
© 2026 – Pkg Stats / Ryan Hefner

@snitchplugin/cli

v2.1.14

Published

Snitch CLI. Unified surface for Snitch security audits AND Snitch: Marketing audits. Runs on your device with your own AI provider key; Snitch's servers never receive your code or your audit findings. PKCE login, scope-gated subcommands.

Downloads

3,152

Readme

Snitch CLI

Local AI security scanner. Runs on your laptop with your own Claude Code, Codex, Gemini, or OpenRouter key. Source code never leaves your machine.

You get a markdown report and a SARIF 2.1.0 file, ready for GitHub Code Scanning or any SARIF-aware CI.

Install

npm i -g @snitchplugin/cli

Requires Node 20 or newer. If you don't have Node, use the static binary from Homebrew instead:

brew install snitchplugin/tap/snitch

Both paths put snitch on your PATH.

Authenticate

Existing customers grab their license key at https://snitchplugin.com/login. New sign-ups are currently paused while we manage demand; join the waitlist at https://snitchplugin.com.

snitch auth --key snch_your_key_here

This validates the key against snitchplugin.com, saves it to ~/.snitch/config.json with file mode 0600, and does not prompt for it again on later runs.

Scan

cd your-repo
snitch scan                  # changed files vs origin/main
snitch scan --full           # every tracked file in the repo
snitch scan @src/auth.ts     # one file
snitch scan @packages/api    # an entire folder
snitch scan '#123'           # files in a specific GitHub PR (requires gh CLI); quote it, an unquoted # starts a shell comment

Output lands in the repo root as SECURITY_AUDIT_REPORT.md and SECURITY_AUDIT_REPORT.sarif.

What it looks for

68 categories across:

  • Injection and data handling (SQL injection, XSS, SSRF, path traversal, unsafe deserialization)
  • Authentication and session (JWT, OAuth, CSRF, cookie flags)
  • Secrets and credentials (hardcoded keys, .env in git, weak key generation)
  • AI-specific risks (prompt injection, unsanitized LLM output, tool-call abuse)
  • Supply chain (dependency confusion, unsafe post-install, typosquatting)
  • Access control (IDOR, missing authz, RLS bypass)
  • Cryptography (weak hashing, predictable IVs, custom crypto)
  • Platform-specific (Cloudflare Workers, Next.js, Supabase, React Native)

Your plan determines how many of these categories run on each scan; higher tiers unlock the full set.

Providers

Pick any of these. All run locally; the AI call is a subprocess or a direct API call with your own key.

# Claude Code (default if installed)
snitch scan --provider local-cli --model claude

# OpenAI Codex
snitch scan --provider local-cli --model codex

# Gemini CLI
snitch scan --provider local-cli --model gemini

# Direct OpenRouter (pay by the token)
export OPENROUTER_API_KEY=sk-or-...
snitch scan --provider openrouter

CI

Set SNITCH_LICENSE_KEY as a repository secret, add a step that installs the CLI, then run snitch scan. Unless you install one of the local Claude / Codex / Gemini CLIs on the runner, pass --provider openrouter and supply OPENROUTER_API_KEY as a secret as well. The default scan diffs against origin/main, so check out with full history, and the upload step needs the security-events: write permission. The SARIF output uploads cleanly to GitHub Code Scanning.

permissions:
  contents: read
  security-events: write      # required by upload-sarif
steps:
  - uses: actions/checkout@v4
    with:
      fetch-depth: 0            # default scan diffs against origin/main
  - run: npm i -g @snitchplugin/cli
  - run: snitch scan --provider openrouter   # hosted runners have no local Claude/Codex/Gemini CLI
    env:
      SNITCH_LICENSE_KEY: ${{ secrets.SNITCH_LICENSE_KEY }}
      OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
  - uses: github/codeql-action/upload-sarif@v3
    with:
      sarif_file: SECURITY_AUDIT_REPORT.sarif

Privacy

The CLI talks to snitchplugin.com only for:

  • License key validation
  • Downloading the security methodology your plan entitles you to
  • Posting per-scan counters: file count, finding counts, duration. NO repo name, PR number, or branch.

Your source code is never uploaded. The AI call either runs on your laptop as a subprocess to your installed Claude / Codex / Gemini CLI, or goes directly from your machine to your chosen provider (OpenRouter, etc.) using your own API key.

Links

  • Home: https://snitchplugin.com
  • Sign in: https://snitchplugin.com/login
  • Dashboard: https://snitchplugin.com/dashboard/github
  • Public source mirror: https://github.com/snitchplugin/snitch-cli
  • Support: [email protected]

License

Business Source License 1.1. See LICENSE. Production use requires a current Snitch subscription. Reading, evaluation, and personal use are permitted without one. Converts to Apache 2.0 four years after each release.