
@securitychecks/cli

v0.4.0

Published

SecurityChecks CLI - Verify security invariants in your backend code

Readme

@securitychecks/cli

Verify security invariants in your backend code. Auth enforcement, injection safety, access control, webhook idempotency, and more — with evidence.

Quick Start

npx @securitychecks/cli run

That's it. No signup required. The CLI runs locally and your code never leaves your machine.

Installation

# Global install
npm install -g @securitychecks/cli

# Then run
scheck run

What It Checks

SecurityChecks checks your backend against invariants whose violation causes production incidents:

| Invariant | What It Catches |
|-----------|-----------------|
| AUTHZ.SERVICE_LAYER | Service methods callable without authorization |
| WEBHOOK.IDEMPOTENT | Webhooks that double-process on retry |
| WEBHOOK.SIGNATURE.VERIFIED | Unverified webhook signatures |
| TRANSACTION.SIDE_EFFECTS | Emails/notifications sent before commit |
| CACHE.INVALIDATION | Stale permissions after auth changes |
| DATAFLOW.UNTRUSTED.SQL | SQL injection via string interpolation |
| AUTHZ.RLS.MULTI_TENANT | Missing tenant isolation in queries |

Commands

scheck run

Verify your codebase against security invariants.

# Basic scan
scheck run

# Scan specific path
scheck run --path ./src

# CI mode - fail on new violations
scheck run --ci

# Output as JSON
scheck run --json

# Generate SARIF report (for GitHub Code Scanning)
scheck run --sarif report.sarif

# Show posture report (invariant-by-invariant pass/fail)
scheck run --posture

# Export JSON proof artifact
scheck run --posture-report posture.json

# Only check changed files
scheck run --changed

# Watch mode
scheck run --watch

Options:

  • -p, --path <path> - Target path (default: current directory)
  • --changed - Only check changed files (requires git)
  • --ci - CI mode - fail on new violations
  • --all - Show all findings including P2
  • --only <invariants...> - Only run specific checks
  • --skip <invariants...> - Skip specific checks
  • --json - Output as JSON
  • --sarif <path> - Write SARIF report
  • --posture - Show invariant-by-invariant posture view
  • --posture-report <path> - Write JSON proof artifact
  • -v, --verbose - Verbose output
  • -w, --watch - Watch for changes

scheck explain <invariant>

Get a deep-dive on any invariant - why it matters, what good looks like.

scheck explain AUTHZ.SERVICE_LAYER
scheck explain WEBHOOK.IDEMPOTENT

scheck list-invariants

List all supported invariants (optionally filtered).

# Human-readable list
scheck list-invariants

# Filter by severity/category
scheck list-invariants --severity P0
scheck list-invariants --category webhooks

# JSON for scripting
scheck list-invariants --json

scheck generate-test <invariantId>

Generate a test skeleton that proves an invariant is enforced.

scheck generate-test WEBHOOK.IDEMPOTENT
scheck generate-test AUTHZ.SERVICE_LAYER.ENFORCED --framework jest

scheck preflight

Quick deployment readiness check — a curated subset of invariants focused on "is this safe to ship?"

# Interactive checklist
scheck preflight

# JSON output for CI gates
scheck preflight --json

# Check specific path
scheck preflight --path ./src

Returns a readiness score (0-100) and pass/fail for each check.

scheck baseline

Manage known issues so you can adopt incrementally.

# Mark current findings as known
scheck baseline --update

# Show current baseline
scheck baseline --show

# Remove stale entries
scheck baseline --prune

scheck waive <findingId>

Temporarily waive a finding with a reason and expiration.

scheck waive AUTHZ.SERVICE_LAYER:src/services/user.ts:42 \
  --reason-key will_fix_later \
  --reason "Auth handled by upstream middleware" \
  --expires 30d

scheck init

Initialize SecurityChecks in your project.

# Basic init
scheck init

# With git pre-commit hook
scheck init --hooks

scheck waiver

View and manage temporary waivers.

# Show all active waivers
scheck waiver --show

# Show waivers expiring within 7 days
scheck waiver --expiring

# Remove expired waivers
scheck waiver --prune

scheck feedback <invariantId>

Report whether a finding was a true positive or false positive.

scheck feedback WEBHOOK.IDEMPOTENT --verdict fp --reason not_applicable

Cloud Features (Optional)

Connect to SecurityChecks cloud for dashboards, team collaboration, and CI integration.

# Login with API key
scheck login --api-key sk_xxx

# Or set an environment variable (preferred in CI: a key passed as a flag
# ends up in shell history and process listings)
export SECURITYCHECKS_API_KEY=sk_xxx

# Sync findings to dashboard
scheck sync --project my-project

# Check login status
scheck login --check

# Log out
scheck logout

scheck config

Manage cloud configuration.

# Show current config
scheck config --show

# Set default project
scheck config --project my-project

# Enable/disable cloud mode
scheck config --cloud-enabled
scheck config --no-cloud-enabled

# Clear all config
scheck config --clear

Get your API key at securitychecks.ai.

CI Integration

GitHub Actions

- name: Run SecurityChecks
  run: npx @securitychecks/cli run --ci

With baseline (recommended)

Run scheck baseline --update once and persist the baseline it records where the CI run can see it; the same --ci invocation then fails only on findings that are not in the baseline.

- name: Run SecurityChecks
  run: |
    npx @securitychecks/cli run --ci
  # Fails only on NEW findings, not baselined ones
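An added example of a complete workflow, not taken from the SecurityChecks README: it gates pull requests with --ci and forwards the SARIF report to GitHub Code Scanning with github/codeql-action/upload-sarif. The workflow, job and step names, the Node version, the report path and the combination of --ci with --sarif in one invocation are assumptions; the security-events: write permission is what upload-sarif requires.

```yaml
# Added example, not part of @securitychecks/cli. Assumed: --ci and --sarif
# can be combined in one run, and report.sarif is the chosen output path.
name: securitychecks
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
  security-events: write   # needed by upload-sarif to publish Code Scanning alerts
jobs:
  scheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Run SecurityChecks
        # --ci fails the step on findings not covered by the committed baseline
        run: npx @securitychecks/cli run --ci --sarif report.sarif
      - name: Upload SARIF to GitHub Code Scanning
        if: always()         # publish the report even when the scan step failed the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: report.sarif
```

The `if: always()` on the upload step matters: a failing scan is exactly the run whose findings you want visible in the Security tab, and without it the upload is skipped whenever --ci exits non-zero.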

Privacy

  • Local execution: All analysis runs on your machine
  • No code upload: Your code never leaves your environment
  • Cloud optional: Dashboard sync is opt-in only

License

Apache-2.0. See LICENSE for details.