is sent to api.apiposture.com during activation/validation. SQLite history is stored at ~/.apiposture/history.db.

License Tiers

| Feature | Pro | Enterprise |
|---------|-----|------------|
| Free rules (AP001-AP008) | ✓ | ✓ |
| OWASP rules (AP101-AP108) | ✓ | ✓ |
| Secrets detection (AP201) | ✓ | ✓ |
| File-level scanning (AP3xx) | ✓ | ✓ |
| Diff mode | ✓ | ✓ |
| Historical tracking | ✓ | ✓ |
| Risk scoring | ✓ | ✓ |
| Compliance reports (SOC 2 / ISO 27001) | — | ✓ |
| Compliance score + trend | — | ✓ |
| Starter kits | — | ✓ |
| Policy enforcement | — | ✓ |
| Audit trail export | — | ✓ |
| Operator attribution | — | ✓ |
| Integrity verification | — | ✓ |

Development Setup

This project depends on the free @apiposture/cli package via a local `file:` reference in package.json. Clone and build it first as a sibling directory:

git clone https://github.com/BlagoCuljak/ApiPosture.Node.js.git
cd ApiPosture.Node.js && npm install && npm run build && cd ..

git clone https://github.com/ApiPosture/ApiPosturePro.Node.js.git
cd ApiPosturePro.Node.js && npm install
npm run lint && npm run build && npm test

Changelog

1.1.0

  • Enterprise tier: compliance reports (SOC 2 / ISO 27001), compliance score, starter kits, policy enforcement, audit trail export, operator attribution, integrity verification

1.0.0 (2025-02-24)

  • Initial release: OWASP Top 10 rules (AP101-AP108), file-level scanning, secrets detection (AP201), diff mode, history tracking, risk scoring

Copyright © 2025 ApiPosture. All rights reserved. | License Terms