npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

argus-codescan

v0.4.4

Published

Security scanner for React, Next.js & Node — SCA, SAST, secrets. No Python or Homebrew. CSV reports, opengrep auto-download.

Readme

argus-codescan

Security scanner for React, Next.js, and Node.js projects. Works on Windows, macOS, and Linux — no Python, no Homebrew, no manual installs.

npm install -D argus-codescan
npx argus-codescan scan all .

npm: https://www.npmjs.com/package/argus-codescan


Install

# In your project
npm install -D argus-codescan

# Or run without adding to package.json
npx argus-codescan scan all .

Requires Node.js 18+.


Quick start

npx argus-codescan scan sca .       # dependency vulnerabilities
npx argus-codescan scan sast .      # source code (JS/TS/JSX)
npx argus-codescan scan secrets .   # leaked API keys & tokens
npx argus-codescan scan all .       # everything above
npx argus-codescan tools            # show what's bundled

Every scan writes a CSV report automatically to your working directory.


Usage by scan type

SCA — dependency scan (scan sca)

Check package.json dependencies for known CVEs (uses npm audit).

npx argus-codescan scan sca .
npx argus-codescan scan sca . --output ./reports/deps.csv

Finds: vulnerable packages (e.g. js-yaml, next, postcss, transitive deps).


SAST — source code scan (scan sast)

Scan your JavaScript / TypeScript / JSX / TSX source files.

npx argus-codescan scan sast .
npx argus-codescan scan sast ./src --fail-on high

Runs automatically (no extra install):

| Scanner | What it checks | |---------|----------------| | argus-native | SQL injection patterns, XSS, eval/exec, weak crypto, hardcoded secrets, CORS | | eslint-security | Unsafe regex, child_process, eval, prototype issues in JS/JSX | | opengrep | Auto-downloads on first scan (Semgrep-compatible deep rules, no pip) |

File types: .js .jsx .ts .tsx .mjs .cjs


Secrets scan (scan secrets)

Find hardcoded credentials in your codebase.

npx argus-codescan scan secrets .
npx argus-codescan scan secrets . --output ./reports/secrets.csv

Finds: API keys, AWS keys, private keys, passwords, tokens in source files.


Full scan (scan all)

Run SCA + SAST + secrets in one command.

npx argus-codescan scan all .
npx argus-codescan scan all . --fail-on high --output ./reports/full.csv

React / Next.js project setup

Add to package.json:

{
  "devDependencies": {
    "argus-codescan": "^0.4.4"
  },
  "scripts": {
    "security:scan": "argus-codescan scan sca . --output ./reports/deps.csv",
    "security:code": "argus-codescan scan sast . --output ./reports/code.csv",
    "security:secrets": "argus-codescan scan secrets . --output ./reports/secrets.csv",
    "security:all": "argus-codescan scan all . --output ./reports/full.csv"
  }
}

Run:

npm run security:scan      # dependencies only
npm run security:code      # source code only
npm run security:all       # full audit

Add reports/ to .gitignore if you don't want CSV files committed.


CLI options

| Option | Description | |--------|-------------| | --output, -o FILE | CSV output path (default: argus-<type>-<timestamp>.csv) | | --no-csv | Skip writing CSV file | | --format json | Print JSON to terminal instead of table | | --format csv | Print CSV to terminal | | --fail-on high | Exit code 1 if high+ findings (for CI/CD) |

Examples:

npx argus-codescan scan all . --format json
npx argus-codescan scan sast . --no-csv
npx argus-codescan scan sca . --fail-on moderate

CI/CD (GitHub Actions)

- name: Security scan
  run: |
    npm install
    npx argus-codescan scan all . --fail-on high --output ./reports/security.csv

MCP server (optional — for Cursor / Claude)

For AI-assisted scanning, use the Python MCP server:

pip install argus-scan
argus mcp

Or configure Cursor (~/.cursor/mcp.json):

{
  "mcpServers": {
    "argus": { "command": "uvx", "args": ["argus-scan", "mcp"] }
  }
}

The npm package is for direct CLI scanning in Node projects — no MCP required.


Java, PHP, Flutter, Terraform, Ansible?

This npm package is for Node / React / Next.js only.

For other languages, use the Python package:

pip install argus-languages
argus-languages scan /path/to/flutter-app
argus-languages scan /path/to/terraform

Full suite with MCP:

pip install argus-scan
argus scan code /path/to/project

Optional enhancements (not required)

| Tool | Install | Adds | |------|---------|------| | Gitleaks | gitleaks.io | Deeper secret scanning | | semgrep | pip install semgrep | Used instead of opengrep if on PATH |

Everything works without these — opengrep auto-downloads on first SAST scan.


Related packages

| Package | Install | Best for | |---------|---------|----------| | argus-codescan | npm install argus-codescan | React, Next.js, Node.js | | argus-languages | pip install argus-languages | Java, PHP, Flutter, Terraform, Ansible | | argus-scan | pip install argus-scan | Full CLI + MCP + DAST |


License

MIT — see GitHub.