
@esthernandez/vibe-sec-cli

v0.6.0

Published

Headless security scanner for vibe-coded apps — tier-aware secret detection with severity tiers and CI-safe exit codes. Self-contained bundle of the Vibe Sec audit engine; defers to gitleaks/trufflehog when present, in-house Layer A/B/C fallback otherwise

Readme

@esthernandez/vibe-sec-cli

Headless secret scanner for vibe-coded apps — CI-safe, zero runtime dependencies.

The standalone command-line surface of Vibe Sec. Scans a repo for leaked API keys, tokens, and credentials, classifies them by severity, masks every match, and emits a CI-friendly JSON report plus a terminal banner. Defers to gitleaks / trufflehog when they're on PATH; falls back to the in-house Layer A/B/C engine (provider regex + entropy + AST) when they're absent.

This package is a self-contained bundle — the detection engine and all of its dependencies are inlined into dist/cli.js, so it installs with no transitive npm packages. The richer ten-concern tier-aware audit (auth model, dependency CVEs, config posture, threat model, and so on) ships as the Vibe Sec Claude Code plugin via the /vibe-sec:* slash commands. This CLI is the fast, no-LLM, CI-lane secret scan.


Install

npm install -g @esthernandez/vibe-sec-cli

Or run without installing:

npx @esthernandez/vibe-sec-cli scan

Usage

# Scan the current directory
vibe-sec scan

# Bare invocation is the same as 'scan'
vibe-sec

# Scan a different directory
vibe-sec scan --root ./some-repo

# Write JSON elsewhere
vibe-sec scan --output /tmp/audit.json

# Treat medium findings as CI-breaking (default is "high")
vibe-sec scan --min-severity medium

# Print only JSON (machine-readable, no banner)
vibe-sec scan --json

Exit codes

  • 0 — clean, or findings below --min-severity
  • 1 — findings at or above --min-severity
  • 2 — scanner error (unreadable tree, bad args)

Wire it into CI:

- run: npx @esthernandez/vibe-sec-cli scan --min-severity high

When gitleaks or trufflehog is available on the runner, the CLI defers to it as the tool of record and re-classifies its findings; otherwise it runs the in-house engine. Either way, findings are masked and the exit-code contract is identical.


What it detects

The in-house fallback engine covers the canonical provider-prefix catalog — AWS, GitHub PATs (classic + fine-grained), Stripe (live + test), OpenAI, Anthropic, Google, Slack, DB URLs with embedded credentials, private-key blocks, JWTs, and generic api_key = "..." / secret = "..." assignments — plus an entropy layer and an AST layer for structural matches. Context-aware downgrades apply for example|sample|mock|fake|placeholder|dummy|template|fixture paths, and documented placeholder keys are suppressed.

What it skips

  • node_modules, .git, .venv, venv, dist, build, coverage, .next, .nuxt, .turbo, .cache, __pycache__, .vibe-sec
  • Binary files (png, jpg, pdf, zip, …)
  • Files larger than 1 MB

Output

The scanner writes two artifacts.

Terminal banner

  vibe-sec scan · v0.2.0 · in-house
  342 files scanned · /path/to/repo

  Findings:
    CRITICAL   1
    HIGH       1

    critical AWS_ACCESS_KEY_ID            src/config.ts:1:17
    high     DATABASE_URL_WITH_CREDENTIALS src/config.ts:2:16

  → JSON report: .vibe-sec/state/audit.json

JSON sidecar (.vibe-sec/state/audit.json)

{
  "version": 1,
  "scanner": "vibe-sec",
  "scannerVersion": "0.2.0",
  "toolOfRecord": "in-house",
  "scannedAt": "2026-05-25T01:41:17.418Z",
  "rootDir": "/path/to/repo",
  "filesScanned": 1,
  "counts": { "critical": 1, "high": 1, "medium": 0, "low": 0 },
  "findings": [
    {
      "pattern": "AWS_ACCESS_KEY_ID",
      "severity": "critical",
      "file": "config.js",
      "line": 1,
      "column": 17,
      "match": "AKIAAB…4567",
      "preview": "const awsKey = \"AKIAAB…4567\";",
      "remediation": "Rotate this AWS access key in IAM. Move secrets to environment variables or AWS Secrets Manager."
    }
  ]
}

The match field is always masked — the scanner never prints full secrets to logs or JSON.
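As an added example that is not part of the package, the Node.js snippet below consumes an audit.json sidecar in the shape shown above and re-derives the exit-code contract from the Exit codes section, so a pipeline can gate on a stored report. The severity order critical > high > medium > low is an assumption taken from the counts object; the sample report and its values are constructed.

```javascript
// Added example, not code from @esthernandez/vibe-sec-cli: a consumer for the
// audit.json sidecar that applies the CLI's exit-code contract to a saved report.
// Assumption: severities rank critical > high > medium > low (order of "counts").
const SEVERITY_RANK = { critical: 3, high: 2, medium: 1, low: 0 };

// 0 = clean or every finding below minSeverity
// 1 = at least one finding at or above minSeverity
// 2 = unusable input (bad threshold or malformed report), like a scanner error
function exitCodeFor(report, minSeverity = "high") {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) return 2;
  if (!report || report.version !== 1 || !Array.isArray(report.findings)) return 2;
  const breaking = report.findings.filter(
    (f) => (SEVERITY_RANK[f.severity] ?? -1) >= threshold
  );
  return breaking.length > 0 ? 1 : 0;
}

// Same contract, but starting from the raw JSON text (e.g. read from
// .vibe-sec/state/audit.json); a parse failure is reported as exit code 2.
function gateFromJson(text, minSeverity = "high") {
  let report;
  try {
    report = JSON.parse(text);
  } catch {
    return 2;
  }
  return exitCodeFor(report, minSeverity);
}

// Group CI-breaking findings by file so the log shows where to look first.
// Only the already-masked "match" field is echoed, never a full secret.
function breakingByFile(report, minSeverity = "high") {
  const threshold = SEVERITY_RANK[minSeverity] ?? Infinity;
  const out = {};
  for (const f of report.findings ?? []) {
    if ((SEVERITY_RANK[f.severity] ?? -1) < threshold) continue;
    (out[f.file] ??= []).push(`${f.severity} ${f.pattern} ${f.match} :${f.line}:${f.column}`);
  }
  return out;
}

// Constructed sample in the sidecar's shape (all values made up).
const SAMPLE_REPORT = {
  version: 1,
  scanner: "vibe-sec",
  toolOfRecord: "in-house",
  counts: { critical: 1, high: 0, medium: 1, low: 0 },
  findings: [
    { pattern: "AWS_ACCESS_KEY_ID", severity: "critical", file: "src/config.ts", line: 1, column: 17, match: "AKIAAB…4567" },
    { pattern: "GENERIC_API_KEY", severity: "medium", file: "src/client.ts", line: 9, column: 12, match: "sk_t…e1" },
  ],
};
```

In a pipeline, read the sidecar with `fs.readFileSync` and pass its text to `gateFromJson`, then call `process.exit` with the result to mirror the CLI's own exit codes.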


Part of 626 Labs. MIT licensed.