npm package discovery and stats viewer.


sicario-red-team

v3.1.1

Published

Autonomous Agentic Red-Teaming Swarm Protocol

Downloads

153

Readme

🎯 Sicario: Developer-First Security Scanner

The developer-first security scanner for modern web applications.

AI coding assistants (Cursor, v0, GitHub Copilot) allow you to ship full-stack applications in hours. But while they write beautiful code, they frequently introduce critical vulnerabilities — like hardcoded secrets, business logic bypasses, LLM injection vectors, and supply chain risks.

Legacy scanners (Snyk, Burp) are built for enterprise compliance, not rapid development. They output dense PDFs that nobody reads.

Sicario is different. It is a locally-running static analysis scanner that understands your code's semantic intent — parsing your source into an Abstract Syntax Tree to detect complex flaws that regex-based tools miss. Beautiful output. Interactive workflow. Fix with one command.


🚀 Quickstart

No API keys to copy. No configuration files to edit.

# Scan current directory (no install needed)
npx sicario-red-team@latest

# Or install globally
npm install -g sicario-red-team

# Link to cloud dashboard
sicario login

# Continuous scanning as you code
sicario watch

# AI fix + GitHub PR
sicario fix --pr

✨ Features

  • AST-Based Scanning — Parses TypeScript, JavaScript, Python, Go, and Rust into ASTs for deep semantic analysis
  • Secrets Detection — 30+ patterns including AWS keys, GitHub tokens, Stripe keys, and high-entropy strings
  • LLM Vulnerability Detection — Prompt injection, insecure output handling, unsafe model configurations
  • Business Logic Analysis — Missing auth checks, IDOR, mass assignment, rate limiting gaps
  • Supply Chain Auditing — OSV database queries, typosquatting detection, SBOM generation (--sbom)
  • AI Auto-Fix (Scribe) — Generates and applies code patches, or opens GitHub PRs with sicario fix --pr
  • Cloud Dashboard — Sync findings to Mission Control for team visibility and compliance reporting
  • Beautiful Output — Rich terminal UI with interactive post-scan menu, watch mode, and CI/CD integration

🔧 Core Commands

| Command | Description |
|---|---|
| sicario scan [path] | Scan a directory or file |
| sicario fix | Apply AI-generated patches locally |
| sicario fix --pr | Open a GitHub PR with the fix |
| sicario triage | Launch the interactive TUI Mission Control |
| sicario login | Authenticate with the cloud dashboard |
| sicario watch | Continuous scanning as you code |
| sicario init | Initialize a .sicarioignore config file |

Useful Flags

| Flag | Description |
|---|---|
| --sbom | Generate a CycloneDX JSON Software Bill of Materials |
| --baseline <file> | Suppress findings present in a saved baseline file |
| --fail-on <severity> | Exit with code 1 at/above this severity (CI/CD gating) |
| --dry-run | Preview what would be scanned/fixed without writing files |
| --incremental | Scan only files changed since last Git commit |
| --format <fmt> | Output format: text, json, sarif, markdown |


☁️ Cloud Dashboard

After running sicario login, scan results automatically sync to your Mission Control dashboard at usesicario.xyz/dashboard.

The dashboard provides:

  • Scan history and finding trends over time
  • Severity distribution and OWASP category breakdown
  • Compliance report export (OWASP, PCI-DSS, HIPAA)
  • Remote AI remediation for GitHub-connected repositories

# Authenticate once — all future scans sync automatically
sicario login

🛡️ Detection Engines

Sicario runs 4 detection engines on every scan:

  1. Secrets Engine — Detects hardcoded credentials, API keys, and high-entropy strings
  2. LLM Guard — Identifies prompt injection, unsafe AI output handling, and insecure model configs
  3. Business Logic Engine — Finds auth bypasses, IDOR, mass assignment, and missing rate limits
  4. Supply Chain Engine — Audits dependencies against the OSV database, detects typosquatting

Supported Languages: TypeScript · JavaScript · Python · Go · Rust
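How a secrets engine of the kind listed above can combine known-prefix patterns with a high-entropy heuristic, as an added JavaScript example (not code from the sicario-red-team package); the AWS pattern, the 4.0-bit threshold, the 20-character minimum and the SAMPLE source are this example's own assumptions.

```javascript
// Added illustration of a "Secrets Engine" as described above: known-prefix patterns
// first, then a Shannon-entropy check on long string literals. Constructed example,
// not code from the sicario-red-team package.

const KNOWN_PATTERNS = [
  // AWS access key IDs: fixed "AKIA" prefix followed by 16 uppercase alphanumerics.
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
];

// Shannon entropy in bits per character (0 for a single repeated character).
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Scan source text line by line. Pattern hits are reported by rule name; any other
// quoted literal that is long and high-entropy is reported as a generic candidate.
function scanSource(src, { minLen = 20, entropyThreshold = 4.0 } = {}) {
  const findings = [];
  src.split('\n').forEach((line, i) => {
    for (const { name, re } of KNOWN_PATTERNS) {
      for (const m of line.matchAll(re)) findings.push({ line: i + 1, rule: name, value: m[0] });
    }
    for (const m of line.matchAll(/["'`]([A-Za-z0-9+\/=_\-]{20,})["'`]/g)) {
      const lit = m[1];
      const h = shannonEntropy(lit);
      const seen = findings.some((f) => f.line === i + 1 && f.value === lit);
      if (lit.length >= minLen && h >= entropyThreshold && !seen) {
        findings.push({ line: i + 1, rule: 'high-entropy-string', value: lit, entropy: +h.toFixed(2) });
      }
    }
  });
  return findings;
}

// Constructed sample: the AKIA value is the placeholder key from AWS documentation,
// the base64 value is a constructed token, and the last literal is long but low-entropy.
const SAMPLE = [
  "const region = 'us-east-1';",
  "const accessKeyId = 'AKIAIOSFODNN7EXAMPLE';",
  "const token = 'c2VjcmV0LXRva2VuLWZvci1kZW1vLW5vdC1yZWFs';",
  "const filler = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';",
].join('\n');

console.log(scanSource(SAMPLE)); // two findings: the AKIA key (line 2), the base64 token (line 3)
```

The AKIA placeholder scores only about 3.7 bits per character, below the entropy threshold, which is why known-prefix patterns run before the generic heuristic. Conversely, harmless base64 or hex data will also trip the entropy check, which is the kind of noise a baseline or ignore file (see `--baseline` and `sicario init` above) exists to suppress.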


💎 Pricing

| Tier | Price | Includes |
|---|---|---|
| Hacker | Free | Full AST scanning, SARIF/JSON/Markdown reports, watch mode, CI/CD integration, cloud dashboard |
| Pro | Paid | Everything in Hacker + AI auto-fix, GitHub PR creation, SBOM generation, remote fix from dashboard |
| Enterprise | Coming Soon | SSO, custom SLAs, dedicated support |

Upgrade at usesicario.xyz.


📄 License

See LICENSE for details.