badgr-security-scan
v0.1.0
Published
Local-first scan for leaked secrets, unsafe defaults, prompt injection, and dangerous agent tools.
Maintainers
Readme
badgr-security-scan
Scan code, configs, and agent prompts for obvious security risks — leaked secrets, unsafe defaults, prompt injection, and dangerous tool permissions.
npx badgr-security-scan --text "$(cat src/config.ts)"Free. No signup required. Runs entirely on your machine — nothing is sent anywhere.
The problem it solves
AI agents and LLM apps have a new class of security risks: leaked API keys in prompts, exec() calls in agent tools, and prompt injection phrases that hijack agent behavior. Standard linters don't catch these. badgr-security-scan does — in one command, with no setup.
Quick start
# Scan a code snippet
npx badgr-security-scan --text "API_KEY=sk_live_abc123 const client = new OpenAI()"
# Scan a file
npx badgr-security-scan --text "$(cat src/agent.ts)"
# Machine-readable JSON (for CI or pre-commit hooks)
npx badgr-security-scan --text "$(cat src/agent.ts)" --json
# Skip prompt injection checks
npx badgr-security-scan --text "$(cat src/config.ts)" --no-prompt-injectionCLI flags
| Flag | Description |
|------|-------------|
| --text <str> | Text or code snippet to scan (required) |
| --no-prompt-injection | Skip prompt injection pattern checks |
| --json | Output machine-readable JSON |
Exit codes: 0 = no blocking risks found, 1 = risks found
What it checks
| Category | What it looks for | Example |
|---|---|---|
| secret | API keys, tokens, or secrets with 16+ char values | API_KEY=sk_live_abc123456789 |
| unsafe-default | Auth bypasses and TLS disabled | rejectUnauthorized: false, disableAuth |
| dangerous-tool | Shell execution in agent tool code | exec(), child_process, rm -rf |
| prompt-injection | Phrases that hijack agent behavior | "Ignore previous instructions", "exfiltrate" |
Example output
badgr-security-scan
✗ secret API key or token found: API_KEY=sk_live_... (truncated)
✗ dangerous-tool exec() call detected — dangerous in agent tool context
✓ unsafe-default No unsafe auth defaults found
✓ prompt-injection No injection phrases found
2 risks found. Review before deploying.badgr-security-scan
✓ secret No leaked secrets found
✓ unsafe-default No unsafe auth defaults found
✓ dangerous-tool No dangerous tool patterns found
✓ prompt-injection No injection phrases found
All checks passed.TypeScript API
import { runSecurityScan } from "badgr-security-scan";
const result = runSecurityScan({
text: sourceCode,
includePromptInjectionChecks: true, // default: true
});
console.log(result.checks);
// [
// { status: "fail", label: "secret", detail: "API key found: API_KEY=sk_live_..." },
// { status: "pass", label: "unsafe-default", detail: "No unsafe auth defaults found" },
// ...
// ]
if (!result.checks.every(c => c.status === "pass")) {
process.exit(1);
}Types:
interface SecurityScanOptions {
text: string;
includePromptInjectionChecks?: boolean; // default: true
}
interface SecurityScanResult {
checks: DiagnosticCheck[];
report: JsonReport;
}Use in CI / pre-commit
GitHub Actions:
- name: Security scan
run: npx badgr-security-scan --text "$(cat src/agent.ts)" --jsonPre-commit hook (.husky/pre-commit):
npx badgr-security-scan --text "$(git diff --cached --unified=0)" --jsonRequirements
- Node.js 18+
