npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@onamfc/security-scanner

v1.0.0

Published

Enterprise-grade CLI security scanner for detecting secrets and vulnerabilities in codebases

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

onamfconamfc

Keywords

securityscannersecretssastclivulnerabilityapi-keyssecurity-scannercode-analysis

Readme

Security Scanner

Enterprise-grade CLI security scanner for detecting exposed secrets and code vulnerabilities in your codebase.

Features

  • Secret Detection: 50+ patterns for API keys, tokens, passwords, and credentials

    • AWS, GitHub, Slack, Stripe, Google Cloud, Azure
    • Private keys (RSA, SSH, PGP)
    • Database connection strings
    • Generic API keys and tokens

  • SAST Vulnerability Detection: 30+ patterns for common security issues

    • SQL Injection
    • Cross-Site Scripting (XSS)
    • Command Injection
    • Path Traversal
    • Hardcoded Credentials
    • Insecure Cryptography
    • And more...

  • Entropy Analysis: Detect unknown secrets using Shannon entropy calculation

  • Performance: Parallel scanning with worker threads

  • Multiple Output Formats:

    • Terminal (colored tables)
    • JSON
    • SARIF 2.1.0 (GitHub integration)

  • Configurable: .secscanrc.json, .secscanrc.js, or package.json

  • Smart Filtering: Respects .gitignore and skips binary files

Installation

Global Installation

npm install -g @onamfc/security-scanner

Local Installation (Per-Project)

npm install --save-dev @onamfc/security-scanner

Usage

Basic Scan

# Scan current directory
secscan scan

# Scan specific directory
secscan scan /path/to/project

With Options

# Enable entropy detection
secscan scan --entropy

# Output as JSON
secscan scan --output json

# Save to file
secscan scan --output sarif --file results.sarif

# Custom entropy threshold
secscan scan --entropy --entropy-threshold 5.0

# Additional ignore patterns
secscan scan --ignore "**/*.test.ts" "**/*.spec.ts"

List Patterns

# List all patterns
secscan patterns

# Filter by category
secscan patterns --category secret
secscan patterns --category sast

# Filter by severity
secscan patterns --severity critical

Create Configuration File

# Create .secscanrc.json
secscan init

# Create .secscanrc.js
secscan init --format js

Configuration

Create a .secscanrc.json file in your project root:

{
  "ignore": [
    "**/node_modules/**",
    "**/dist/**",
    "**/.git/**",
    "**/test/**"
  ],
  "customPatterns": [],
  "enableEntropy": false,
  "entropyThreshold": 4.5,
  "outputFormat": "terminal",
  "parallel": true,
  "workers": 4
}

Or use package.json:

{
  "secscan": {
    "ignore": ["**/test/**"],
    "enableEntropy": true
  }
}

Custom Patterns

Add custom detection patterns:

{
  "customPatterns": [
    {
      "id": "custom-api-key",
      "description": "Company API Key",
      "regex": "MYCOMPANY_[A-Z0-9]{32}",
      "keywords": ["MYCOMPANY_"],
      "severity": "critical",
      "category": "secret"
    }
  ]
}

Programmatic Usage

import { scan, formatTerminalOutput } from '@onamfc/security-scanner';

const config = {
  path: '/path/to/scan',
  enableEntropy: true,
  outputFormat: 'terminal',
};

const result = await scan(config);
console.log(formatTerminalOutput(result));

// Exit with appropriate code
process.exit(result.findings.length > 0 ? 1 : 0);

Output Formats

Terminal (Default)

Colored table output with severity badges and file locations.

JSON

{
  "findings": [
    {
      "type": "aws-access-key-id",
      "description": "AWS Access Key ID",
      "severity": "critical",
      "file": "/path/to/file.ts",
      "line": 42,
      "column": 15,
      "match": "AKIA***",
      "context": "const key = 'AKIAIOSFODNN7EXAMPLE';",
      "category": "secret"
    }
  ],
  "filesScanned": 150,
  "duration": 1234,
  "errors": []
}

SARIF 2.1.0

Standard format for integration with GitHub Security, VS Code, and other tools.

secscan scan --output sarif --file results.sarif

CI/CD Integration

GitHub Actions

name: Security Scan

on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm install -g @onamfc/security-scanner
      - run: secscan scan --output sarif --file results.sarif
      - uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: results.sarif

Pre-commit Hook

# .husky/pre-commit
#!/bin/sh
npx secscan scan --no-parallel || exit 1

Exit Codes

  • 0: No issues found
  • 1: Security issues found
  • 2: Scan error

Performance

  • Scans 10,000+ files/second
  • Parallel processing with worker threads
  • Binary file detection and skipping
  • Memory-efficient line-by-line scanning

Patterns Included

Secrets (50+ patterns)

  • AWS Access Keys
  • GitHub Tokens (PAT, OAuth, App)
  • Slack Tokens & Webhooks
  • Google Cloud API Keys
  • Azure Storage Keys
  • Private Keys (RSA, SSH, EC, PGP)
  • Stripe API Keys
  • Database Connection Strings
  • NPM Tokens
  • And many more...

SAST Vulnerabilities (30+ patterns)

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Command Injection
  • Path Traversal
  • Hardcoded Credentials
  • Weak Cryptography (MD5, SHA1)
  • CORS Misconfiguration
  • Open Redirects
  • JWT Without Verification
  • And many more...

Contributing

Contributions are welcome! Please feel free to submit issues and pull requests.

License

MIT

Support

For issues, questions, or feature requests, please open an issue on GitHub.