
© 2026 – Pkg Stats / Ryan Hefner

codeproof v1.3.4
CodeProof CLI
Downloads: 50

Readme

CodeProof CLI

CodeProof is a security-focused CLI that scans your codebase, blocks risky commits, and reports findings to a server-backed dashboard.

Features

  • Run security scans on staged or full files.
  • Enforce commit safety with configurable rules.
  • Generate local reports and optionally sync them to the server.
  • Usage tracking with monthly limits (free tier default 50 runs).

Installation

Use npx (recommended):

npx codeproof init

Or install globally:

npm install -g codeproof
codeproof init

Quick Start

  1. Initialize in a Git repo:
codeproof init
  2. Run a scan:
codeproof run
  3. View reports in the dashboard (requires server):
codeproof report@dashboard

Commands

  • init: Initialize CodeProof in the current Git repo.
  • run: Run a security scan based on your config.
  • report@dashboard: Send latest report and show dashboard link.
  • move-secret: Move high-risk secrets to .env safely.
  • ignore: Temporarily disable commit enforcement.
  • apply: Re-enable commit enforcement.
  • whoami: Show the local clientId.
  • help: Show CLI help.

Configuration

CodeProof uses codeproof.config.json at the repo root.

Example:

{
	"projectId": "<uuid>",
	"projectType": "Node",
	"scanMode": "staged",
	"enforcement": "enabled",
	"aiPromptScanner": {
		"enabled": true,
		"useGemini": true
	},
	"features": {
		"reporting": true,
		"integration": true,
		"aiEscalation": false,
		"secretRemediation": false
	},
	"integration": {
		"enabled": true,
		"endpointUrl": "http://127.0.0.1:4000/api/reports"
	}
}

Usage Limits (Server-Enforced)

CodeProof enforces monthly run limits on the server.

  • Default plan: free
  • Default monthly limit: 50
  • The CLI checks usage before each run
  • If the server is unreachable, the CLI fails closed and stops the run

API Base Override

By default the CLI uses http://127.0.0.1:4000/api for usage checks. Override it with the CODEPROOF_API_BASE environment variable (Windows cmd syntax shown; POSIX shells use export instead of set):

set CODEPROOF_API_BASE=http://your-server:4000/api
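The two sections above describe a usage check that fails closed when the server cannot be reached and an API base that can be overridden through CODEPROOF_API_BASE. The following is an added example of how such a client-side check can be structured; it is not CodeProof's own code. The /usage endpoint path, the clientId query parameter and the response shape ({ used, limit, plan }) are assumptions made for illustration, and the decision logic is separated from the network call so that every outcome (timeout, connection error, non-200 status, malformed body, limit reached) can be exercised without a server.

```javascript
// Added example of a fail-closed usage gate; not CodeProof's code. Endpoint
// path, query parameter and response fields are assumed for illustration.

const DEFAULT_API_BASE = 'http://127.0.0.1:4000/api';
const DEFAULT_MONTHLY_LIMIT = 50; // free-tier default from the README

function resolveApiBase(env) {
  // CODEPROOF_API_BASE overrides the default; trailing slashes are trimmed
  // so that path joining below is predictable.
  const base = (env.CODEPROOF_API_BASE || DEFAULT_API_BASE).trim();
  return base.replace(/\/+$/, '');
}

function decideRun(outcome, defaultLimit = DEFAULT_MONTHLY_LIMIT) {
  // outcome is { ok: true, status, body } for an HTTP reply, or
  // { ok: false, error } when the request failed or timed out.
  // Anything we cannot positively interpret as "under the limit" is a denial:
  // the CLI fails closed instead of letting a run slip past the limit.
  if (!outcome.ok) {
    return { allowed: false, reason: `usage server unreachable: ${outcome.error}` };
  }
  if (outcome.status !== 200) {
    return { allowed: false, reason: `usage server returned HTTP ${outcome.status}` };
  }
  const { used, limit = defaultLimit, plan = 'free' } = outcome.body || {};
  if (!Number.isInteger(used) || !Number.isInteger(limit)) {
    return { allowed: false, reason: 'malformed usage response' };
  }
  if (used >= limit) {
    return { allowed: false, reason: `monthly limit reached (${used}/${limit}, plan ${plan})` };
  }
  return { allowed: true, remaining: limit - used, plan };
}

async function fetchUsage(apiBase, clientId, { fetchImpl = globalThis.fetch, timeoutMs = 3000 } = {}) {
  // Bounded wait: a hung server must not hang a commit hook forever. A timeout
  // is reported as a failure, which decideRun then turns into a denial.
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const url = `${apiBase}/usage?clientId=${encodeURIComponent(clientId)}`;
    const res = await fetchImpl(url, { signal: controller.signal });
    const body = await res.json().catch(() => null); // non-JSON body -> malformed
    return { ok: true, status: res.status, body };
  } catch (err) {
    return { ok: false, error: err.name === 'AbortError' ? 'timeout' : err.message };
  } finally {
    clearTimeout(timer);
  }
}

async function checkUsage(env, clientId, opts) {
  // Full pipeline: resolve base URL, query the server, decide.
  return decideRun(await fetchUsage(resolveApiBase(env), clientId, opts));
}

// Constructed outcomes standing in for real server replies.
console.log(decideRun({ ok: false, error: 'ECONNREFUSED' }));
console.log(decideRun({ ok: true, status: 200, body: { used: 49, limit: 50, plan: 'free' } }));
```

checkUsage can be called from a pre-commit hook with process.env and the local clientId shown by `codeproof whoami`; the injectable fetchImpl makes it possible to unit-test the gate against a stub that throws or returns a canned status.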

move-secret Command

Safely moves high-confidence secrets from your source code to environment variables with automatic backups and AST-based replacement.

Features

  • Smart Detection: Scans your project using regex + AI detection engine
  • Deterministic Naming: Generates meaningful variable names (e.g., OPENAI_API_KEY, AWS_ACCESS_KEY)
  • Framework Awareness: Detects Vite, Next.js, Create React App and uses appropriate env access patterns
  • AST-Based Replacement: Uses proper code parsing (not string replacement) to preserve formatting
  • Safety First: Creates backups before any modifications
  • Duplicate Handling: Groups identical secrets across files into single env variables
  • JSON Support: Handles secrets in JSON files with template interpolation

Usage

Preview changes without modifying files:

codeproof move-secret --dry-run

Apply changes with confirmation:

codeproof move-secret

Apply changes without confirmation (useful for CI/CD):

codeproof move-secret --force

Show detailed output:

codeproof move-secret --verbose

What It Does

  1. Scans your project for high-confidence secrets
  2. Groups duplicate secrets by value
  3. Generates deterministic environment variable names
  4. Creates a timestamped backup in .codeproof-backup/
  5. Replaces secrets with appropriate env references:
    • Vite projects: import.meta.env.VITE_<NAME>
    • Next.js (frontend): process.env.NEXT_PUBLIC_<NAME>
    • React: process.env.REACT_APP_<NAME>
    • Default: process.env.<NAME>
  6. Updates your .env file with the secret values
  7. Ensures .env and .env.local are in .gitignore

Example

Before:

const apiKey = "sk-1234567890abcdef";
const dbPassword = "my-secret-password";

After running codeproof move-secret:

const apiKey = process.env.OPENAI_API_KEY;
const dbPassword = process.env.DB_PASSWORD;

And in .env:

OPENAI_API_KEY=sk-1234567890abcdef
DB_PASSWORD=my-secret-password
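The seven steps under "What It Does" and the before/after snippet above can be seen end to end in the following added example. It is not CodeProof's own implementation: the real tool uses AST-based replacement and a regex + AI detection engine, whereas this stand-in matches simple `const name = "literal";` declarations with a regex and works entirely on in-memory strings (no backups are written because nothing touches disk). The provider prefix patterns, the sensitivity heuristic and the file contents are constructed for the example; the framework-specific env references are the four forms listed in the README.

```javascript
// Added illustration of the move-secret workflow; not CodeProof's code.
// Detection patterns, provider prefixes and sample files are constructed.

// `const|let|var name = "literal";` with a single- or double-quoted literal.
const DECL_RE = /\b(const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(["'])([^"'\n]+)\3\s*;/g;
// Values with a known provider prefix get a fixed name; anything else counts
// only if the identifier looks sensitive and the value is credential-sized.
const PROVIDER_PREFIXES = [
  { test: /^sk-[A-Za-z0-9]{8,}$/, envName: 'OPENAI_API_KEY' },
  { test: /^AKIA[A-Z0-9]{16}$/, envName: 'AWS_ACCESS_KEY' },
];
const SENSITIVE_IDENT_RE = /secret|password|passwd|token|key|credential/i;
const MIN_SECRET_LENGTH = 8;

function envNameFromIdentifier(ident) {
  // apiKey -> API_KEY, dbPassword -> DB_PASSWORD (deterministic, no randomness)
  return ident.replace(/([a-z0-9])([A-Z])/g, '$1_$2').replace(/[^A-Za-z0-9]+/g, '_').toUpperCase();
}

function detectSecrets(files) {
  // files: { [path]: sourceText }. One finding per high-confidence literal.
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    for (const m of source.matchAll(DECL_RE)) {
      const [, , ident, , value] = m;
      const provider = PROVIDER_PREFIXES.find((p) => p.test.test(value));
      const suspicious = SENSITIVE_IDENT_RE.test(ident) && value.length >= MIN_SECRET_LENGTH;
      if (!provider && !suspicious) continue; // low confidence: leave it alone
      findings.push({ path, ident, value, envName: provider ? provider.envName : envNameFromIdentifier(ident) });
    }
  }
  return findings;
}

function groupByValue(findings) {
  // Identical secrets across files share one variable; the first name wins.
  const plan = new Map(); // value -> envName
  for (const f of findings) if (!plan.has(f.value)) plan.set(f.value, f.envName);
  return plan;
}

function envReference(envName, framework) {
  // Framework-specific env access, as listed in the README.
  switch (framework) {
    case 'vite': return `import.meta.env.VITE_${envName}`;
    case 'next': return `process.env.NEXT_PUBLIC_${envName}`;
    case 'cra': return `process.env.REACT_APP_${envName}`;
    default: return `process.env.${envName}`;
  }
}

function rewriteSource(source, plan, framework) {
  // Only declarations whose literal is in the plan are rewritten; everything
  // else, including non-secret literals, is left exactly as it was.
  return source.replace(DECL_RE, (whole, kw, ident, quote, value) =>
    plan.has(value) ? `${kw} ${ident} = ${envReference(plan.get(value), framework)};` : whole);
}

function mergeEnv(existingEnv, plan) {
  // Append missing keys; keys already present in .env are never overwritten.
  const lines = existingEnv.split('\n').filter(Boolean);
  const present = new Set(lines.map((l) => l.split('=')[0].trim()));
  for (const [value, envName] of plan) {
    if (present.has(envName)) continue;
    lines.push(`${envName}=${value}`);
    present.add(envName);
  }
  return lines.join('\n') + '\n';
}

function ensureGitignore(content) {
  // .env and .env.local must be ignored so the moved values stay out of git.
  const lines = content.split('\n').filter(Boolean);
  for (const entry of ['.env', '.env.local']) if (!lines.includes(entry)) lines.push(entry);
  return lines.join('\n') + '\n';
}

function moveSecrets(files, { framework = 'node', existingEnv = '', gitignore = '' } = {}) {
  const plan = groupByValue(detectSecrets(files));
  const rewritten = {};
  for (const [path, source] of Object.entries(files)) rewritten[path] = rewriteSource(source, plan, framework);
  return { plan, files: rewritten, env: mergeEnv(existingEnv, plan), gitignore: ensureGitignore(gitignore) };
}

// Constructed input mirroring the README's before/after snippet, plus a second
// file that repeats the same key so the duplicate grouping is visible.
const SAMPLE_FILES = {
  'src/config.js': 'const apiKey = "sk-1234567890abcdef";\nconst dbPassword = "my-secret-password";\nconst label = "hello";\n',
  'src/client.js': "const openai = 'sk-1234567890abcdef';\n",
};

const demoResult = moveSecrets(SAMPLE_FILES, { gitignore: 'node_modules\n' });
console.log(demoResult.files['src/config.js']);
console.log(demoResult.env);
```

Passing framework: 'vite', 'next' or 'cra' switches the generated references; the constant `label` survives untouched because its identifier is not sensitive and its value carries no provider prefix, which is the "high-confidence only" behaviour the README describes.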

Safety Features

  • Backups: All modified files are backed up before changes
  • Confirmation: Requires user confirmation unless --force is used
  • Dry Run: Test what would happen without making changes
  • Format Preservation: AST-based replacement maintains code style
  • No Overwrites: Won't overwrite existing environment variables
  • Fail-Safe: Aborts on errors rather than corrupting files

Server Setup (Required for Dashboard)

This CLI expects the CodeProof server to be running for:

  • Usage enforcement
  • Report ingestion
  • Dashboard views

If you only want local scanning, disable integration in your config.

Dashboard

The Next.js dashboard displays:

  • Project and report metrics
  • Analytics charts
  • Usage and limit graphs

License

Proprietary. All rights reserved.