
redsketch

v0.2.4

Threat-model your Figma designs before writing a single line of code

Readme

RedSketch

  ██████╗ ███████╗██████╗ ███████╗██╗  ██╗███████╗████████╗ ██████╗██╗  ██╗
  ██╔══██╗██╔════╝██╔══██╗██╔════╝██║ ██╔╝██╔════╝╚══██╔══╝██╔════╝██║  ██║
  ██████╔╝█████╗  ██║  ██║███████╗█████╔╝ █████╗     ██║   ██║     ███████║
  ██╔══██╗██╔══╝  ██║  ██║╚════██║██╔═██╗ ██╔══╝     ██║   ██║     ██╔══██║
  ██║  ██║███████╗██████╔╝███████║██║  ██╗███████╗   ██║   ╚██████╗██║  ██║
  ╚═╝  ╚═╝╚══════╝╚═════╝ ╚══════╝╚═╝  ╚═╝╚══════╝   ╚═╝    ╚═════╝╚═╝  ╚═╝

  Threat-model your Figma designs before writing a single line of code

Threat-model your Figma designs before writing a single line of code.

RedSketch reads your Figma design files and generates STRIDE-based security threat models from the UI layer. It identifies authentication flows, data inputs, payment screens, consent patterns, and more — then maps them against 36 proven security UX patterns and 19 international regulations.

Install

npm install -g redsketch

Quick Start

# Set your API keys
export ANTHROPIC_API_KEY=sk-ant-...
export FIGMA_ACCESS_TOKEN=figd_...

# Scan a Figma design
redsketch scan "https://figma.com/design/abc123/MyApp?node-id=1-234"

What It Does

  1. Reads your Figma design structure via the Figma REST API
  2. Identifies security-relevant UI elements (login forms, data inputs, file uploads, payment flows, consent screens, admin panels)
  3. Generates STRIDE threat analysis for each identified asset (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
  4. Matches findings against 36 Security UX patterns from uxsec.dev
  5. Flags compliance gaps across 19 regulations (GDPR, NIS2, DORA, PCI DSS, EU AI Act, and more)

Usage

# Basic scan
redsketch scan <figma-url>

# Focus on specific regulations
redsketch scan <figma-url> --regulations gdpr,nis2,pci

# JSON output for CI/CD pipelines
redsketch scan <figma-url> --json

# Write report to file
redsketch scan <figma-url> --output threat-model.json

# Use a specific Claude model
redsketch scan <figma-url> --model claude-opus-4-6

# Verbose output (shows AI thinking)
redsketch scan <figma-url> --verbose

Configuration

RedSketch needs two API keys:

| Key | Source | Purpose |
|-----|--------|---------|
| ANTHROPIC_API_KEY | console.anthropic.com | Claude API for AI analysis |
| FIGMA_ACCESS_TOKEN | figma.com/developers | Figma REST API for reading designs |

Set them as environment variables (recommended) or in a .redsketch.json config file:

{
  "apiKey": "sk-ant-...",
  "figmaToken": "figd_...",
  "model": "claude-sonnet-4-6"
}

Available Regulations

| ID | Regulation |
|----|-----------|
| gdpr | General Data Protection Regulation (EU) |
| ccpa | California Consumer Privacy Act (US) |
| soc2 | Service Organization Control Type 2 |
| iso27001 | Information Security Management System |
| pci | PCI DSS 4.0 |
| ftc | FTC Act — Deceptive Practices |
| euaiact | EU AI Act — Article 50 Transparency |
| usai | Colorado AI Act + California AI Transparency Act |
| nis2 | Network and Information Security Directive 2 (EU) |
| dora | Digital Operational Resilience Act (EU — Financial Sector) |
| cra | Cyber Resilience Act (EU — Products with Digital Elements) |
| eaa | European Accessibility Act (EU) |
| iec62443 | Industrial Automation & Control System Security |
| iec61511 | Safety Instrumented Systems for Process Industries |
| isa182 | Alarm Management (ISA-18.2 / EEMUA 191) |
| isa101 | Human Machine Interfaces for Process Industries |
| wcag | Web Content Accessibility Guidelines 2.2 |
| fido2 | WebAuthn / FIDO2 |
| iso42001 | AI Management System — Responsible AI Governance |

How It Works

RedSketch uses a specialized AI agent powered by Claude that:

  • Parses your Figma design's node hierarchy, component names, and text content
  • Applies the STRIDE threat modeling framework at the UI layer
  • Cross-references findings against 34 interactive security UX patterns from uxsec.dev
  • Maps gaps to applicable regulations and compliance requirements

The analysis happens before any code exists — catching security issues at the design stage when they're cheapest to fix.
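To make the "What It Does" steps and the agent loop above concrete, here is an added example (not RedSketch's own code) that stands in for the Claude agent with a deterministic heuristic: it walks a Figma-style node tree built inline, tags security-relevant UI assets from layer names and text, and assigns STRIDE categories to each asset class. The matchers, the STRIDE mapping and the sample tree are assumptions made for this illustration.

```javascript
// Added illustration, not RedSketch's own code: a deterministic stand-in for the
// Claude-driven agent. It walks a Figma-style node tree (the REST API returns
// nodes with name/type/characters/children), tags security-relevant UI assets
// from layer names and text, and assigns STRIDE categories to each asset class.

// Which STRIDE categories a given asset class typically attracts (assumed mapping).
const STRIDE = {
  login:   ["Spoofing", "Information Disclosure", "Elevation of Privilege"],
  upload:  ["Tampering", "Denial of Service"],
  payment: ["Tampering", "Repudiation", "Information Disclosure"],
  consent: ["Repudiation", "Information Disclosure"],
  admin:   ["Elevation of Privilege", "Repudiation"],
};

// Name/text heuristics per asset class (assumed, not the tool's real rules).
const MATCHERS = {
  login:   /\b(login|sign ?in|password|mfa|otp)\b/i,
  upload:  /\b(upload|attach|drop ?zone)\b/i,
  payment: /\b(pay|checkout|card number|cvv|iban)\b/i,
  consent: /\b(cookie|consent|accept all)\b/i,
  admin:   /\b(admin|permissions|role)\b/i,
};

// Depth-first walk over the design tree; each hit records its full layer path
// so a finding points at a concrete frame rather than the whole file.
function threatModel(node, path = [], model = {}) {
  const here = [...path, node.name];
  const haystack = `${node.name} ${node.characters ?? ""}`;
  for (const [kind, re] of Object.entries(MATCHERS)) {
    if (!re.test(haystack)) continue;
    model[kind] ??= { threats: STRIDE[kind], locations: [] };
    model[kind].locations.push(here.join(" > "));
  }
  for (const child of node.children ?? []) threatModel(child, here, model);
  return model;
}

// Constructed sample tree standing in for a Figma file's document node.
const SAMPLE_DESIGN = {
  name: "MyApp", type: "DOCUMENT", children: [
    { name: "Login", type: "FRAME", children: [
      { name: "Email field", type: "INSTANCE" }, { name: "Password field", type: "INSTANCE" }] },
    { name: "Checkout", type: "FRAME", children: [
      { name: "Card number", type: "INSTANCE" }, { name: "Receipt upload", type: "INSTANCE" }] },
    { name: "Cookie banner", type: "FRAME", children: [{ name: "CTA", type: "TEXT", characters: "Accept all" }] },
    { name: "Marketing hero", type: "FRAME", children: [] },
  ],
};

console.log(JSON.stringify(threatModel(SAMPLE_DESIGN), null, 2));
```

The real tool hands this classification to Claude and then cross-references each asset against the uxsec.dev patterns and the regulation list; the heuristic here only shows the asset-to-STRIDE step.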

Pattern Library

RedSketch's knowledge base comes from the Security UX Pattern Library — 36 interactive patterns across 8 categories:

  • Authentication (8 patterns) — Login, MFA, passwords, sessions, passkeys, OAuth
  • Threat Response (3 patterns) — Breach notification, phishing, suspicious activity
  • Dark Patterns (6 patterns) — Confirmshaming, cookie consent, hidden unsubscribe
  • Data Protection (4 patterns) — Encryption, file upload, deletion, audit logs
  • OWASP Top 10 (3 patterns) — Access control, misconfiguration, logging
  • AI Transparency (5 patterns) — Disclosure, content labeling, decision explanation, input safety, human override
  • Industrial (4 patterns) — Operator auth, safety-critical, alarms, HMI navigation
  • Governance (3 patterns) — Design review, change management, compliance audit

License

MIT