
probus

v0.1.7

Published

Agentic security scanner for code repos — analyst + primary + secondary agent pipeline over OpenRouter / OpenAI / Anthropic models, with a live Ink terminal UI.

Readme

probus

Open-source AI vulnerability scanner powered by open models.


[Screenshot: Probus scanning a repo]


Probus started as an internal supply chain security scanning tool and proved effective by finding vulnerabilities in popular open source packages (e.g. n8n, AI SDK, langraphjs and more). It is now open source to help developers better secure their codebases and supply chains. Probus's edge is that it scales its scanning with open models (via OpenRouter), which keeps the per-file cost low.

What it does

Probus runs three agents:

  • [Analyst] Analyzes the codebase and picks the key files for deep scanning (e.g. entry points, third-party surface, dangerous sinks).
  • [Researcher] Runs on the primary model. Scans each selected file, follows its chains of calls, and writes raw findings (potential vulnerabilities).
  • [QA] Runs on the secondary model. Independently verifies each finding, checks that it has a real attack vector, and writes a report.

Quick start

npm install -g probus
probus scan ./my-app

Model providers

Probus runs most cost-effectively with open models via OpenRouter. Other providers such as OpenAI or Anthropic also work, at a higher cost per file.

Usage

probus scan <repo-path> [--effort low|medium|high] [--primaryModel slug] [--secondaryModel slug] [--provider openai|openrouter|anthropic]
probus view <repo-path>

Commands

| Command | What it does                                                       |
| ------- | ------------------------------------------------------------------ |
| scan    | Full pipeline: analyst → research → qa.                            |
| view    | Skip straight to the report browser for a previously-scanned repo. |

--effort

Controls how many files the analyst targets:

| Effort        | Files (approx) |
| ------------- | -------------- |
| low (default) | 50             |
| medium        | 100            |
| high          | 500            |

--primaryModel / --secondaryModel

Pass models as <provider>/<model> slugs via --primaryModel and --secondaryModel:

probus scan ./app --effort medium \
  --primaryModel anthropic/claude-sonnet-4-6 \
  --secondaryModel anthropic/claude-opus-4-7

Defaults are picked from whichever *_API_KEY env var is set (precedence: OPENROUTER_API_KEY > OPENAI_API_KEY > ANTHROPIC_API_KEY); use --provider to override when multiple keys are present.

| Provider   | Primary default              | Secondary default                   |
| ---------- | ---------------------------- | ----------------------------------- |
| openrouter | openrouter/qwen/qwen3.6-plus | openrouter/deepseek/deepseek-v4-pro |
| openai     | openai/gpt-5.4-mini          | openai/gpt-5.4                      |
| anthropic  | anthropic/claude-sonnet-4-6  | anthropic/claude-opus-4-7           |

Cost

Probus splits work between two models so you only pay premium rates where it matters:

  • Primary (~90% of tokens) — runs on every file. Pick something cheap and fast: qwen3.6, gpt-5.4-mini, sonnet-4.6.
  • Secondary (~10% of tokens) — verifies findings. Pick something smarter: deepseek-v4-pro, gpt-5.4, opus-4.7.

Each file consumes roughly 1M input tokens. Approximate per-file cost by provider:

| Provider                 | Cost / file | vs. open models |
| ------------------------ | ----------- | --------------- |
| openrouter (open models) | ~$0.50      | 1× (baseline)   |
| openai                   | ~$1.25      | ~2.5×           |
| anthropic                | ~$5.00      | ~10×            |
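The provider precedence, the per-provider defaults and the cost figures above, combined into one pre-flight check, as an added example (not Probus's own code). The env var names, precedence order, model slugs, effort file counts and per-file prices are taken from this README; the function names, the behaviour when --provider names a provider whose key is missing, and the rounding are this example's assumptions.

```javascript
// Added example, not Probus's own code. Resolves the provider and default
// models the README documents and estimates the cost of a scan before running it.

const PROVIDERS = {
  openrouter: {
    envKey: 'OPENROUTER_API_KEY',
    primary: 'openrouter/qwen/qwen3.6-plus',
    secondary: 'openrouter/deepseek/deepseek-v4-pro',
    costPerFileUsd: 0.5,   // README: ~$0.50 per file with open models
  },
  openai: {
    envKey: 'OPENAI_API_KEY',
    primary: 'openai/gpt-5.4-mini',
    secondary: 'openai/gpt-5.4',
    costPerFileUsd: 1.25,  // README: ~$1.25 per file
  },
  anthropic: {
    envKey: 'ANTHROPIC_API_KEY',
    primary: 'anthropic/claude-sonnet-4-6',
    secondary: 'anthropic/claude-opus-4-7',
    costPerFileUsd: 5.0,   // README: ~$5.00 per file
  },
};

// Precedence when several keys are set (README: OPENROUTER > OPENAI > ANTHROPIC).
const PRECEDENCE = ['openrouter', 'openai', 'anthropic'];

// Approximate number of files the analyst targets per --effort level (README table).
const EFFORT_FILES = { low: 50, medium: 100, high: 500 };

// Pick the provider. An explicit --provider wins, but (assumption) it is an
// error to name a provider whose key is not present rather than silently
// falling back to another key. Without an override, take the first provider
// in precedence order whose key is set.
function resolveProvider(env, override) {
  if (override !== undefined) {
    const p = PROVIDERS[override];
    if (!p) throw new Error(`unknown provider: ${override}`);
    if (!env[p.envKey]) throw new Error(`--provider ${override} given but ${p.envKey} is not set`);
    return override;
  }
  const found = PRECEDENCE.find((name) => Boolean(env[PROVIDERS[name].envKey]));
  if (!found) {
    throw new Error('no *_API_KEY set; export OPENROUTER_API_KEY, OPENAI_API_KEY or ANTHROPIC_API_KEY');
  }
  return found;
}

// Effective scan configuration: provider, models (explicit --primaryModel /
// --secondaryModel override the provider defaults) and a cost estimate.
function planScan(env, { effort = 'low', provider, primaryModel, secondaryModel } = {}) {
  if (!(effort in EFFORT_FILES)) throw new Error(`unknown effort: ${effort}`);
  const name = resolveProvider(env, provider);
  const p = PROVIDERS[name];
  const files = EFFORT_FILES[effort];
  return {
    provider: name,
    primaryModel: primaryModel ?? p.primary,
    secondaryModel: secondaryModel ?? p.secondary,
    files,
    // Rounded to cents; the README's figures are approximate anyway.
    estimatedCostUsd: Math.round(files * p.costPerFileUsd * 100) / 100,
  };
}

// Usage with a constructed environment (two keys set: precedence picks openrouter,
// --provider anthropic overrides it).
const sampleEnv = { OPENROUTER_API_KEY: 'sk-or-v1-example', ANTHROPIC_API_KEY: 'sk-ant-example' };
console.log(planScan(sampleEnv, { effort: 'medium' }));
console.log(planScan(sampleEnv, { effort: 'medium', provider: 'anthropic' }));
```

Run it against `process.env` instead of `sampleEnv` to see what a real invocation would pick up; the useful part is the estimate for `--effort high`, where the 10× gap between open models and Anthropic turns into hundreds of dollars per scan.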

Contributing

PRs welcome. See CONTRIBUTING.md for dev setup, scripts, and conventions.

Development

Local dev

git clone https://github.com/ItayRosen/Probus
cd Probus
nvm use && npm install
export OPENROUTER_API_KEY=sk-or-v1-...
npm run dev -- scan ../some-repo

Architecture

┌────────────┐   files[]   ┌──────────────┐  findings[]  ┌───────────┐
│  Analyst   │────────────▶│   Primary    │─────────────▶│ Secondary │
│  (1 call)  │             │  (per file)  │              │ (per file)│
└────────────┘             └──────────────┘              └─────┬─────┘
                                                               │
                                                               ▼
                                                       reports/*.md

All three run as isolated query() sessions through the Claude Agent SDK, each with its own filesystem sandbox scoped to the repo being scanned. Since the agents read the scanned repo's files as model input, a hostile repo can attempt prompt injection against them; that per-repo sandbox is what bounds what such a repo can reach.

Output layout

output/<repo-slug>/
├── analysis.json           # file list picked by the analyst
├── findings/
│   └── src__foo__bar.ts.json   # per-file findings (verified + unverified)
├── reports/
│   └── src__foo__bar.ts--1.md  # one Markdown report per verified finding
├── debug/
│   └── src__foo__bar.ts.log    # full agent transcript per file
└── processed-files.txt     # cache so reruns skip finished files

<repo-slug> is <basename>-<sha1(abspath)[:8]>, so two repos that share a directory name never collide.

License

Apache 2.0 — see LICENSE.