npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

genaura-guard

v1.0.0

Published

Security scanner for vibe coders. Find vulnerabilities before you push.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

genauragenaura

Keywords

securityscannerowaspsql-injectionxssvibe-codingclaudecursorcopilotai-codingpre-pushgit-hooksgenaura

Readme

The Problem

You're vibe coding with Claude, Cursor, Copilot. AI generates code fast. You ship fast.

But AI doesn't think about security:

// AI happily generates this:
db.query(`SELECT * FROM users WHERE id = ${userId}`);  // SQL injection 💀

const apiKey = "sk_live_abc123...";  // Hardcoded secret 💀

element.innerHTML = userInput;  // XSS vulnerability 💀

exec(`convert ${filename}.png`);  // Command injection 💀

You push to prod. Hackers find it. Data breach. Career ruined.

The Solution

Genaura Guard scans your code before you push. Catches security issues instantly.

npx genaura-guard
🛡️  GENAURA GUARD

Found 4 security issues
──────────────────────────────────────────────
💀 1 critical  ✗ 2 high  ⚠ 1 medium

Findings
──────────────────────────────────────────────

💀 CRITICAL Hardcoded API Key
   src/config.ts:12
   const apiKey = "sk_live_...
   → Move secrets to environment variables

✗ HIGH SQL Injection (String Concatenation)
   src/db/users.ts:42
   db.query(`SELECT * FROM users WHERE id = ${userId}`)
   → Use parameterized queries: db.query("SELECT * FROM users WHERE id = ?", [userId])

✗ HIGH XSS via innerHTML
   src/components/Comment.tsx:28
   element.innerHTML = userContent
   → Use textContent for text, or sanitize HTML with DOMPurify

⚠ MEDIUM Weak Cryptography (MD5)
   src/utils/hash.ts:8
   crypto.createHash("md5")
   → Use SHA-256 or better. For passwords, use bcrypt or argon2

⚠️  Fix Guide
──────────────────────────────────────────────
💀 Hardcoded API Key (1 instance in 1 file)
   Fix: Move secrets to environment variables
✗ SQL Injection (1 instance in 1 file)
   Fix: Use parameterized queries
✗ XSS via innerHTML (1 instance in 1 file)
   Fix: Use textContent or sanitize with DOMPurify
⚠ Weak Cryptography (1 instance in 1 file)
   Fix: Use SHA-256 or better

Quick Start

# Install globally
npm install -g genaura-guard

# Scan your project
genaura-guard

# Get detailed fix instructions per file
genaura-guard fix

# Install git hook + auto-inject rules into your AI configs
genaura-guard init

Or use without installing:

npx genaura-guard

That's it. init installs the pre-push hook and auto-discovers your AI config files (CLAUDE.md, .cursorrules, AGENTS.md, etc.) to inject security rules.

What It Catches

💀 Critical (Stop Everything)

| Issue | Example | |-------|---------| | Hardcoded API Keys | const key = "sk_live_..." | | Hardcoded Passwords | password = "admin123" | | Private Keys in Code | -----BEGIN RSA PRIVATE KEY----- |

✗ High (Fix Before Deploy)

| Issue | Example | |-------|---------| | SQL Injection | db.query(`SELECT * FROM users WHERE id = ${id}`) | | XSS (innerHTML) | element.innerHTML = userInput | | Command Injection | exec(`rm -rf ${userInput}`) | | Path Traversal | fs.readFile(req.params.filename) | | NoSQL Injection | db.find({ user: req.body.user }) | | SSRF | fetch(req.query.url) | | Eval Usage | eval(userCode) | | JWT None Algorithm | algorithms: ["none"] |

⚠ Medium (Should Fix)

| Issue | Example | |-------|---------| | Weak Crypto (MD5/SHA1) | crypto.createHash("md5") | | Insecure Cookies | Missing httpOnly, secure, sameSite | | CORS Wildcard | cors({ origin: "*" }) | | Missing Rate Limit | Login endpoint without rate limiting | | Timing Attacks | if (token === secret) | | Unvalidated Redirects | res.redirect(req.query.url) |

○ Low (Best Practice)

| Issue | Example | |-------|---------| | Debug Mode On | DEBUG=true in production | | Security TODOs | // TODO: fix auth | | HTTP URLs | fetch("http://api.example.com") | | Weak Randomness | Math.random() for tokens | | Error Disclosure | res.send(err.stack) |

Commands

# Default scan (all severities)
genaura-guard                     # Scan current directory
genaura-guard scan ./src          # Scan specific path
genaura-guard scan --json         # Output as JSON

# Quick scan (critical + high only)
genaura-guard quick               # Fast pre-push check

# Full scan (explicit all severities)
genaura-guard full                # Same as default, explicit alias

# Fix report (detailed per-file fix instructions)
genaura-guard fix                 # Show what to fix and how
genaura-guard fix ./src           # Fix report for specific path
genaura-guard fix --severity critical,high

# Filter by severity
genaura-guard scan --severity critical,high
genaura-guard scan --severity medium,low

# Exclude patterns
genaura-guard scan --exclude "test/**,*.spec.ts"

# Setup
genaura-guard init                # Install pre-push hook + inject AI configs
genaura-guard init --pre-commit   # Also install pre-commit hook
genaura-guard uninstall           # Remove hooks

# Sync to AI tools (global configs)
genaura-guard sync                # Add rules to ~/.claude, ~/.cursor, etc.
genaura-guard sync claude cursor  # Sync to specific tools

# Info
genaura-guard status              # Show hooks and sync status
genaura-guard rules               # List all security rules

Fix Guide

Every scan ends with a Fix Guide — a deduplicated summary of all issues grouped by rule, with fix instructions and reference links.

For detailed per-file instructions, run:

genaura-guard fix
🛡️  GENAURA GUARD

Found 3 security issues
──────────────────────────────────────────────

Fix Report
──────────────────────────────────────────────

📄 src/config.ts (1 issue)
   L12 💀 Hardcoded API Key
      - const apiKey = "sk_live_abc123..."
      + Move secrets to environment variables

📄 src/db/users.ts (2 issues)
   L42 ✗ SQL Injection (String Concatenation)
      - db.query(`SELECT * FROM users WHERE id = ${userId}`)
      + Use parameterized queries
   L78 ⚠ Weak Cryptography (MD5)
      - crypto.createHash("md5")
      + Use SHA-256 or better

⚠️  Fix Guide
──────────────────────────────────────────────
💀 Hardcoded API Key (1 instance in 1 file)
   Fix: Move secrets to environment variables
✗ SQL Injection (1 instance in 1 file)
   Fix: Use parameterized queries
⚠ Weak Cryptography (1 instance in 1 file)
   Fix: Use SHA-256 or better

Git Hooks

Pre-Push Hook (Recommended)

Scans before every push. Blocks if critical issues found.

genaura-guard init

When you git push:

─────────────────────────────────────────────────────
🛡️  Genaura Guard found security issues:

   💀 1 critical issue
   ✗ 2 high severity issues

   💀 config.ts:12 Hardcoded API Key
      → Move secrets to environment variables
   ✗ users.ts:42 SQL Injection
      → Use parameterized queries

 Run genaura-guard scan for full details.
 Run genaura-guard fix for fix guidance.
─────────────────────────────────────────────────────
  • Critical issues → Push blocked (exit code 2)
  • High issues → Warning, ask to continue (exit code 1)
  • Medium/Low → Passes (exit code 0)

Pre-Commit Hook (Optional)

Quick scan of staged files only.

genaura-guard init --pre-commit

Manual Pre-Push Check

Don't want hooks? Run manually before pushing:

genaura-guard quick && git push

AI Tool Integration

Auto-Injection via init

When you run genaura-guard init, it automatically discovers and injects security rules into your project-level AI config files:

genaura-guard init
🛡️  GENAURA GUARD

Installing Git Hooks
─────────────────────────────────────────────
✓ Installed pre-push hook

AI Config Rules
─────────────────────────────────────────────
✓ Updated CLAUDE.md
✓ Updated .cursorrules
✓ Updated AGENTS.md
○ .github/copilot-instructions.md already configured

It discovers any AI config files in your project root:

| Auto-Detected | Examples | |---------------|----------| | Markdown configs | CLAUDE.md, AGENTS.md, COPILOT.md, CLINE.md | | Dotfile rules | .cursorrules, .clinerules, .boltrules, .replitrules | | Tool directories | .cursor/rules/, .github/copilot-instructions.md, .v0/instructions.md | | Any UPPERCASE.md | Scans root for all uppercase markdown files | | Any .toolrules | Scans root for all dotfile rule patterns |

Injection is idempotent — running init again won't duplicate the section.

Global Sync

For global AI tool configs (not project-level), use sync:

genaura-guard sync

Writes SECURITY.md to:

| Tool | Path | |------|------| | Claude | ~/.claude/SECURITY.md | | Cursor | ~/.cursor/rules/security.md | | Codex | ~/.codex/SECURITY.md | | Copilot | ~/.copilot/security.md | | Gemini | ~/.gemini/SECURITY.md | | Windsurf | ~/.windsurf/security.md | | OpenCode | ~/.opencode/security.md |

Now when you ask AI to write code, it follows security best practices.

CI/CD Integration

GitHub Actions

name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Genaura Guard
        run: npx genaura-guard --json > security-report.json
      - name: Check for critical issues
        run: |
          CRITICAL=$(cat security-report.json | jq '.summary.critical')
          if [ "$CRITICAL" -gt 0 ]; then
            echo "Critical security issues found!"
            exit 1
          fi

GitLab CI

security_scan:
  script:
    - npx genaura-guard
  allow_failure: false

Configuration

Create .guardrc.json in your project root:

{
  "exclude": [
    "test/**",
    "**/*.test.ts",
    "scripts/**"
  ],
  "severityThreshold": "high",
  "hooks": {
    "blockOnCritical": true,
    "blockOnHigh": false
  }
}

Exit Codes

| Code | Meaning | |------|---------| | 0 | No issues found (or only low) | | 1 | High/medium issues found | | 2 | Critical issues found |

Why This Exists

I was vibe coding. Shipped fast. Felt good.

Then I found SQL injection in my production code. Hardcoded API keys. innerHTML with user input everywhere.

AI generates code fast. But it doesn't think about security.

Genaura Guard catches what AI misses. Run it before you push.

Links

License

MIT © Genaura