deltarq-scan
v0.1.0
Published
Local-first CLI security audit tool for startups — scan your infrastructure for SOC 2 readiness gaps
Downloads
162
Maintainers
Readme
deltarq-scan
Scan your startup's codebase and infrastructure for security gaps in 30 seconds.
npx deltarq-scandeltarq-scan is a local-first, zero-install, read-only CLI security audit tool. It scans your repository (configurations, environment variables, IAM policies, git history) for critical security gaps that block enterprise deals, fail SOC 2 audits, or expose you to immediate breach.
What it checks
| Rule | Severity | What it catches |
|------|----------|----------------|
| IAM-001 | 🔴 CRITICAL | Wildcard IAM policies (Action: *, Resource: *) |
| DB-001 | 🔴 CRITICAL | Postgres with no SSL on public endpoints |
| INFRA-001 | 🔴 CRITICAL | Docker containers running as root |
| INFRA-004 | 🔴 CRITICAL | Insecure CI/CD workflow (Dangerous pull_request_target in GitHub Actions) |
| IAM-002 | 🟠 HIGH | Hardcoded Cloud/API Secrets (AWS, Stripe, Slack, GitHub keys in .env) |
| INFRA-002 | 🟠 HIGH | Database ports exposed to all interfaces |
| INFRA-003 | 🟠 HIGH | Missing package lockfile (Deterministic builds/SOC 2 control) |
| LOG-001 | 🟠 HIGH | No structured audit trail / logging |
| IAM-003 | 🟡 MEDIUM | No MFA on AWS root account |
| DB-002 | 🟡 MEDIUM | No connection pool limits |
| GIT-001 | 🟡 MEDIUM | Secrets leaked in git history |
How it works
- Runs entirely on your machine — scans
.env,Dockerfile,docker-compose.yml, IAM policies - Generates a security score — 0-100 with grade (A-F) and enterprise readiness flag
- Shows a rich terminal report — color-coded findings with plain English explanations
- Optionally uploads anonymous metadata — only boolean pass/fail data, no secrets ever leave your machine
────────────────────────────────────────────────────────
DELTARQ Security Scanner v0.1.0
Scanning: /Users/you/my-startup
────────────────────────────────────────────────────────
✓ Detecting project type... FastAPI + PostgreSQL
⚠ Scanning configuration files... 3 issues found
✓ Scanning IAM configuration... 1 issue found
✓ Scanning database config... No issues
✓ Scanning git history... Clean
────────────────────────────────────────────────────────
YOUR SECURITY SCORE: 34/100 [F — Critical Exposure]
────────────────────────────────────────────────────────
🔴 CRITICAL IAM-001 Wildcard IAM policy detected
→ Any compromised service = full account takeover
🔴 CRITICAL DB-001 Postgres unencrypted on public host
→ User data exposed to interception in transit
🟠 HIGH LOG-001 No audit trail detected
→ You cannot detect or investigate a breach
────────────────────────────────────────────────────────
ENTERPRISE READINESS: ✗ Not Ready
SOC 2 Gap Count: 3 controls failing
────────────────────────────────────────────────────────Usage
# Scan current directory
npx deltarq-scan
# Scan a specific project
npx deltarq-scan ./my-project
# Scan without upload prompt
npx deltarq-scan --no-upload
# Output JSON (for CI/CD pipelines)
npx deltarq-scan --json
# Verbose mode (see upload payload preview)
npx deltarq-scan --verboseWhat data is uploaded?
Only if you consent. And only this:
{
"scan_id": "uuid",
"score": 34,
"grade": "F",
"enterprise_ready": false,
"findings": [
{ "rule": "IAM-001", "severity": "CRITICAL", "passed": false }
]
}What is NEVER uploaded:
- ❌ No
.envvalues - ❌ No AWS keys or secrets
- ❌ No file contents
- ❌ No IP addresses
- ❌ No company name (unless you opt in on dashboard)
Privacy & Security
- Open source — read every line of code before running
- Read-only — never modifies your files
- Local-first — all scanning happens on your machine
- Consent-gated — nothing leaves without your explicit
Y - MIT Licensed — use it however you want
Development & Local Testing
1. Setup
# Clone the repository
git clone https://github.com/deltarq/deltarq-scan.git
cd deltarq-scan
# Install dependencies
npm install2. Run Scanner Locally
# Scan the current directory
node bin/deltarq-scan.js
# Scan mock test fixtures (no upload prompt)
node bin/deltarq-scan.js ./tests/fixtures --no-upload3. Test Global CLI Command Locally (npm link)
Before publishing to the npm registry, you can test the global npx deltarq-scan command in any directory on your computer by linking it:
# 1. In the deltarq-scan project root, run:
npm link
# 2. Go to any other directory/project folder and run:
npx deltarq-scan
# or simply:
deltarq-scan4. Test Full Upload Pipeline Locally
You can spin up a local Express server and test uploader integration directly.
Terminal 1: Start Dashboard API Server
npm run serverTerminal 2: Run Scan & Upload to Local Server
- Windows (PowerShell):
$env:DELTARQ_API_URL="http://localhost:3000/v1/scans"; $env:DELTARQ_DASHBOARD_URL="http://localhost:3000"; node bin/deltarq-scan.js ./tests/fixtures - Mac/Linux (Bash):
DELTARQ_API_URL="http://localhost:3000/v1/scans" DELTARQ_DASHBOARD_URL="http://localhost:3000" node bin/deltarq-scan.js ./tests/fixtures
5. Run Automated Unit Tests
# Run Vitest test runner
npm testProduction Deployment
1. Database Setup (Supabase)
Create a project on Supabase and copy the SQL code inside supabase_schema.sql into the Supabase SQL Editor, then click Run. This instantiates the scans and leads tables with pre-configured Row-Level Security (RLS) rules.
2. Host Backend & Dashboard (Vercel)
Deploy the unified Express server and static dashboard using the Vercel CLI from the root folder:
vercel --prodBe sure to set the following Environment Variables on your Vercel Dashboard:
DATA_LAYER_ENDPOINT= your-supabase-project-urlDATA_LAYER_ANON_KEY= your-supabase-public-anon-key (orDATA_LAYER_SERVICE_ROLE_KEYfor higher privilege)DELTARQ_DASHBOARD_URL= your-deployed-vercel-domain (e.g.https://deltarq-scan.vercel.app)
License
MIT — DELTARQ
