npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

cszone38

v0.1.1

Published

Static analysis CLI for C# codebases. Detects AI-generated code, hardcoded secrets, and quality issues.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

semanticrigsemanticrig

Keywords

csharpdotnetstatic-analysissecuritysecret-scanningcode-qualitysastclirazor

Readme

Three-axis static analysis for C# codebases.
Below IC 0.038, nothing is innocent. Not even C#.

What It Is

cszone38 scans .cs, .csx, and .razor files and scores every file and the whole project across three independent axes:

| Axis | Name | What it catches | |------|------|-----------------| | A | Slop | Structural over-engineering, AI-style verbosity, low-signal patterns | | B | Security | Hardcoded credentials, suspicious strings, exposure risk | | C | Quality | Debug residue, weak error handling, maintenance debt |

Point it at a project. It tells you what deserves attention.

Why 0.038

The name comes from the Index of Coincidence — a classic cryptanalysis measurement.

Human language is uneven. Letters cluster. Patterns repeat. Natural text drifts toward an IC around 0.065. Random-looking credential material drifts toward 0.038.

That lower number is the boundary this tool guards. When a string crosses into that zone, it stops behaving like ordinary source text and starts behaving like something mathematically foreign.

The Math

cszone38 is a user tool, but its story is math, not magic.

Signal 1 — Shannon Entropy

H(X) = -∑ p(xᵢ) · log₂ p(xᵢ)

Measures how evenly characters are distributed. Low entropy means predictable text. High entropy means the string looks random. Real credentials push upward here.

Signal 2 — Index of Coincidence

IC = ∑ nᵢ(nᵢ - 1) / N(N - 1)

Measures repetition patterns. Human language repeats familiar symbols. Secrets flatten toward uniformity. The closer something gets to 0.038, the less it behaves like ordinary code.

Signal 3 — Normalized Compression Distance

NCD(x, y) = ( C(xy) - min(C(x), C(y)) ) / max(C(x), C(y))

Measures how structurally strange a value is compared with the code around it. A normal config label often resembles its file. A leaked credential usually does not.

cszone38 does not rely on one fragile clue. Three independent mathematical signals triangulate the truth.

Quick Start

npx cszone38 .
npx cszone38 ./src --verbose
npx cszone38 ./Auth.cs --no-slop --json
npm install -g cszone38
cszone38 .

Thresholds and Exit Codes

Exit code 0 means every axis passed. Exit code 1 means at least one axis crossed its threshold.

| Axis | Default threshold | |------|------------------| | A — Slop | ≤ 50 | | B — Security | ≤ 25 | | C — Quality | ≤ 100 |

Command Reference

Pick the right command

| Goal | Command | |------|---------| | First pass on any repo | npx cszone38 . | | Understand why files were flagged | npx cszone38 . --verbose | | Security only, pre-release | npx cszone38 . --axis=B --verbose | | Scan a single file | npx cszone38 ./Auth.cs | | Review only changed files | npx cszone38 . --since=origin/main --json | | Investigate one flagged line | npx cszone38 ./Auth.cs --explain=84 | | Machine-readable output for CI | npx cszone38 . --json | | Skip slop for speed | npx cszone38 ./Auth.cs --no-slop | | Clean obvious noise then rescan | npx cszone38 . --fix --verbose | | Check deep mode readiness | cszone38 doctor | | Enable optional deep analysis | cszone38 setup deep then cszone38 . --deep | | Verify live credentials you own | cszone38 . --verify --allow-network |

Flags

Everyday

-v, --verbose — Shows detailed output for flagged files. Use it when the default summary tells you a file was flagged but not enough about why.

-a, --all — Shows every file, not only the flagged ones. Use it when you want the complete scan ledger.

-f, --file=NAME — Filters output to one file name. Useful in large repos.

Focus and Filtering

-A, --axis=A,B,C — Limits the scan to selected axes.

npx cszone38 . --axis=B
npx cszone38 . --axis=A,C

-s, --show=SECTION — Shows one output section: hits, secrets, review, exposure, or breakdown.

npx cszone38 . --axis=B --show=secrets

-S, --since=REF — Scans only files changed since a git ref. Best for pull-request workflows.

npx cszone38 . --since=origin/main
npx cszone38 . --since=HEAD~1

Output

-j, --json — Machine-readable JSON. Use for CI, scripting, or custom dashboards.

-o, --open — Opens the interactive hit navigator. Lets you step through findings instead of scrolling a wall of text.

--explain=LINE — Explains the nearest signal around a specific line. Single-file mode only.

npx cszone38 ./Auth.cs --explain=84

-t, --threshold=A:N — Overrides an axis threshold.

npx cszone38 . --threshold=B:10
npx cszone38 . --threshold=A:40,C:30

Cleanup and Speed

--fix — Applies small local cleanup fixes before the scan. Useful before a commit.

--no-slop — Skips Axis A for faster Axis B + C feedback.

Optional Deep Analysis

doctor — Shows whether the normal scan is ready and whether optional deep mode is available.

setup deep — Prepares optional local deep-analysis mode.

Current public deep-bundle release support is Linux x64 only. macOS and Windows bundles are planned later.

To enable deep mode on Linux x64:

  1. Download cszone38-deep-linux-x64.tar.gz from the matching GitHub Release.
  2. Extract the archive.
  3. Run cszone38 setup deep --bundle=/path/to/cszone38-deep-linux-x64.
  4. Run cszone38 doctor and then cszone38 . --deep.

Windows via WSL2 — If you are on Windows, you can still use --deep through WSL2 by running cszone38 inside a Linux distro such as Ubuntu. This is Linux support inside WSL, not native Windows deep support.

In an elevated PowerShell window:

wsl --install -d Ubuntu

After restart, open Ubuntu and run:

npm install -g cszone38
cszone38 doctor
cszone38 setup deep --bundle=/path/to/cszone38-deep-linux-x64
cszone38 . --deep

Run these commands inside WSL, not in native PowerShell or cmd.exe. For best performance, keep the repository inside the WSL filesystem rather than under /mnt/c/....

--deep — Adds an optional deeper local pass. Requires setup deep first. Falls back to normal results if unavailable.

--solution=PATH — Tells deep mode which .sln, .slnx, or .csproj to use when a repo has multiple options.

Optional Live Verification

Warning: --verify --allow-network may contact real providers. Use only on credentials you own.

cszone38 . --verify --allow-network

Common Workflows

First pass, safest command:

npx cszone38 .

Security focus before a release:

npx cszone38 . --axis=B --verbose

Pull-request / branch review:

npx cszone38 . --since=origin/main --json

Quick single-file check while coding:

npx cszone38 ./AuthService.cs --no-slop

Clean noise then rescan:

npx cszone38 . --fix --verbose

Enable the optional deep pass:

cszone38 setup deep --bundle=/path/to/cszone38-deep-linux-x64
cszone38 doctor
cszone38 . --deep

CI

name: cszone38

on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: npx cszone38 . --since=origin/main --json

Library Usage

const { run, renderJson, exitCode } = require('cszone38');

const result   = run('./src');
const json     = renderJson(result.report);
const code     = exitCode(result.report.projectSummary.axes);

Privacy and Network Behavior

The default scan path is entirely local. No telemetry. No network calls.

--deep is optional and still local. --verify is the only mode that may use the network, and only when you explicitly add --allow-network.

The safe default is the normal math-based scan.

Requirements

  • Node.js 18 or later
  • macOS, Linux, or Windows
  • .cs, .csx, or .razor source files

License

Business Source License 1.1 — see LICENSE.