bastion-scan
v0.2.2
Published
Privacy-first security checker for web projects. Zero data uploaded, actionable fixes.
Maintainers
Readme
What is this
Bastion scans your code for security issues and tells you how to fix them. It runs on your machine, never uploads your code, and works with any Node.js project.
Cursor (and other AI coding tools) help you build fast, but they regularly ship hardcoded secrets, missing headers, and injection vectors. Enterprise scanners cost £300+/mo and drown you in jargon. Bastion is the middle ground: it catches the stuff that actually matters and explains it in plain English.
Every finding comes with a prompt you can paste into Claude, ChatGPT, or Copilot to get a fix tailored to your stack.
Quick Start
# Scan your project (no install required)
npx bastion-scan scan
# Scan a live URL (headers, SSL, security.txt)
npx bastion-scan scan --url https://yourapp.com
# JSON output for CI/CD
npx bastion-scan scan --format json
# Generate security configs for your stack
npx bastion-scan scan --generate-configsIf you run scans frequently, install globally:
npm install -g bastion-scan
bastion scanTuned for Cursor users
Bastion includes detection rules tuned for patterns that Cursor's AI tends to produce: env vars exposed in client components, missing helmet middleware, Supabase service role keys leaked client-side, placeholder auth that looks real but verifies nothing. Other scanners use generic OWASP rules. Bastion knows what Cursor writes.
Works with Lovable, Replit, Bolt, v0, and any other AI coding tool too — the checks are universal.
Cursor users: add this to .cursorignore first
.gitignore stops secrets from being committed, but Cursor's codebase indexer still reads .gitignored files by default. Add a .cursorignore file to prevent Cursor from ever seeing your secrets:
.env
.env.*
*.pem
*.key
secrets/This single step prevents your keys from leaking into Cursor's context window — and into any AI-generated code that references them.
What it checks
| Check | What it does |
|-------|-------------|
| .gitignore coverage | Makes sure .env, node_modules, and keys are excluded |
| Hardcoded secrets | API keys from OpenAI, Anthropic, GitHub, Stripe, AWS, Google, Slack, and more |
| Dependency audit | Wraps npm audit and maps findings to severity levels |
| .env.example | Checks that a template exists with safe placeholder values |
| security.txt | Validates RFC 9116 Contact + Expires fields |
| Security headers | CSP, HSTS, X-Frame-Options, Referrer-Policy, and more |
| SSL/TLS | HTTPS redirect, cert validity, TLS version |
| Insecure code patterns | eval(), innerHTML, SQL concatenation, exec() |
| CORS config | Catches Allow-Origin: *, bare cors(), credential leaks |
| Rate limiting | Looks for express-rate-limit, @upstash/ratelimit, etc. |
| Auth method | Flags hand-rolled auth, suggests Clerk/Supabase/NextAuth |
| security.txt URL | Fetches and validates the remote file |
| Cookie security | Checks Set-Cookie flags: HttpOnly, Secure, SameSite |
| Server disclosure | Flags Server headers that leak software versions |
| DMARC record | Verifies email authentication policy via DNS |
Stack detection
Bastion figures out what you're running. It detects Next.js, Express, Fastify, Remix, Astro, Nuxt, SvelteKit, Hono, plus databases, auth providers, hosting, and package managers. AI prompts and config suggestions are tailored to your stack.
Output formats
Three options: terminal (colour-coded, score ring, verbose mode), JSON (for CI/CD), and markdown (writes a security-report.md).
Config generators
Bastion can output ready-to-paste configs for your stack:
helmet.jssetup for Express/Fastify- CORS policy
- Rate limiter middleware
- Next.js security headers
.gitignoreadditions
security.txt generator
Interactive CLI that walks you through creating a valid RFC 9116 security.txt:
npx bastion-scan generate security-txtCLI Usage
bastion scan [options]
Options:
-p, --path <dir> Project path (default: current directory)
-f, --format <type> Output format: terminal, json, markdown
-u, --url <url> Live URL to scan (headers, SSL, security.txt)
-v, --verbose Show fix instructions and AI prompts
--generate-configs Print security config snippets for your stack
--output-dir <dir> Write config files to directoryWeb App
The web dashboard lives at bastion.wiki.
- Security Checklist with 20 interactive items and fix panels
- OWASP 2025 guide, all 10 categories in plain language
- URL Scanner for quick header/SSL/security.txt checks
- Vulnerability Feed with current threats and AI coding risks
- Tool Recommendations, 14 curated tools with pricing info
- Stack Checklists generated for your framework + database + auth combo
- Deploy Gate that runs checks and gives a go/no-go verdict
- Security Badge you can embed in your README
Pricing
| | Free | Pro | Team | |---|---|---|---| | Price | £0 | £19/mo or £179/yr | £49/mo or £469/yr | | URL scans | Unlimited | Unlimited | Unlimited | | Security badge | — | Yes | Yes | | Compliance reports | — | — | Yes |
Annual plans save 2 months.
Security Badge
Drop this in your README to show your score:
The shield is green at 80+, yellow at 50+, red below 50. It updates when you re-scan.
GitHub Action
Add this to your CI and Bastion will scan every PR:
name: Security Scan
on: [pull_request]
jobs:
bastion:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: absastreon/bastion-action@v1
with:
path: '.'
fail-on: 'critical' # Block PRs with critical findings
format: 'markdown' # Comment results on PRScoring
You start at 100. Points come off by severity:
| Severity | Deduction | |----------|-----------| | Critical | -15 | | High | -10 | | Medium | -5 | | Low | -2 |
Floor is 0. Only fail results deduct. warn, skip, and pass don't affect the score.
Project Structure
bastion/
├── packages/
│ ├── cli/ # npx bastion-scan scan: security checks and reporters
│ ├── shared/ # Types, checklist data, OWASP data, tools
│ └── web/ # Next.js dashboard
└── docs/playbooks/ # Stack-specific security guidesContributing
PRs are welcome.
- Fork the repo
- Create a feature branch (
git checkout -b feature/amazing-check) - Write tests (Vitest, 80%+ coverage required)
- Run
npm run build && npm run lint && npm run test - Open a PR against
main
See SECURITY.md for vulnerability reporting.
License
MIT. See LICENSE.
