@goguard/scan
v0.1.0
Published
Security scanner for AI-generated code — finds hardcoded secrets, missing auth, data leaks, insecure configs
Readme
@goguard/scan
Security scanner for your codebase. Finds hardcoded secrets, missing auth, data leaks, insecure configs, and more — before you push.
Requires a GoGuard API key. Get yours at dashboard.goguard.dev/settings.
Install & Run
npx @goguard/scan --api-key sk_live_...Or set the key once as an env var:
export GOGUARD_API_KEY=sk_live_...
npx @goguard/scanScans the current directory by default. Pass a path to scan a specific folder:
npx @goguard/scan ./srcWhat it checks
| Check | Severity | Examples |
|-------|----------|---------|
| Hardcoded secrets | Critical | AWS keys, Stripe keys, GitHub tokens, DB passwords, private keys |
| Committed sensitive files | Critical | .env, credentials.json, *.pem in repo |
| Missing .gitignore | Critical | No .gitignore or missing key entries |
| Missing auth middleware | Critical/High | Routes like /admin/* without auth/jwt/session middleware |
| Raw SQL concatenation | High | `SELECT * FROM users WHERE id = ${id}` |
| Response data leaks | High | API returning password, secret, token fields |
| Insecure dependencies | High | Known CVEs via npm audit / pip audit |
| Supabase misconfig | Critical/High | Missing RLS, public storage, service role key in frontend |
| Firebase misconfig | Critical/High | allow read, write: if true in security rules |
| Weak JWT secrets | High | Short or common secrets like secret, password |
Options
--api-key GoGuard API key (or set GOGUARD_API_KEY env var)
--json Output results as JSON
--fail-on Exit code 1 if issues at this severity or above (critical, high, medium, low)
--help Show helpCI / GitHub Action
- uses: goguard/scan@v1
with:
api-key: ${{ secrets.GOGUARD_API_KEY }}
fail-on: highResults are automatically sent to your GoGuard dashboard under Vulnerabilities.
Example output
GoGuard Security Scan
Scanned 42 files in 320ms
5 issues found:
● 2 CRITICAL
● 3 HIGH
CRITICAL (2):
● .env:1
Stripe Secret Key found in source code
Fix: Move to server-side env var, never expose in frontend
● .gitignore
No .gitignore file found
Fix: Create a .gitignore with .env, node_modules, and sensitive file patterns
HIGH (3):
● src/routes/admin.ts:12
No auth middleware on GET /api/admin/users
Fix: Add authentication middleware before the route handler
...