npm package discovery and stats viewer.


© 2026 – Pkg Stats / Ryan Hefner

@ruizrica/mako-cli

v0.1.5

Mako Security CLI - scan for vulnerabilities in dependencies, code, and infrastructure

Readme

Mako Security CLI

Unified command-line tool for security scanning with server sync and AI-powered microtask fixes.

Features

  • SCA (Software Composition Analysis): Scan dependencies for known vulnerabilities
  • SAST (Static Application Security Testing): Detect secrets and code vulnerabilities
  • IaC (Infrastructure as Code): Scan Terraform, Docker, Kubernetes configs
  • Server Sync: Download vuln intel before scanning, upload results after
  • AI Microtask Fixes: Claude generates targeted fixes with exact file, line, and diff
  • Dashboard Commands: Check status, manage findings, view history from the terminal
  • Unified Reporting: JSON, SARIF, and terminal output formats
  • Policy Gates: Fail builds based on severity thresholds

Quick Start

# Initialize config
mako init

# Run a scan (local only)
mako scan

# Run a scan with AI fixes
ANTHROPIC_API_KEY=sk-ant-... mako scan --fix

# Run a scan with server sync + AI fixes
# (configure api.dsn in .mako-security.yml and export ANTHROPIC_API_KEY first)
mako scan --fix

The Pipeline

When fully configured, mako scan runs the following pipeline:

1. SYNC DOWN  → Download vuln intel + config from server
2. SCAN       → Run SCA/SAST/IaC against local files
3. AI FIX     → Generate microtask fixes for each finding
4. PRESENT    → Show findings + fixes in terminal
5. SYNC UP    → Upload results back to server

The sync and AI-fix steps are optional: with no API DSN and no ANTHROPIC_API_KEY configured, the CLI skips them and runs the scan and presentation steps entirely offline.

Commands

Scanning

mako scan              # Run all enabled scanners
mako scan --fix        # Run with AI microtask fixes
mako scan:sca          # SCA only
mako scan:sast         # SAST only
mako scan:iac          # IaC only

Dashboard (requires API)

mako status            # Project security posture + feed health
mako findings          # List findings from server
mako findings --severity critical,high
mako findings resolve abc123   # Mark finding as resolved
mako findings ignore def456    # Mark finding as ignored
mako history           # Scan run history
mako history --last 10

AI Microtask Fixes

When --fix is passed and ANTHROPIC_API_KEY is set, the CLI uses Claude to generate targeted fixes:

┌─ CRITICAL ──────────────────────────────────────────────────
│ SQL Injection in user query
│
│ 📁 src/routes/users.ts:47-49
│
│ ❌ Vulnerable:
│   const query = `SELECT * FROM users WHERE id = ${id}`;
│   const result = await db.execute(query);
│
│ ✅ Fixed:
│   const query = `SELECT * FROM users WHERE id = ?`;
│   const result = await db.execute(query, [id]);
│
│ 💡 User input is interpolated directly into the SQL string,
│    allowing arbitrary SQL injection. Use parameterized queries.
│ 🧪 Test: Run existing user query tests, verify parameterized queries
└─────────────────────────────────────────────────────────────

Each fix includes the exact file path, line numbers, the vulnerable code, a drop-in replacement, an explanation, and what to test. Review and test the diff before applying it; generating it sends the flagged code to the Anthropic API.
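The "🧪 Test" line above asks for a check that the parameterized query really keeps user input out of the SQL text. The following is an added example, not code from mako-cli or from the scanned project: it wraps both variants from the finding around a constructed stub `db` that records what would be sent to the driver, so a test can assert that the fixed query's SQL is constant and the hostile value travels only as a bound parameter.

```javascript
// Added example (not part of mako-cli). `makeDb` is a constructed stub that
// records (sql, params) pairs instead of talking to a real database.
function makeDb() {
  const calls = [];
  return {
    calls,
    async execute(sql, params = []) {
      calls.push({ sql, params }); // recorded synchronously, before any await
      return []; // nothing is executed behind this stub
    },
  };
}

// The two variants exactly as shown in the finding above.
async function findUserVulnerable(db, id) {
  const query = `SELECT * FROM users WHERE id = ${id}`;
  return db.execute(query);
}

async function findUserFixed(db, id) {
  const query = `SELECT * FROM users WHERE id = ?`;
  return db.execute(query, [id]);
}

// Constructed hostile input: a tautology that widens the WHERE clause.
const HOSTILE_ID = "1 OR 1=1";

// Reports what each variant hands to the driver. An async function runs
// synchronously up to its first await, and db.execute records before it
// returns its promise, so `calls` is populated without awaiting anything.
function compareQueries(id = HOSTILE_ID) {
  const vuln = makeDb();
  const fixed = makeDb();
  findUserVulnerable(vuln, id);
  findUserFixed(fixed, id);
  return {
    vulnerableSql: vuln.calls[0].sql,      // the input became part of the SQL
    fixedSql: fixed.calls[0].sql,          // the SQL text is unchanged
    fixedParams: fixed.calls[0].params,    // the input is a bound value
    sqlIsStatic: fixed.calls[0].sql === "SELECT * FROM users WHERE id = ?",
  };
}
```

A regression test of this shape fails if someone later reintroduces string interpolation, because `fixedSql` would then contain the hostile value.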

Configuration

.mako-security.yml:

version: 1

# Server sync (optional)
# The DSN embeds an API key: treat the file as a secret and keep it out of version control.
api:
  endpoint: https://api.mako.security
  dsn: https://<key>@api.mako.security/api/v1/<project-id>
  auto_upload: true

# AI fixes (optional, also needs ANTHROPIC_API_KEY env var)
ai:
  enabled: true
  model: claude-sonnet-4-20250514
  fix_severity: medium   # minimum severity for fixes

# Scanners
scanners:
  sca:
    enabled: true
    fail_on: high
  sast:
    enabled: true
    fail_on: medium
  iac:
    enabled: true
    fail_on: high
  dast:
    enabled: false

# Suppress findings
ignore:
  cves: []
  rules: []
  paths: []

Options

--json                Output as JSON
--sarif               Output in SARIF format
--quiet, -q           Suppress output
--fix                 Generate AI microtask fixes
--fix-severity LEVEL  Minimum severity for AI fixes (default: medium)
--config FILE         Custom config file path
--output FILE, -o     Write results to file
--severity-threshold  Override threshold (critical, high, medium, low, info)
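The `--sarif` option matters when results are uploaded to a code-scanning backend, and SARIF has only four result levels (error, warning, note, none), so the CLI's five severities have to be collapsed. The block below is an added example, not mako-cli's own SARIF writer, showing a minimal SARIF 2.1.0 log for the SQL injection finding from this README; the finding field names (ruleId, title, severity, path, startLine, endLine, message) and the rule id are assumptions for the example, since the CLI's JSON schema is not documented here.

```javascript
// Added example, not mako-cli code: minimal SARIF 2.1.0 output for findings.

// SARIF levels are coarser than the CLI's severities; the original severity
// is kept in the rule's `properties` so it is not lost in the mapping.
const SEVERITY_TO_LEVEL = {
  critical: "error",
  high: "error",
  medium: "warning",
  low: "note",
  info: "note",
};

// Constructed sample: the finding shown in "AI Microtask Fixes" above.
const SARIF_SAMPLE = [
  {
    ruleId: "sql-injection", // constructed rule id
    title: "SQL Injection in user query",
    severity: "critical",
    path: "src/routes/users.ts",
    startLine: 47,
    endLine: 49,
    message: "User input is interpolated directly into the SQL string; use parameterized queries.",
  },
];

function toSarif(findings, tool = { name: "mako", version: "0.1.5" }) {
  const rules = new Map(); // one rule entry per distinct ruleId
  const results = findings.map((f) => {
    if (!rules.has(f.ruleId)) {
      rules.set(f.ruleId, {
        id: f.ruleId,
        shortDescription: { text: f.title },
        properties: { severity: f.severity },
      });
    }
    return {
      ruleId: f.ruleId,
      level: SEVERITY_TO_LEVEL[f.severity] ?? "warning",
      message: { text: f.message },
      locations: [
        {
          physicalLocation: {
            // uriBaseId lets the consumer resolve the path against the repo root
            artifactLocation: { uri: f.path, uriBaseId: "SRCROOT" },
            region: { startLine: f.startLine, endLine: f.endLine ?? f.startLine },
          },
        },
      ],
    };
  });
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { ...tool, rules: [...rules.values()] } }, results }],
  };
}

// The string you would write to the file given with `-o results.sarif`.
function sarifJson(findings) {
  return JSON.stringify(toSarif(findings), null, 2);
}
```

Consumers that dedupe by rule expect `rules` to be populated, which is why the rule table is built alongside the results rather than emitted per result.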

Exit Codes

  • 0: All findings below threshold (pass)
  • 1: Findings at or above threshold (fail)
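The policy gate ties together the per-scanner `fail_on` values, the `ignore` lists and the `--severity-threshold` override from the sections above. The block below is an added example, not mako-cli's gate implementation: it evaluates the rule "exit 1 if any finding is at or above threshold" over constructed findings. The config is the `.mako-security.yml` from this README written as a JS object (the assumption being that a YAML loader yields the same shape); the finding field names, the rule ids and the reading of `--severity-threshold` as a global override of every scanner's `fail_on` are assumptions for the example.

```javascript
// Added example, not mako-cli code: policy-gate evaluation.

const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

// .mako-security.yml from this README as a JS object; `rules` entry constructed.
const GATE_CONFIG = {
  scanners: {
    sca: { enabled: true, fail_on: "high" },
    sast: { enabled: true, fail_on: "medium" },
    iac: { enabled: true, fail_on: "high" },
    dast: { enabled: false },
  },
  ignore: {
    cves: [],
    rules: ["hardcoded-secret"], // constructed rule id
    paths: ["test/"],
  },
};

// Constructed findings; `<cve-id>` is a placeholder, not a real identifier.
const GATE_FINDINGS = [
  { id: 1, scanner: "sast", ruleId: "sql-injection", severity: "critical", path: "src/routes/users.ts" },
  { id: 2, scanner: "sca", cve: "<cve-id>", severity: "medium", path: "package-lock.json" },
  { id: 3, scanner: "sast", ruleId: "hardcoded-secret", severity: "low", path: "test/fixtures/creds.js" },
  { id: 4, scanner: "iac", ruleId: "k8s-privileged-container", severity: "high", path: "deploy/api.yaml" },
  { id: 5, scanner: "dast", ruleId: "reflected-xss", severity: "critical", path: "https://example.test/" },
];

// A finding is suppressed if its CVE, its rule, or a path prefix is listed.
function isIgnored(f, ignore) {
  if (f.cve && ignore.cves.includes(f.cve)) return true;
  if (f.ruleId && ignore.rules.includes(f.ruleId)) return true;
  return ignore.paths.some((prefix) => f.path.startsWith(prefix));
}

// Returns the exit code the gate would produce, plus the findings behind it.
// thresholdOverride models --severity-threshold (assumed to apply globally).
function evaluateGate(findings, config, thresholdOverride) {
  const failing = [];
  const ignored = [];
  for (const f of findings) {
    const scanner = config.scanners[f.scanner];
    if (!scanner || !scanner.enabled) continue; // disabled scanners never gate
    if (isIgnored(f, config.ignore)) {
      ignored.push(f);
      continue;
    }
    const threshold = thresholdOverride ?? scanner.fail_on;
    if (SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]) failing.push(f);
  }
  return { exitCode: failing.length > 0 ? 1 : 0, failing, ignored };
}
```

With the sample data, the critical SAST finding and the high IaC finding fail the build, the medium SCA finding passes because SCA only fails on high, the fixture secret is suppressed by both its rule and its path, and the DAST finding is skipped because that scanner is disabled. Ignored findings are returned separately so a CI log can show what was suppressed rather than silently dropping it.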

Server-Side Vulnerability Intelligence

When connected to the Mako API, the server continuously syncs vulnerability data:

| Feed | Source | Schedule |
|------|--------|----------|
| NVD | NIST National Vulnerability Database | Every 30 min |
| OSV | Google Open Source Vulnerabilities | Every 30 min |
| GHSA | GitHub Security Advisories | Every 30 min |
| EPSS | FIRST.org Exploit Prediction Scores | Daily |
| CISA KEV | Known Exploited Vulnerabilities | Every 30 min |

The CLI syncs this data before scanning, enriching SCA findings with CVSS scores, EPSS probabilities, and CISA KEV flags.

License

MIT