© 2026 – Pkg Stats / Ryan Hefner

@ktbatterham/external-posture-core

v0.8.0

Published

Low-noise external posture analysis core for web targets.

Readme

@ktbatterham/external-posture-core

License: MIT

Low-noise external posture analysis for public web targets.

This package is the reusable scanner engine extracted from the External Posture Insight app. It is designed for passive or near-passive posture assessment rather than active exploitation or noisy recon.

Safety model

External Posture Insight is passive-first and production-conscious, but it is not magic invisibility dust. A standard scan may make DNS queries, perform TLS handshakes, fetch the target page, follow redirects, query third-party public datasets such as Certificate Transparency / OSV, and run a small set of low-noise HTTP checks. It does not attempt exploitation, brute forcing, authentication bypass, form submission, fuzzing, password testing, or vulnerability exploitation.

Use it only against systems you own or are authorized to assess. Results are heuristic and should be treated as decision support, not a formal penetration test or compliance attestation.

What it covers

  • HTTP security headers and redirect posture
  • TLS and certificate inspection
  • Cookie hygiene
  • Passive HTML inspection
  • AI surface and third-party trust signals
  • Low-noise exposure, CORS, API-surface, and DNS/mail posture checks
  • OWASP/MITRE-aligned finding labels
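The checks in that list are easier to reason about with a concrete posture evaluation in front of you. The following is an added example, not code from this package or the External Posture Insight app: it runs header, redirect and cookie-hygiene checks over a constructed HTTP response (no network access). The function names, finding ids and severities are hypothetical choices made for the example.

```javascript
// Added example: a small posture checker over a constructed HTTP response.
// It is NOT the package's implementation; it illustrates the header,
// redirect and cookie checks listed above. Names and ids are hypothetical.

const SEVERITY = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

// Parse one Set-Cookie value into { name, flags } with lowercase attribute keys.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const flags = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    flags[k] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name, flags };
}

// resp = { url, status, headers (lowercase keys), setCookie: [raw values] }
function checkResponsePosture(resp) {
  const findings = [];
  const add = (id, severity, message) => findings.push({ id, severity, message });
  const h = resp.headers;
  const isHttps = resp.url.startsWith("https://");

  // Redirect posture: a plain-HTTP entry point should 3xx to an https:// URL.
  if (!isHttps) {
    const loc = h["location"] || "";
    if (!(resp.status >= 301 && resp.status <= 308 && loc.startsWith("https://"))) {
      add("redirect-to-https", "high", "plain-HTTP entry point does not redirect to HTTPS");
    }
  }
  // HSTS is only honoured on the HTTPS origin, so only evaluate it there.
  if (isHttps) {
    const hsts = h["strict-transport-security"];
    const maxAge = hsts ? Number((/max-age=(\d+)/i.exec(hsts) || [])[1]) : NaN;
    if (!hsts) add("hsts-missing", "medium", "Strict-Transport-Security absent");
    else if (!(maxAge >= 31536000)) add("hsts-short", "low", `HSTS max-age is ${maxAge}, want >= 31536000`);
  }
  if (!h["content-security-policy"]) add("csp-missing", "medium", "Content-Security-Policy absent");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff")
    add("nosniff-missing", "low", "X-Content-Type-Options: nosniff absent");
  if (!h["x-frame-options"] && !/frame-ancestors/i.test(h["content-security-policy"] || ""))
    add("clickjacking", "low", "no X-Frame-Options and no CSP frame-ancestors");

  // Cookie hygiene: Secure, HttpOnly, SameSite, and the __Host- prefix rules
  // (Secure, Path=/, no Domain attribute).
  for (const raw of resp.setCookie || []) {
    const { name, flags } = parseSetCookie(raw);
    if (!flags.secure) add("cookie-insecure", "medium", `cookie ${name} lacks Secure`);
    if (!flags.httponly) add("cookie-scriptable", "low", `cookie ${name} lacks HttpOnly`);
    if (!flags.samesite) add("cookie-samesite", "low", `cookie ${name} lacks SameSite`);
    if (name.startsWith("__Host-") && (flags.domain || flags.path !== "/" || !flags.secure))
      add("cookie-host-prefix", "medium", `cookie ${name} violates __Host- prefix rules`);
  }
  // Highest severity first (Array.prototype.sort is stable in modern Node).
  return findings.sort((a, b) => SEVERITY[b.severity] - SEVERITY[a.severity]);
}

// Constructed sample response; not captured from any real site.
const SAMPLE_RESPONSE = {
  url: "https://example.test/",
  status: 200,
  headers: {
    "content-type": "text/html",
    "strict-transport-security": "max-age=300",
    "x-content-type-options": "nosniff",
  },
  setCookie: [
    "session=abc123; Path=/; HttpOnly",
    "__Host-csrf=xyz; Secure; Path=/; Domain=example.test",
  ],
};

console.log(JSON.stringify(checkResponsePosture(SAMPLE_RESPONSE), null, 2));
```

Note the HTTPS guard around the HSTS check: flagging a missing Strict-Transport-Security header on an http:// response is noise, because browsers ignore it there; the useful finding on that origin is whether it redirects to HTTPS at all.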

Current status

This package is published and consumable from npm as @ktbatterham/external-posture-core.

It is also used by the External Posture Insight app from the local workspace during development.

Release workflow

  • local package check: npm run pack:core
  • CI verification: .github/workflows/core-package-checks.yml
  • publish workflow: .github/workflows/publish-core-package.yml
  • publish requires an NPM_TOKEN repository secret

Recommended release flow:

  1. update the version in packages/core/package.json
  2. run npm run test:core
  3. run npm run pack:core
  4. create and push a tag like core-v0.1.1
  5. let the publish workflow release the package

See also:

  • packages/core/CHANGELOG.md
  • packages/core/RELEASING.md

Public API

CLI

The package now includes a pipe-friendly CLI:

npx @ktbatterham/external-posture-core scan example.com

Install globally if you want the short command:

npm install -g @ktbatterham/external-posture-core
epi scan example.com

Scan multiple targets in one run:

npx @ktbatterham/external-posture-core scan example.com github.com bbc.co.uk
epi scan example.com github.com bbc.co.uk

Available output formats:

npx @ktbatterham/external-posture-core scan example.com --format summary
npx @ktbatterham/external-posture-core scan example.com --format json
npx @ktbatterham/external-posture-core scan example.com --format markdown
npx @ktbatterham/external-posture-core scan example.com --format sarif
npx @ktbatterham/external-posture-core scan example.com --format ci-json

The CLI writes machine-readable report output to stdout, and lightweight multi-target progress to stderr only when running interactively. This keeps JSON/SARIF output pipe-friendly.

CI policy modes:

npx @ktbatterham/external-posture-core scan example.com github.com --fail-on warning
npx @ktbatterham/external-posture-core scan example.com --baseline previous-report.json --fail-on-regression
npx @ktbatterham/external-posture-core scan example.com github.com --fail-if-score-below 75
npx @ktbatterham/external-posture-core compare current-report.json baseline-report.json --fail-on critical --fail-on-regression

  • --fail-on sets exit code 1 when findings at or above the selected severity are present.
  • --fail-on-regression sets exit code 1 when the baseline comparison detects a regression (score drop, new issues, or worse HTTP status class).
  • --fail-if-score-below sets exit code 1 when any scanned target score is below the given threshold.

Write results to a file:

npx @ktbatterham/external-posture-core scan example.com --format json --output report.json

Compare against a previously saved JSON report:

npx @ktbatterham/external-posture-core scan example.com --baseline previous-report.json

Compare two saved reports directly:

npx @ktbatterham/external-posture-core compare current-report.json baseline-report.json
npx @ktbatterham/external-posture-core compare current-report.json baseline-report.json --format sarif

Batch scans return:

  • summary: one line per target
  • markdown: a compact comparison table
  • sarif: one SARIF log containing findings across all scanned targets
  • ci-json: compact machine-readable output with policy pass/fail status
  • json:
{
  "analyses": [{ "...": "scan result" }]
}

Direct report comparison returns:

  • summary: score, status, and change summary
  • markdown: a compact comparison report
  • sarif: only findings that are newly introduced in the current report versus the baseline
  • ci-json: compact machine-readable output with policy pass/fail status and diff details
  • json:
{
  "current": { "...": "latest saved report" },
  "baseline": { "...": "older saved report" },
  "diff": { "...": "structured change summary" }
}
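To make the CI policy modes and the baseline comparison above concrete, here is an added example (not the package's own code) that implements the same three gates, --fail-on, --fail-if-score-below and --fail-on-regression, over saved reports, using the regression definition given above (score drop, new findings, or worse HTTP status class). The report shape it reads, { target, score, httpStatus, findings: [{ id, severity }] }, is an assumption made for the example; the real JSON output carries the full scan result and is not documented field by field on this page.

```javascript
// Added example: a CI policy gate over saved scan reports, mirroring the CLI
// flags --fail-on, --fail-if-score-below and --fail-on-regression. This is
// NOT the package's implementation. The report shape
// { target, score, httpStatus, findings: [{ id, severity }] } is assumed.

const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

// HTTP status class: 2 for 2xx, 3 for 3xx, ... A higher class counts as worse.
const statusClass = (status) => Math.floor(status / 100);

// Structured change summary between two reports for the same target.
function diffReports(current, baseline) {
  const baseIds = new Set(baseline.findings.map((f) => f.id));
  const curIds = new Set(current.findings.map((f) => f.id));
  const newFindings = current.findings.filter((f) => !baseIds.has(f.id));
  const resolvedFindings = baseline.findings.filter((f) => !curIds.has(f.id));
  const scoreDelta = current.score - baseline.score;
  const statusWorsened = statusClass(current.httpStatus) > statusClass(baseline.httpStatus);
  return {
    target: current.target,
    scoreDelta,
    newFindings,
    resolvedFindings,
    statusWorsened,
    regression: scoreDelta < 0 || newFindings.length > 0 || statusWorsened,
  };
}

// reports: [{ current, baseline? }]  policy: { failOn?, failIfScoreBelow?, failOnRegression? }
// Returns { exitCode, reasons }; exitCode 1 means the CI job should fail.
function evaluatePolicy(reports, policy) {
  const reasons = [];
  const threshold = policy.failOn ? SEVERITY_RANK[policy.failOn] : null;
  for (const { current, baseline } of reports) {
    if (threshold !== null) {
      const hits = current.findings.filter((f) => SEVERITY_RANK[f.severity] >= threshold);
      if (hits.length) reasons.push(`${current.target}: ${hits.length} finding(s) at or above ${policy.failOn}`);
    }
    if (policy.failIfScoreBelow !== undefined && current.score < policy.failIfScoreBelow) {
      reasons.push(`${current.target}: score ${current.score} below ${policy.failIfScoreBelow}`);
    }
    if (policy.failOnRegression && baseline) {
      const d = diffReports(current, baseline);
      if (d.regression) {
        reasons.push(`${current.target}: regression (score delta ${d.scoreDelta}, ` +
          `${d.newFindings.length} new finding(s), status worsened: ${d.statusWorsened})`);
      }
    }
  }
  return { exitCode: reasons.length ? 1 : 0, reasons };
}

// Constructed sample reports; not real scan output.
const BASELINE_REPORT = {
  target: "example.test", score: 82, httpStatus: 200,
  findings: [{ id: "hsts-missing", severity: "medium" }],
};
const CURRENT_REPORT = {
  target: "example.test", score: 78, httpStatus: 200,
  findings: [
    { id: "hsts-missing", severity: "medium" },
    { id: "csp-missing", severity: "high" },
  ],
};

console.log(evaluatePolicy(
  [{ current: CURRENT_REPORT, baseline: BASELINE_REPORT }],
  { failOn: "high", failIfScoreBelow: 75, failOnRegression: true },
));
```

Findings are matched by id only; a finding whose severity changed between runs therefore counts as neither new nor resolved here, which keeps the gate from flapping when a rule's weighting is tuned but means a severity increase alone will not trip --fail-on-regression in this example.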

Show usage:

npx @ktbatterham/external-posture-core --help

analyzeUrl(url)

Run a full posture analysis for a public target.

import { analyzeUrl } from "@ktbatterham/external-posture-core";

const result = await analyzeUrl("https://example.com");
console.log(result.score, result.grade);

analyzeTarget remains available as a compatibility alias, but analyzeUrl is the primary public entrypoint.

When a baseline report is supplied to the CLI scan command with --baseline, summary and Markdown output append a Changes Since Baseline section. JSON output returns:

{
  "analysis": { "...": "latest scan result" },
  "diff": { "...": "structured change summary" }
}

analyzeHtmlDocument(url, html)

Run passive HTML/content analysis against a fetched HTML document.

import { analyzeHtmlDocument } from "@ktbatterham/external-posture-core";

const htmlSecurity = analyzeHtmlDocument("https://example.com", "<html>...</html>");
console.log(htmlSecurity.clientExposureSignals);
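As an illustration of what passive HTML inspection means in practice, here is an added example that is not the package's implementation: it inspects an already-fetched document without issuing any requests, listing cross-origin scripts, cross-origin scripts that lack Subresource Integrity, inline scripts, and forms that post over plain HTTP. The function name inspectHtml and its result shape are hypothetical, the attribute extractor is a deliberately minimal tokenizer rather than a full HTML parser, and the HTML and integrity value are constructed for the example.

```javascript
// Added example: passive inspection of a fetched HTML document. This is NOT
// the package's implementation; inspectHtml and its result shape are
// hypothetical. It issues no requests: the input is a constructed string.

// Minimal attribute extractor for one tag's attribute text (not a full HTML parser).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Attribute maps of every opening <name ...> tag in the document.
function tagsOf(html, name) {
  const re = new RegExp(`<${name}\\b([^>]*)>`, "gi");
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(parseAttrs(m[1]));
  return out;
}

function inspectHtml(pageUrl, html) {
  const page = new URL(pageUrl);
  const resolve = (ref) => { try { return new URL(ref, page); } catch { return null; } };
  const thirdPartyScripts = [];
  const missingSri = [];
  const insecureForms = [];
  let inlineScripts = 0;

  // Scripts: same-origin vs third-party, and SRI coverage for third-party ones.
  for (const s of tagsOf(html, "script")) {
    if (!s.src) { inlineScripts++; continue; }
    const u = resolve(s.src);
    if (!u) continue;
    if (u.origin !== page.origin) {
      thirdPartyScripts.push(u.href);
      if (!s.integrity) missingSri.push(u.href);
    }
  }
  // Forms: an action over plain HTTP sends whatever the user types in cleartext.
  for (const f of tagsOf(html, "form")) {
    const u = resolve(f.action || "");
    if (u && u.protocol === "http:") insecureForms.push(u.href);
  }
  return { inlineScripts, thirdPartyScripts, missingSri, insecureForms };
}

// Constructed sample document; the hosts and the integrity value are made up.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-abc"></script>
<script src="//analytics.example.org/t.js" async></script>
<script>window.dataLayer = [];</script>
</head><body>
<form action="http://example.test/login" method="post"><input name="u"></form>
<form action="/search"><input name="q"></form>
</body></html>`;

console.log(inspectHtml("https://example.test/", SAMPLE_HTML));
```

Origin comparison goes through the URL constructor rather than string prefixes so that protocol-relative references such as //analytics.example.org/t.js resolve against the page's scheme and are classified correctly.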

Notes

  • Only use this against targets you are authorized to assess.
  • The package is intentionally conservative about active probing.
  • Scoring is heuristic and should be treated as a prioritization aid, not an absolute security truth.
  • The author is not responsible for misuse, unauthorized scanning, operational impact, or decisions made from the output without appropriate validation.