sertivibed
v0.3.0
Published
Evidence-first security scanner for Supabase/React apps
Maintainers
Readme
Sertivibed
Evidence-first security scanner for Supabase/React apps.
Sertivibed scans your codebase for common security issues and generates detailed reports with code evidence. No AI guessing — every finding is backed by actual code snippets.
Quick Start
# Scan current directory
npx sertivibed scan .
# Scan a specific project
npx sertivibed scan ./my-app
# Show detailed progress
npx sertivibed scan . --verbose
# Fail CI if HIGH+ issues found
npx sertivibed scan . --fail-on high
# Use different scan profiles
npx sertivibed scan . --profile security # Default: 16 security rules
npx sertivibed scan . --profile growth # 3 growth/performance rules
npx sertivibed scan . --profile privacy # 4 privacy/GDPR rules
npx sertivibed scan . --profile prelaunch # 4 production readiness rules
# Enrich findings with AI explanations
npx sertivibed scan . --enrich
# Machine-readable JSON output only
npx sertivibed scan . --json-onlyInstallation
# Use with npx (no install needed)
npx sertivibed scan .
# Or install globally
npm install -g sertivibed
sertivibed scan .CLI Options
| Flag | Description |
|------|-------------|
| --verbose, -v | Show detailed progress |
| --profile <name> | Scan profile: security (default), growth, privacy, prelaunch |
| --enrich | Enrich findings with AI explanations (requires ANTHROPIC_API_KEY) |
| --out <dir> | Custom output directory (default: scanned project) |
| --fail-on <severity> | Exit code 1 if issues >= threshold (critical, high, medium, low) |
| --json-only | Output pure JSON to stdout, no UI/banner |
| --quiet | Minimal terminal output |
| --output <file>, -o | Markdown report filename (default: sertivibed-report.md) |
| --json <file>, -j | JSON output filename (default: sertivibed-results.json) |
Scan Profiles
Sertivibed includes 27 rules across 4 profiles:
| Profile | Rules | Description |
|---------|-------|-------------|
| security | 16 | Core security scanning (RLS, auth, XSS, secrets) |
| growth | 3 | Performance and observability checks |
| privacy | 4 | GDPR compliance and data handling |
| prelaunch | 4 | Production readiness checklist |
Security Rules (16)
RLS (Row Level Security)
| Rule | Severity | Description |
|------|----------|-------------|
| RLS001 | CRITICAL | RLS not enabled on table |
| RLS002 | MEDIUM | Missing DELETE policy when .delete() is used |
| RLS003 | HIGH | Policy missing ownership check (auth.uid() = user_id) |
Authentication & Authorization
| Rule | Severity | Description | |------|----------|-------------| | AUTH001 | CRITICAL | Service role key in client code | | AUTH002 | MEDIUM | Session cookie without expiry | | AUTH003 | HIGH | Password in URL query params |
API Security
| Rule | Severity | Description | |------|----------|-------------| | API001 | MEDIUM | Missing rate limiting | | API002 | MEDIUM | Stack trace in error response |
Privacy (in Security profile)
| Rule | Severity | Description | |------|----------|-------------| | PRIV001 | MEDIUM | Auth token in localStorage | | PRIV002 | MEDIUM | PII in console.log |
Secrets
| Rule | Severity | Description | |------|----------|-------------| | SEC001 | HIGH | Hardcoded API key |
XSS (Cross-Site Scripting)
| Rule | Severity | Description |
|------|----------|-------------|
| XSS001 | HIGH | dangerouslySetInnerHTML usage |
| XSS002 | HIGH | Direct innerHTML assignment |
Storage
| Rule | Severity | Description | |------|----------|-------------| | STOR001 | MEDIUM | File upload without validation | | STOR002 | MEDIUM | Public storage URL without signing |
Configuration
| Rule | Severity | Description | |------|----------|-------------| | CONF001 | LOW | Missing Content Security Policy |
Growth Rules (3)
| Rule | Severity | Description | |------|----------|-------------| | GRO001 | LOW | Missing error tracking (Sentry/Bugsnag) | | GRO002 | MEDIUM | Unbounded SELECT (missing LIMIT) | | GRO003 | LOW | Large bundle size (>500kb) |
Privacy Rules (4)
| Rule | Severity | Description | |------|----------|-------------| | PRIV003 | HIGH | PII sent to analytics | | PRIV004 | MEDIUM | Tracking before consent | | PRIV005 | LOW | Missing data retention policy | | PRIV006 | HIGH | Sensitive data in URL |
Prelaunch Rules (4)
| Rule | Severity | Description | |------|----------|-------------| | PRE001 | LOW | Console.log in production code | | PRE002 | MEDIUM | Sourcemaps exposed in prod | | PRE003 | MEDIUM | Hardcoded localhost | | PRE004 | HIGH | .env not in .gitignore |
AI Enrichment
Add AI-powered explanations to your findings:
export ANTHROPIC_API_KEY=sk-ant-...
npx sertivibed scan . --enrichEach finding gets enriched with:
- Plain language explanation — What this vulnerability means
- Exploit scenario — How an attacker could use this
- Priority reasoning — Why this severity level
- Code example — How to fix it (when helpful)
Output
Sertivibed generates two files:
sertivibed-report.md— Human-readable report with code evidencesertivibed-results.json— Machine-readable for CI/CD integration
Use --json-only to output pure JSON to stdout (no banner/UI).
CI/CD Integration
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Sertivibed
run: npx sertivibed scan . --fail-on high --quiet
- name: Upload Report
if: always()
uses: actions/upload-artifact@v4
with:
name: security-report
path: sertivibed-report.mdGitLab CI
security-scan:
image: node:20
script:
- npx sertivibed scan . --fail-on high
artifacts:
paths:
- sertivibed-report.md
when: alwaysPhilosophy
Sertivibed follows an evidence-first approach:
- Every finding has code evidence — No vague warnings. You see the exact file and line.
- Verification steps included — Each finding tells you how to manually verify it's real.
- Smart detection — Skips RLS checks for Prisma projects (they use different auth patterns).
- No false confidence — We only check what we can verify. Unknown stacks get honest "N/A".
Supported Stacks
| Stack | Detection | RLS Rules | |-------|-----------|-----------| | Supabase | Auto-detected | Full support | | Prisma | Auto-detected | Skipped (check API routes instead) | | Next.js | Auto-detected | Full support | | Vite/React | Auto-detected | Full support |
Requirements
- Node.js >= 18
- ripgrep (rg) recommended for performance, falls back to grep
Install ripgrep
# macOS
brew install ripgrep
# Ubuntu/Debian
sudo apt install ripgrep
# Windows
choco install ripgrep
# or
winget install BurntSushi.ripgrep.MSVCContributing
Issues and PRs welcome at github.com/sertivibed/sertivibed-cli.
License
MIT - Hakon Haugen
