# checkship-cli

v0.2.0

Security scanner for AI-built apps. Check before you ship.
```
$ checkship scan
CheckShip v0.1.0
Scanning myapp...

CRITICAL (1)
  ✗ OpenAI API Key found
    src/config.js:12
    sk-pr********************3d

HIGH (2)
  ✗ SQL query with string concatenation
    src/db.js:45
    query("SELECT * FROM users WHERE id = " + id...

  ✗ Sensitive route /api/admin may lack auth
    src/routes/admin.js:8
    router.get('/api/admin', async (req, res) =>...

─────────────────────────────────────────
1 critical · 2 high · 0 medium · 0 low
Full explanations + fixes: checkship.dev
```

## Install
```bash
# Run directly with npx
npx checkship-cli scan

# Or install globally
npm install -g checkship-cli
checkship scan
```

## Usage

```bash
# Scan current directory
checkship scan

# Scan specific path
checkship scan ./my-app

# Output as JSON (for CI/scripting)
checkship scan --format=json

# Output as SARIF (for GitHub Code Scanning)
checkship scan --format=sarif > results.sarif

# Only show high and critical issues
checkship scan --severity=high

# CI mode (exits with code 1 if high/critical issues found)
checkship scan --ci

# Run specific checks only
checkship scan --check secrets/hardcoded --check sql/injection

# List all available checks
checkship list-checks

# Create config file
checkship init
```

## Security Checks

| Check | Severity | What it finds |
|-------|----------|---------------|
| secrets/hardcoded | Critical | API keys, tokens, passwords, connection strings in code |
| deps/vulnerabilities | Critical | Known CVEs in npm/pip dependencies |
| sql/injection | High | SQL queries built with string concatenation |
| auth/missing-middleware | High | Sensitive routes (/admin, /users) without auth middleware |
| auth/plain-passwords | High | Passwords stored or compared without hashing |
| config/cors-permissive | High | CORS configured to allow any origin |
| info/stack-traces | High | Error handlers exposing stack traces to users |
| ai/prompt-injection | High | User input passed directly to AI prompts |
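The table says what each check finds; the hardened counterparts of four of those patterns (sql/injection, auth/missing-middleware, config/cors-permissive, info/stack-traces) are shown below as an added example. This is not checkship-cli's own code: it is written as framework-free functions so it runs without Express, and the names `userByIdQuery`, `requireAuth`, `route`, `corsOriginFor` and `errorResponse`, the allowlist contents and the fake request/response helpers are all this example's own assumptions.

```javascript
// Added example, not checkship-cli's own code: hardened forms of four patterns the
// scanner flags, written without a web framework so they run stand-alone.

// sql/injection: keep the SQL text constant and bind the value as a parameter.
// {text, values} is the shape most Node SQL drivers accept instead of a built-up string.
function userByIdQuery(id) {
  const n = Number(id);
  if (!Number.isInteger(n) || n < 0) throw new RangeError("invalid user id");
  return { text: "SELECT * FROM users WHERE id = $1", values: [n] };
}

// auth/missing-middleware: reject unauthenticated requests, and refuse to register a
// sensitive route (/admin, /users) whose handler chain does not include the middleware.
function requireAuth(req, res, next) {
  if (!req.user) return res.status(401).json({ error: "authentication required" });
  return next();
}
const SENSITIVE = /^\/(?:api\/)?(?:admin|users)(?:\/|$)/; // assumed notion of "sensitive"
function route(table, path, ...handlers) {
  if (SENSITIVE.test(path) && !handlers.includes(requireAuth)) {
    throw new Error(`refusing to register ${path} without requireAuth`);
  }
  table[path] = handlers;
}

// config/cors-permissive: reflect only origins on an explicit allowlist, never "*".
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed allowlist
function corsOriginFor(requestOrigin) {
  return ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : null;
}

// info/stack-traces: the stack goes to the server log; the client gets a generic
// message plus a request id it can quote to support.
function errorResponse(err, requestId) {
  console.error(`[${requestId}]`, err.stack);
  return { error: "internal error", requestId };
}

// Minimal stand-ins for req/res so the middleware chain can be exercised offline.
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}
function dispatch(handlers, req) {
  const res = fakeRes();
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

const routes = {};
route(routes, "/api/admin", requireAuth, (req, res) => res.json({ ok: true }));
const anonymous = dispatch(routes["/api/admin"], {});            // 401
const authenticated = dispatch(routes["/api/admin"], { user: "alice" }); // 200
console.log(anonymous.statusCode, authenticated.statusCode, userByIdQuery("42"));
```

The `route` helper is the design point: rather than relying on a scanner to notice a missing `requireAuth`, registration itself fails closed for paths that match the sensitive pattern, so the mistake cannot reach production.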
## Configuration

Create a `.checkshiprc.json` in your project root:

```json
{
  "ignore": [
    "test/**",
    "**/*.test.ts",
    "**/*.spec.ts"
  ],
  "severity": "high",
  "exclude": ["deps/vulnerabilities"]
}
```

Or run `checkship init` to generate one.
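To make the check table and the configuration keys concrete, here is an added example (not checkship-cli's own code) of a miniature scanner: it implements three of the checks over a constructed sample project, then applies the `ignore`, `severity` and `exclude` keys from the configuration file above. The detection regexes, the masking rule, the glob subset and the sample files (including the obviously fake API key) are this example's assumptions, not the tool's real rules.

```javascript
// Added example, not checkship-cli's own code: a miniature scanner for three of the
// checks in the table, followed by the .checkshiprc.json keys from the Configuration
// section (ignore globs, severity threshold, excluded checks).
// The detection patterns are this example's assumptions, not the tool's real rules.

// Constructed sample project (path -> source). The API key value is made up.
const SAMPLE_FILES = {
  "src/config.js":
    "const client = new OpenAI({\n  apiKey: 'sk-proj-FAKEFAKEFAKEFAKEFAKEFAKE3d'\n});",
  "src/db.js":
    'function getUser(id) {\n  return query("SELECT * FROM users WHERE id = " + id);\n}',
  "src/routes/admin.js":
    "router.get('/api/admin', async (req, res) => res.json(await listUsers()));\n" +
    "router.get('/api/users', requireAuth, async (req, res) => res.json([]));",
  // A test fixture repeating the SQL pattern; the config below ignores test/**.
  "test/db.test.ts": 'query("SELECT * FROM users WHERE id = " + id);',
};

// Report secrets masked (first 5 and last 2 characters), as the sample output does.
function mask(secret) {
  return secret.slice(0, 5) + "*".repeat(Math.max(0, secret.length - 7)) + secret.slice(-2);
}

const CHECKS = [
  {
    id: "secrets/hardcoded", severity: "critical",
    // A quoted literal shaped like an OpenAI key: "sk-" plus 20 or more token characters.
    pattern: /['"`](sk-[A-Za-z0-9_-]{20,})['"`]/,
    title: () => "OpenAI API Key found",
    snippet: (m) => mask(m[1]),
  },
  {
    id: "sql/injection", severity: "high",
    // A string literal that starts with a SQL verb and is immediately concatenated with "+".
    pattern: /["'`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"'`]*["'`]\s*\+/i,
    title: () => "SQL query with string concatenation",
    snippet: (m, line) => line.trim(),
  },
  {
    id: "auth/missing-middleware", severity: "high",
    // An /admin or /users route whose handler follows the path directly (no middleware argument).
    pattern: /router\.(?:get|post|put|delete)\(\s*['"`]([^'"`]*\/(?:admin|users)\b[^'"`]*)['"`]\s*,\s*(?:async\s*)?\(/,
    title: (m) => `Sensitive route ${m[1]} may lack auth`,
    snippet: (m, line) => line.trim(),
  },
];

// Run every check against every line; one finding per (check, line) match.
function scan(files, checks = CHECKS) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    source.split("\n").forEach((line, index) => {
      for (const check of checks) {
        const m = check.pattern.exec(line);
        if (m) findings.push({ check: check.id, severity: check.severity, title: check.title(m),
                               path, line: index + 1, snippet: check.snippet(m, line) });
      }
    });
  }
  return findings;
}

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Just enough glob support for "ignore": "**" spans directories, "*" stays inside one segment.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      re += ".*";
      i++;
      if (glob[i + 1] === "/") i++; // "**/" also matches zero directories
    } else if (c === "*") {
      re += "[^/]*";
    } else {
      re += c.replace(/[.+?^${}()|[\]\\]/, "\\$&");
    }
  }
  return new RegExp("^" + re + "$");
}

// Apply the three configuration keys: ignore (paths), severity (threshold), exclude (check ids).
function applyConfig(findings, config) {
  const ignored = (config.ignore || []).map(globToRegExp);
  const excluded = new Set(config.exclude || []);
  const threshold = SEVERITY_RANK[config.severity || "low"];
  return findings.filter((f) => !excluded.has(f.check)
    && SEVERITY_RANK[f.severity] >= threshold
    && !ignored.some((re) => re.test(f.path)));
}

// The configuration file shown above, as a literal.
const README_CONFIG = {
  ignore: ["test/**", "**/*.test.ts", "**/*.spec.ts"],
  severity: "high",
  exclude: ["deps/vulnerabilities"],
};

const kept = applyConfig(scan(SAMPLE_FILES), README_CONFIG); // 3 findings; the test fixture is ignored
for (const f of kept) console.log(`[${f.severity}] ${f.title}\n  ${f.path}:${f.line}\n  ${f.snippet}`);
```

Two things worth noticing: the `ignore` globs are anchored to the project root (so `test/**` does not silence `src/test/`), and the secret value never reaches the report unmasked, which matters when scan output ends up in CI logs.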
## CI Integration

### GitHub Actions

```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run CheckShip
        run: npx checkship-cli scan --ci
```

### With GitHub Code Scanning (SARIF)

```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Run CheckShip
        run: npx checkship-cli scan --format=sarif > results.sarif
        continue-on-error: true
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

## Exit Codes
| Code | Meaning |
|------|---------|
| 0 | No issues found (or none above threshold) |
| 1 | High or critical issues found (in --ci mode) |
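The SARIF workflow above and the exit-code table describe two ways a scan result leaves the tool. As an added example (not checkship-cli's own code, whose actual SARIF and JSON layouts this page does not document), the block below converts a constructed set of findings, mirroring the three issues in the sample output, into a SARIF 2.1.0 log of the kind `github/codeql-action/upload-sarif` ingests, and computes the `--ci` exit code from the table. The finding object shape, the severity-to-level mapping and the fingerprint key are this example's assumptions.

```javascript
// Added example, not checkship-cli's own code: findings -> SARIF 2.1.0 log, plus the
// --ci exit code. The finding shape below is constructed for this example.

// Constructed findings mirroring the three issues in the sample `checkship scan` output.
const FINDINGS = [
  { check: "secrets/hardcoded", severity: "critical", title: "OpenAI API Key found",
    path: "src/config.js", line: 12, snippet: "sk-pr********************3d" },
  { check: "sql/injection", severity: "high", title: "SQL query with string concatenation",
    path: "src/db.js", line: 45, snippet: 'query("SELECT * FROM users WHERE id = " + id' },
  { check: "auth/missing-middleware", severity: "high", title: "Sensitive route /api/admin may lack auth",
    path: "src/routes/admin.js", line: 8, snippet: "router.get('/api/admin', async (req, res) =>" },
];

// SARIF results carry one of three levels; fold the scanner's four severities onto them.
const SARIF_LEVEL = { critical: "error", high: "error", medium: "warning", low: "note" };

function toSarif(findings, toolName = "CheckShip", toolVersion = "0.2.0") {
  // One rule per distinct check id; each result references its rule by id.
  const byCheck = new Map(findings.map((f) => [f.check, f]));
  const rules = [...byCheck.values()].map((f) => ({
    id: f.check,
    name: f.check,
    shortDescription: { text: f.check },
    defaultConfiguration: { level: SARIF_LEVEL[f.severity] },
  }));
  const results = findings.map((f) => ({
    ruleId: f.check,
    level: SARIF_LEVEL[f.severity],
    message: { text: `${f.title}: ${f.snippet}` },
    locations: [{
      physicalLocation: {
        // Paths are relative to the checked-out repository root.
        artifactLocation: { uri: f.path, uriBaseId: "%SRCROOT%" },
        region: { startLine: f.line },
      },
    }],
    // A stable fingerprint lets Code Scanning recognise the same alert across runs
    // even when line numbers shift; the key name here is this example's choice.
    partialFingerprints: { checkshipExample: `${f.check}:${f.path}` },
  }));
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: toolName, version: toolVersion, rules } }, results }],
  };
}

// --ci semantics from the Exit Codes table: 1 when any finding is at or above the
// threshold (high by default), otherwise 0.
function exitCode(findings, threshold = "high") {
  const rank = { low: 0, medium: 1, high: 2, critical: 3 };
  return findings.some((f) => rank[f.severity] >= rank[threshold]) ? 1 : 0;
}

// What `--format=sarif > results.sarif` would write, and what `--ci` would exit with.
console.log(JSON.stringify(toSarif(FINDINGS), null, 2));
console.log("exit code:", exitCode(FINDINGS)); // 1
```

Note the interaction with the SARIF workflow above: `continue-on-error: true` keeps the job green so the upload step always runs, which means the gate in that setup is the Code Scanning alert, not the exit code; a separate `--ci` run is what actually fails the build.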
## Supported Languages

- JavaScript/TypeScript - Full support (secrets, SQL injection, auth, passwords, npm audit)
- Python - Partial support (secrets, pip audit)

## What's Next

This is the open source CLI. For friendly explanations, fix instructions, and shareable reports, check out checkship.dev.

## License

MIT
