getdoorman
v2.0.1
10 security checks. Zero false positives. Ship with confidence.
Doorman
Ship your code with confidence.
10 security checks. Zero false positives. 3 seconds. Free.
Quick Start

Tell your AI:

```
run npx getdoorman
```

Or run it directly:

```
npx getdoorman
```

What It Checks

```
✅ Leaked API Keys (35+ providers)
✅ .env File Safe
❌ SQL Injection — src/api/search.ts:42
✅ No Crashes Waiting
✅ No Hardcoded Secrets
✅ No Code Execution Risk
✅ No Sensitive Data in Logs
✅ No Debug Code
✅ Database Secure
✅ Safe Dependencies

Doorman: 9/10 checks passed. 1 issue found.
→ SQL Injection: Query built with user input in src/api/search.ts:42
```

Tell your AI: "fix the issues Doorman found"

The 10 Checks
| Check | What it catches |
|-------|-----------------|
| 🔑 Leaked API Keys | Stripe, OpenAI, AWS, Anthropic, GitHub, and 30+ more |
| 📄 .env Exposed | .env not in .gitignore |
| 💉 SQL Injection | Queries built with user input |
| 💥 Production Crashes | API routes without error handling |
| 🔒 Hardcoded Secrets | Passwords and tokens in source code |
| ⚠️ Code Execution | eval() with dynamic input |
| 📋 Sensitive Logs | Passwords or tokens in console.log |
| 🐛 Debug Code | console.log left in production |
| 🗄️ Database Security | MongoDB without auth, server on 0.0.0.0 |
| 📦 Bad Packages | Known compromised npm packages |
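To make the table concrete, here is an added example (not Doorman's own code, and not a description of how Doorman's checks are implemented) of a small line-based scanner that flags three of the pattern classes listed above: a SQL query built by interpolating or concatenating a variable, `eval()` called with a non-literal argument, and a `console.log` that prints a password- or token-like value. The source file, its path, the rule regexes and the `exitCode` helper are all constructed for this illustration; the sample deliberately includes a parameterized query and a constant `eval` so that the scanner can be seen leaving the safe forms alone, which is the kind of behaviour a "zero false positives" claim depends on.

```javascript
// Added illustration of the check categories in the table; these heuristics
// are assumptions for the example, not Doorman's actual rules.

// Constructed sample source standing in for a file such as src/api/search.ts.
const SAMPLE_FILE = 'src/api/search.ts';
const SAMPLE_SOURCE = [
  "import { db } from '../db';",
  "export async function search(req, res) {",
  "  const term = req.query.q;",
  "  const rows = await db.query(`SELECT * FROM items WHERE name LIKE '%${term}%'`);",
  "  console.log('user password:', req.body.password);",
  "  const fn = eval(req.query.expr);",
  "  const safe = await db.query('SELECT * FROM items WHERE name LIKE $1', [`%${term}%`]);",
  "  eval('1 + 1');",
  "  res.json(rows);",
  "}",
];

const RULES = [
  {
    id: 'sql-injection',
    message: 'Query built with user input',
    // A template literal that contains a SQL keyword and a ${...} interpolation,
    // or a quoted SQL fragment followed by "+ identifier" string concatenation.
    // A parameterized query ('... WHERE x = $1', [value]) matches neither.
    test: (line) =>
      /`[^`]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{[^`]*`/i.test(line) ||
      /['"][^'"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^'"]*['"]\s*\+\s*[\w$]/i.test(line),
  },
  {
    id: 'code-execution',
    message: 'eval() called with dynamic input',
    // eval( whose first argument does not start with a plain string literal.
    // Template literals are treated as dynamic here.
    test: (line) => /\beval\s*\(\s*(?!['"])/.test(line),
  },
  {
    id: 'sensitive-log',
    message: 'Password or token passed to console.log',
    test: (line) =>
      /console\.(log|info|debug|warn|error)\s*\(.*\b(password|secret|token|api[_-]?key)\b/i.test(line),
  },
];

// Runs every rule over every line and returns findings as file:line locations
// (1-based, matching how the report above points at src/api/search.ts:42).
function scan(fileName, lines) {
  const findings = [];
  lines.forEach((line, index) => {
    for (const rule of RULES) {
      if (rule.test(line)) {
        findings.push({
          rule: rule.id,
          location: `${fileName}:${index + 1}`,
          message: rule.message,
        });
      }
    }
  });
  return findings;
}

// Mirrors the --ci convention described in Options: non-zero when anything was found.
function exitCode(findings) {
  return findings.length > 0 ? 1 : 0;
}

// Stand-alone usage.
const report = scan(SAMPLE_FILE, SAMPLE_SOURCE);
for (const f of report) {
  console.log(`→ ${f.rule}: ${f.message} in ${f.location}`);
}
console.log(`${report.length} issue(s) found, exit code ${exitCode(report)}`);
```

Running it reports three findings (lines 4, 5 and 6 of the sample) and leaves the parameterized query on line 7 and the constant `eval('1 + 1')` on line 8 unflagged. A real scanner needs more than per-line regexes (multi-line queries, aliased query builders, tainted values that flow through variables), which is why a tool's false-positive and false-negative behaviour is worth checking against your own codebase rather than taken from a headline.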
How It Works
- Tell your AI to run it — or run `npx getdoorman` yourself
- Doorman scans your code in ~3 seconds
- Green check = safe. Red X = here's where to look
- Tell your AI: "fix the issues Doorman found"
After the first run, Doorman checks automatically every time your AI writes code.
Options
```
npx getdoorman          # check current directory
npx getdoorman ./src    # check specific path
npx getdoorman --json   # output as JSON
npx getdoorman --ci     # exit code 1 if issues found
```

Privacy
Your code never leaves your machine. Doorman runs 100% locally. No cloud. No accounts. No telemetry.
License
MIT
Links
- Website: doorman.sh
- npm: getdoorman
