ai-scanner

v1.1.0

CLI tool to scan codebases for LLM SDK usage, AI frameworks, and exposed API tokens

Readme

A powerful CLI tool that scans your codebase to detect LLM SDK usage, AI framework integrations, exposed API tokens, and hardcoded secrets — all in one command.

Zero dependencies. 145 detection patterns. Works with Node.js 18+.

Features

  • LLM SDK Detection — OpenAI, Anthropic, Google Gemini, Cohere, Mistral, Groq, Replicate, Together AI, AWS Bedrock, Azure OpenAI, Ollama, LiteLLM, DeepSeek, and more
  • AI Framework Detection — LangChain, LlamaIndex, Haystack, AutoGen, CrewAI, Vercel AI SDK, DSPy, Semantic Kernel, LangGraph, vLLM, and more
  • AI Token Scanning — Detects hardcoded keys for OpenAI (sk-), Anthropic (sk-ant-), Hugging Face (hf_), Google (AIzaSy), AWS (AKIA), Groq (gsk_), Replicate (r8_), LangSmith (ls__), and more
  • Generic Secret Scanning — Stripe, Twilio, SendGrid, GitHub, GitLab, Slack, Discord, Telegram, database URIs, private keys (RSA/SSH/PGP), JWTs, and 50+ more patterns
  • Smart Filtering — Ignores .env files (they're meant to hold secrets) and filters out SDK/framework mentions in READMEs, docs, and example files
  • Model Reference Detection — Spots references to GPT-4, Claude, Gemini, Llama, Mistral, and other models
  • API Endpoint Detection — Finds direct API calls to LLM providers
  • Multiple Output Formats — Rich console output, JSON, and SARIF (for CI/CD)
  • Jupyter Notebook Support — Parses .ipynb files to scan code cells
  • Token Masking — Automatically masks detected secrets in output for safety

Quick Start

# Run directly with npx (no install needed)
npx ai-scanner ./my-project

# Or install globally
npm install -g ai-scanner
ai-scanner ./my-project

Usage

# Scan current directory (AI + generic secrets)
ai-scanner

# Scan a specific directory
ai-scanner ./my-project

# Security-focused: only scan for exposed tokens & secrets
ai-scanner --tokens-only

# AI patterns only (skip Stripe, GitHub tokens, etc.)
ai-scanner --ai-only

# Include .env files in scan (skipped by default)
ai-scanner --scan-env

# Output as JSON
ai-scanner --json

# Save JSON report
ai-scanner -o report.json

# Save SARIF report (GitHub Actions, VS Code, etc.)
ai-scanner --sarif results.sarif

# CI mode: exit with code 1 if critical/high findings
ai-scanner --exit-code

# Skip endpoint/model detection for faster scan
ai-scanner --no-endpoints --no-models

# Combine options
ai-scanner ./src --tokens-only --exit-code --json

Smart Filtering

ai-scanner is context-aware and avoids noisy false positives:

| File type | SDK/Framework mentions | Exposed tokens & secrets |
|---|---|---|
| Source code (.js, .py, .go, etc.) | ✅ Reported | ✅ Reported |
| README, docs, markdown | ❌ Ignored (just documentation) | ✅ Reported |
| examples/, samples/, docs/ dirs | ❌ Ignored (just examples) | ✅ Reported |
| .env files | ❌ Skipped by default | ❌ Skipped by default |
| .env files with --scan-env | — | ✅ Reported |

This means scanning a project like an LLM gateway — which naturally references many SDKs in its README and examples — won't flood you with 100+ informational findings.

CI/CD Integration

GitHub Actions

- name: Scan for exposed tokens & secrets
  run: npx ai-scanner --tokens-only --exit-code --sarif results.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Pre-commit Hook

# .husky/pre-commit
npx ai-scanner --tokens-only --exit-code

Severity Levels

| Level | Meaning | Example |
|-------|---------|---------|
| 🚨 CRITICAL | Exposed key with known prefix | sk-ant-abc123..., sk_live_..., ghp_... |
| ⚠️ HIGH | Likely hardcoded credential | api_key = "...", JWT tokens, DB connection strings |
| ℹ️ INFO | SDK/framework usage (awareness) | import openai |

Supported Detections

AI Tokens (20+)

OpenAI keys, Anthropic keys, Google AI keys, HuggingFace tokens, Cohere keys, Replicate tokens, Groq keys, Mistral keys, AWS access keys, LangSmith keys, Fireworks keys, W&B keys, Bearer tokens, Authorization headers

Generic Secrets (59 patterns)

| Category | Detections |
|---|---|
| Payment | Stripe (live, restricted, webhook), Square, PayPal Braintree |
| Communication | Twilio, SendGrid, Mailgun, Mailchimp, Postmark |
| Source Control | GitHub (PAT, fine-grained, OAuth, app), GitLab, Bitbucket, CircleCI |
| Cloud | GCP service accounts, DigitalOcean, Heroku, Vercel, Netlify, Cloudflare |
| Messaging | Slack (bot, user, webhook), Discord (bot, webhook), Telegram |
| Database | Postgres/MySQL/MongoDB/Redis/AMQP URIs, Supabase, Firebase, PlanetScale |
| Auth | Auth0, Okta, Clerk |
| Monitoring | Datadog, Sentry DSN, New Relic, Segment, Mixpanel |
| Crypto | RSA, EC, DSA, SSH, PGP private keys |
| Generic | Passwords, client secrets, connection strings, JWTs |

LLM SDKs (23)

OpenAI, Anthropic, Google Generative AI, Vertex AI, Cohere, Mistral, Hugging Face, Replicate, Together AI, Groq, AWS Bedrock, Azure OpenAI, Ollama, LiteLLM, Fireworks AI, Perplexity, DeepSeek

AI Frameworks (24)

LangChain, LangGraph, LangSmith, LlamaIndex, Haystack, AutoGen, CrewAI, Semantic Kernel, Vercel AI SDK, DSPy, Guidance, Instructor, Chainlit, Flowise, Embedchain, Promptflow, Spring AI, vLLM, TensorRT-LLM, MLflow, Weights & Biases, Smolagents

Examples

Scan any public GitHub repo:

git clone --depth 1 https://github.com/user/repo /tmp/repo
npx ai-scanner /tmp/repo

Or use the helper scripts in examples/ — GitHub repo scanner, batch scanning, pre-commit hooks, GitHub Actions workflow, and using ai-scanner as a Node.js library.

Contributing

Contributions are welcome! See CONTRIBUTING.md for guidelines.

The easiest way to contribute is adding new detection patterns — see the guide for the pattern format.

License

MIT