npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ciphernest

v0.8.8

Published

AI-aware security scanner for VS Code — code vulnerabilities, LLM risks, secrets, dependencies, MCP & agent security

Readme

CipherNest

Open Source AI Application Security Platform

Version License OWASP Node

Most security tools were built before AI agents existed.
CipherNest was built for the world where your code ships with an LLM attached to a database.


Why CipherNest?

Most security tools stop at source code.

CipherNest secures the entire AI application stack.

| Layer | Coverage | | ---------------------------- | -------- | | Application Code | ✓ | | AI Prompts | ✓ | | AI Agents | ✓ | | MCP Servers | ✓ | | Secrets & Credentials | ✓ | | Dependencies & Supply Chain | ✓ | | GitHub Actions & CI/CD | ✓ | | Docker & Containers | ✓ | | Kubernetes | ✓ | | Infrastructure as Code | ✓ | | Runtime MCP Tool Calls | ✓ | | Attack Chains & Threat Paths | ✓ |

from a single security engine.


Comparison

| Feature | CipherNest | Semgrep | Snyk | SonarQube | | ------------------- | ---------- | ------- | ------- | --------- | | Code Security | ✓ | ✓ | ✓ | ✓ | | LLM Security | ✓ | ✗ | Partial | ✗ | | MCP Security | ✓ | ✗ | ✗ | ✗ | | Agent Security | ✓ | ✗ | ✗ | ✗ | | Prompt Injection | ✓ | ✗ | ✗ | ✗ | | Attack Graphs | ✓ | Partial | Partial | ✗ | | Runtime MCP Gateway | ✓ | ✗ | ✗ | ✗ | | Security Benchmark | ✓ | ✗ | ✗ | ✗ |


Quick start

npx ciphernest scan .
ciphernest benchmark .

Add CipherNest to any AI agent through MCP:

{
  "mcpServers": {
    "ciphernest": {
      "command": "npx",
      "args": ["-y", "@ciphernest/mcp-server"]
    }
  }
}

What CipherNest covers

| Layer | What it scans | | ---------------- | ---------------------------------------------------------------------------------------------- | | Code | OWASP Top 10 — SQLi, XSS, eval, path traversal, XXE, SSRF, RCE | | LLM / AI | OWASP LLM Top 10 — prompt injection, excessive agency, insecure output, training poisoning | | Secrets | 21 provider patterns — OpenAI, AWS, GitHub, Stripe, Anthropic, GCP, Twilio, SendGrid | | Dependencies | CVE lookup via OSV.dev for npm and pip | | MCP configs | Dangerous tool permissions, wildcard grants, missing auth in Claude/Cursor/Cline configs | | AI Agents | LangChain, CrewAI, AutoGen, OpenAI Agents — tool over-permissioning, missing human-in-the-loop | | Supply chain | Typosquat detection, install script analysis, lockfile integrity, dependency confusion | | CI/CD | GitHub Actions and GitLab CI — script injection, unpinned actions, secret leaks | | Docker | Dockerfile hardening — root user, secrets in layers, privileged mode | | IaC | Terraform, CloudFormation, Kubernetes — public S3, open security groups, unencrypted storage |


Run anywhere

CipherNest is a monorepo. All scanner logic lives once in @ciphernest/core. Every client is a thin wrapper.

CLI

npx ciphernest scan .
  ╔═══════════════════════════════╗
  ║   CipherNest Security Scanner  ║
  ╚═══════════════════════════════╝

── CODE ──────────────────────────────
[CRITICAL] CODE001  Dangerous eval()
  src/api.ts:42
  Fix: Replace eval() with JSON.parse() or safer alternatives

── SECRET ──────────────────────────────
[CRITICAL] SEC001  OpenAI API Key
  config.ts:7  sk-proj-ab***REDACTED***

── LLM ──────────────────────────────
[HIGH    ] LLM001  Direct Prompt Injection Risk
  src/chat.ts:18

12 finding(s)  6 critical  6 high  0 medium

Security Grade: C  (score: 65/100)
✅ PASS — no findings at or above high severity

Options:

ciphernest scan .                          # table output (default)
ciphernest scan . --format json            # JSON output
ciphernest scan . --format sarif           # SARIF for GitHub Code Scanning
ciphernest scan . --severity high          # only high and above
ciphernest scan . --fail-on critical       # exit 1 only on critical
ciphernest scan . --no-llm --no-agent      # skip specific scanners
ciphernest scan . --no-docker --no-iac     # skip infrastructure scanners

GitHub Action

- name: CipherNest Security Scan
  uses: ciphernest/scan-action@v1

- name: Upload SARIF to Code Scanning
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: ciphernest-results.sarif

On every pull request, CipherNest posts:

  • Inline annotations in the diff (red for critical/high, yellow for medium)
  • A PR comment with the security grade and scanner breakdown
  • A SARIF file for GitHub Code Scanning integration
## 🟠 CipherNest Security Scan

Security Grade: B  (82/100)

| Severity | Count |
|----------|-------|
| 🔴 Critical | 0 |
| 🟠 High | 2 |
| 🟡 Medium | 5 |

### Top Findings

| Rule     | Severity | Name                      | Location        |
|----------|----------|---------------------------|-----------------|
| `LLM001` | 🟠 high  | Direct Prompt Injection   | `chat.ts:18`    |
| `CICD002`| 🟠 high  | Unpinned GitHub Action    | `ci.yml:14`     |

Action inputs:

- uses: ciphernest/scan-action@v1
  with:
    path: "." # directory to scan (default: .)
    severity: "low" # minimum severity to report (default: low)
    fail-on: "high" # exit 1 if any finding at this level (default: high)
    post-pr-comment: "true"
    sarif-output: "ciphernest-results.sarif"
    github-token: ${{ secrets.GITHUB_TOKEN }}

Action outputs: findings-count, critical-count, high-count, security-grade, sarif-file

MCP Server

Add CipherNest to any AI agent — Claude Desktop, Cursor, Windsurf, LangGraph, Mastra, OpenAI Agents:

{
  "mcpServers": {
    "ciphernest": {
      "command": "npx",
      "args": ["-y", "@ciphernest/mcp-server"]
    }
  }
}

Available tools:

| Tool | Description | | -------------------- | ----------------------------------------------------------------------- | | scan_repository | Full scan of a local directory — all scanners, returns grade + findings | | scan_code | Scan a code snippet for OWASP Top 10 vulnerabilities | | scan_llm_code | Scan LLM/agent code for OWASP LLM Top 10 risks | | scan_secrets | Detect hardcoded secrets and credentials | | scan_mcp_config | Audit an MCP server config for dangerous permissions | | scan_agent_code | Audit agent tool registrations for excessive permissions | | scan_cicd | Scan CI/CD pipeline files for supply chain risks | | scan_docker | Scan Dockerfiles for root user, secrets in layers, unpinned tags | | scan_iac | Scan Terraform/CloudFormation/K8s for public S3, open SGs, IAM * | | get_security_score | Compute score and grade from a finding list |

VS Code Extension

Install from the marketplace or:

code --install-extension ciphernest-0.8.8.vsix

Findings appear inline as diagnostics. Open the CipherNest sidebar for the tree view, score, and attack graph.


Architecture

flowchart LR

    A[VS Code / CLI / GitHub / MCP] --> B[CipherNest Core Engine]

    B --> C[Code Security]
    B --> D[LLM Security]
    B --> E[Secrets Detection]
    B --> F[Dependency Security]
    B --> G[MCP Security]
    B --> H[AI Agent Security]
    B --> I[CI/CD Security]
    B --> J[Container & IaC Security]

    C --> K[Analysis & Correlation]
    D --> K
    E --> K
    F --> K
    G --> K
    H --> K
    I --> K
    J --> K

    K --> L[Risk Scoring]
    K --> M[Policy Engine]
    K --> N[Attack Graphs]

    L --> O[Findings Store]
    M --> O
    N --> O

    O --> P[CLI Reports]
    O --> Q[SARIF / JSON]
    O --> R[PR Comments]
    O --> S[SBOM Reports]

    T[LLMs, NVD, OSV, GitHub, Registries] <--> B

    U[AI Agents / Cursor / Claude]
        <--> V[CipherNest MCP Gateway]
        <--> W[MCP Servers]

Every product surface uses the same scanner, rules, scoring, policy, and attack-graph engine.

packages/
├── core/             @ciphernest/core — single source of truth for all scan logic
│   └── src/
│       ├── engine.ts        SecurityEngine orchestrator (9 scanners)
│       ├── types.ts         Finding, SecurityScore, Severity, ScanInput
│       ├── rules/           codeRules, llmRules, secretRules, agentRules
│       ├── scanners/        All scanners (vscode-agnostic)
│       ├── scoring/         scoreEngine — A–F grade
│       ├── policy/          policyEngine — .ciphernest.json
│       ├── attackGraph/     graphBuilder — Mermaid diagrams
│       └── npmShield/       supply chain scanner
│
├── cli/              ciphernest — npm binary + fixture benchmark runner
├── github-action/    ciphernest/scan-action — SARIF + PR comments
├── mcp-server/       @ciphernest/mcp-server — 10 MCP tools for AI agents
└── mcp-gateway/      @ciphernest/mcp-gateway — runtime proxy, block rules, audit log

src/                  VS Code extension — thin adapters over @ciphernest/core

Policy as code

Configure with .ciphernest.json at the project root:

{
  "version": 1,
  "severityThreshold": "low",
  "enabledScanners": [
    "code",
    "llm",
    "secret",
    "dependency",
    "mcp",
    "agent",
    "docker",
    "iac",
    "cicd",
  ],
  "disabledRules": ["CODE014"],
  "severityOverrides": { "SEC010": "high" },
  "excludePatterns": ["**/node_modules/**", "**/*.test.ts"],
  "ciFailThreshold": "high",
  "ciMaxFindings": 0,
  "complianceFrameworks": ["gdpr", "hipaa", "pci", "dpdp"],
  "approvedLLMProviders": ["openai", "anthropic"],
  "autoScanOnOpen": true,
}

Generate a scaffold: CipherNest: Create .ciphernest.json Policy


Scoring

| Grade | Score | Meaning | | ----- | ------ | ---------------------- | | A | 90–100 | Production-ready | | B | 75–89 | Minor issues | | C | 60–74 | Review before shipping | | D | 40–59 | Significant risk | | F | 0–39 | Block deployment |

Per-finding deductions: Critical = 25 pts · High = 10 pts · Medium = 4 pts · Low = 1 pt

Per-scanner caps (max total deduction per bucket): Code/Secrets = 30 · LLM/Docker/IaC = 25 · Dependency/Agent/CI-CD = 20 · MCP = 15

The overall score is the average across active scanners only — disabled scanners are excluded from the average, so running fewer scanners does not inflate your grade.


Benchmark results

Run the AI application security benchmark against your project:

ciphernest benchmark .

Run the detection benchmark against known-bad fixture code:

ciphernest benchmark --fixtures owasp-llm10      # OWASP LLM Top 10 (10 cases)
ciphernest benchmark --fixtures owasp-top10       # OWASP Web Top 10 (7 cases)
ciphernest benchmark --fixtures infrastructure    # Docker / IaC / CI-CD (10 cases)

Each fixture run writes the vulnerable code to a temp file, runs the actual scanner, and checks whether the expected rule ID fires — no hardcoded scores.

Example project benchmark output:

Prompt Injection Score      91  ████████████████████░  A
Agent Security Score        88  ████████████████████░  B+
MCP Security Score          93  █████████████████████  A
Supply Chain Score          84  ████████████████████░  B
Infrastructure Score        81  ███████████████████░░  B-

Overall Security Score      87  Grade: B+

Rule reference

| ID | Name | Severity | | ----------- | -------------------------------------------------- | ----------- | | CODE001 | eval() — arbitrary code execution | Critical | | CODE002 | exec() with dynamic input — OS command injection | Critical | | CODE003 | String concatenation in SQL — SQL injection | Critical | | CODE004 | innerHTML with dynamic content — XSS | High | | CODE005 | Unsafe object merge — prototype pollution | High | | CODE006 | Unvalidated file path — path traversal | High | | CODE007 | Math.random() — not cryptographically secure | Medium | | CODE008 | Hardcoded password | Critical | | CODE009 | TLS verification disabled | High | | CODE010 | MD5/SHA1 — broken hash algorithm | Medium | | CODE011 | Unsafe XML parsing — XXE | High | | CODE015 | Wildcard CORS | High | | CODE016–020 | SSRF, CSRF, race condition, ReDoS, open redirect | Medium–High |

| ID | Name | OWASP LLM | Severity | | ------ | ------------------------------------------------- | --------- | -------- | | LLM001 | Prompt injection — unsanitized user input | LLM01 | Critical | | LLM002 | Insecure output handling — raw response to client | LLM02 | High | | LLM004 | Raw LLM output rendered as HTML | LLM02 | High | | LLM005 | PII/key in prompt | LLM06 | High | | LLM007 | Agent with unrestricted file write | LLM08 | Critical | | LLM008 | Agent with database write/delete | LLM08 | Critical | | LLM011 | LangChain agent without tool restrictions | LLM08 | High | | LLM014 | AutoGen agent missing human approval | LLM08 | High | | LLM018 | Shadow AI — unapproved LLM provider | LLM09 | Medium |

OpenAI · Anthropic · AWS · Google · GitHub · Stripe · Slack · Twilio · SendGrid · Mailgun · Cloudflare · HuggingFace · Pinecone · Weaviate · MongoDB Atlas · Generic high-entropy secret

| ID | Name | Severity | | ------- | ------------------------------------------- | -------- | | CICD001 | pull_request_target with code checkout | Critical | | CICD002 | Unpinned action (@main, @latest) | Critical | | CICD003 | Script injection via github.event context | High | | CICD004 | Secret exposed in run: command | High | | CICD005 | permissions: write-all | Critical |

Docker: FROM :latest · Running as root · Secret in ENV/ARG · --privileged flag · Missing HEALTHCHECK

IaC: S3 public ACL · Security group 0.0.0.0/0 · RDS publicly accessible · No encryption at rest · IAM * wildcard · K8s privileged pod


Platform roadmap and extensions

GitHub App

Not an Action — an App. Inline PR comments per finding, like CodeQL and SonarQube:

LLM001 — Prompt Injection Risk

User input passed to LLM without sanitization on line 42.
Attacker can override system instructions and gain tool access.

Suggested fix:
  sanitizeInput(userMessage) before passing to chain.invoke()

Runtime MCP Gateway

@ciphernest/mcp-gateway is a security-aware proxy that sits between an AI agent and any MCP server. It intercepts every tool call at runtime, applies configurable block rules, and logs all activity — without changing a line of agent code.

Agent
  ↓
CipherNest Gateway  ← intercepts every tool call
  ↓  allow / block / flag
MCP Server(s)

Add it to your Claude Desktop (or any MCP host) config:

{
  "mcpServers": {
    "ciphernest-gateway": {
      "command": "npx",
      "args": ["-y", "@ciphernest/mcp-gateway"],
      "env": {
        "CIPHERNEST_GATEWAY_SERVERS": "{\"filesystem\":{\"command\":\"npx\",\"args\":[\"-y\",\"@modelcontextprotocol/server-filesystem\",\"/workspace\"]}}"
      }
    }
  }
}

Default block rules (all configurable via CIPHERNEST_GATEWAY_POLICY env var):

| Rule | Blocks | | ----------------------- | ------------------------------------------------------------- | | blockDestructive | delete_file, bash, rm, shell, exec, drop_table, … | | blockDataExfiltration | URLs matching webhook.site, ngrok.io, pipedream.net, … | | blockSqlInjection | SQL injection patterns in tool arguments | | blockCommandInjection | OS command injection in tool arguments | | Prompt injection (warn) | Flags but does not block — returns riskLevel: "high" | | Path traversal | /../ patterns in path arguments |

Gateway built-in tools exposed to the agent:

| Tool | Description | | -------------------- | -------------------------------------------- | | gateway_inspect | Test any tool call against the active policy | | gateway_audit_log | Read the last N audit log entries | | gateway_list_rules | List all active block rules and their status |

Audit log is written to ~/.ciphernest/gateway-audit.jsonl.

Security Reasoning Engine

Move from rules → findings to rules → findings → explanation:

Current:  LLM001 detected at chat.ts:42

Future:   Prompt injection at chat.ts:42.
          Attacker controlling user_input can override the system prompt,
          gain access to the file_write tool registered at agents.ts:17,
          and exfiltrate /etc/passwd via the HTTP callback in tools.ts:91.
          Business impact: complete agent compromise, data breach.

Marketplace rules (packages/rules)

Rules extracted into a standalone package so the community can contribute and enterprises can buy packs:

npm install @ciphernest/rules-enterprise
npm install @ciphernest/rules-hipaa
npm install @ciphernest/rules-pci

Security


Triage and suppression

Suppress a false positive with a tracked reason:

CipherNest: Suppress Finding

All suppressions are stored in .ciphernest-suppressions.json and visible in the triage report. The audit log captures every suppression with timestamp and author.


License

MIT © Vairamuthu