sniffsec
v0.2.0
Published
The invisible watchdog for your builds. Sniffs out secret leaks (Stripe/AWS), PII exposure, and build-breaking bugs in JS/TS apps. Zero-config, local-only.
Maintainers
Readme
SniffSec 👃🛡️
"You code. We sniff and secure."
SniffSec is the "Invisible Watchdog" for AI-driven development. Built by a Product Security Engineer, it’s designed for Devs who ship at the speed of light but don't want to crash on the launchpad.
AI agents (Cursor, Claude, GPT) are elite at coding, but they don't care about your Next.js build limits or STRIPE KEYS. We do.
🛠️ Instant Audit
No config. Just secure development.
npx sniffsecFound issues? Auto-replace hardcoded secrets with env var references:
npx sniffsec --fixCreates a .env.example with the variable names. You fill in the values.
🤖 Agent-Ready Repositories (Gemini, Cursor, Claude)
AI Agents (like Cursor, Claude, and Gemini) are great at coding but often miss security leaks. You can force your agents to check for important key leaks by adding SniffSec to your repo.
For Gemini CLI (GEMINI.md)
Update your GEMINI.md file:
# Agent Instructions: Security Audits
Whenever asked to analyze for security risks or secrets, you **MUST** run:
`npx sniffsec`
If issues are found, run `npx sniffsec --fix` to auto-replace hardcoded secrets with env var references.For Cursor (.cursorrules or .cursor/rules/sniffsec.mdc)
Update the .cursorrules file or a rule in .cursor/rules/ to ensure Cursor always sniffs before you commit:
# SniffSec Security Guardrail
Whenever you generate code with API keys or PII, you MUST suggest running:
`npx sniffsec`
If issues are found, run `npx sniffsec --fix` to auto-replace hardcoded secrets with env var references.For Claude (claude.md)
If you use Claude-based agents, update the claude.md file:
# SniffSec Workflow
Use `npx sniffsec` as the primary verification tool. Before completing any task, run the scan. If `issuesFound > 0`, run `npx sniffsec --fix` to auto-replace hardcoded secrets, then re-run the scan to confirm it passes.🛡️ What we sniff out (100+ patterns):
- Cloud Credentials: AWS, Azure, Google Cloud, Heroku, DigitalOcean.
- Payment & SaaS: Stripe, PayPal, Twilio, SendGrid, Mailgun, Slack.
- Databases: MongoDB, PostgreSQL, MySQL, Redis, Elasticsearch, Supabase.
- AI & Dev Tools: OpenAI, Anthropic, GitHub (PAT/OAuth), GitLab, Bitbucket.
- Infrastructure: Kubernetes, Docker Hub, Hashicorp Vault, Terraform, CircleCI.
- Environment Risks: Private Keys (RSA/PEM/PGP), Internal IPs, Localhost leaks, Dev/Stage URLs.
- Next.js Risks: API Route misconfigurations (missing "force-dynamic").
📁 Files scanned:
.js .ts .jsx .tsx .env .yaml .yml .json .sh .py .go .rb
npx sniffsec