npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

taskbounty-check

v0.1.6

Published

Pre-launch safety check for AI-built apps (Lovable, Bolt, Replit, Cursor, v0). Scans your GitHub Actions + CI hygiene locally. Source code and workflow contents never leave your machine.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

taskbountytaskbounty

Keywords

ai-app-securityvibe-codinglovableboltreplitcursorv0github-actionssecuritylocal-scannermcpmcp-serverclaude-codecodexdevsecopsgithub-securitygithub-actions-securityci-securitysoftware-supply-chain

Readme

taskbounty-check

A local check for GitHub Actions and CI maintenance hygiene (third-party action pinning, workflow token permissions, and update automation), built for apps shipped with Lovable, Bolt, Replit, Cursor, or v0.

Local by default. No uploads. No telemetry. It reads only your workflow files, on your machine. The default code path makes no outbound network requests, writes its report locally, and sends nothing anywhere. There is no analytics or phone-home of any kind. Only the opt-in --gh-org mode uses the network (through your own gh session).

Works with Cursor, Claude Code, and Codex (local MCP server, below).

Three ways to use it

1. GitHub Action — add a maintenance check to CI that writes a summary to the run (no PR comments, no source upload):

permissions:
  contents: read
steps:
  - uses: actions/checkout@v4
  - run: npx [email protected] . --github-summary --no-network

Want a human to interpret or fix what the Action surfaces? Request a free launch-safety review. TaskBounty gets no access to your repo, source, or workflows unless you submit that form.

2. Agent / MCP — a local stdio server for Cursor, Claude Code, and Codex:

npx -y [email protected] mcp

3. One-off CLI — scan the current repo locally and write a report:

npx -y [email protected] .

Pin a version (@0.1.6) in committed config and CI for reproducibility. @latest is convenient for a quick one-off, but a pinned version is the reproducible choice.

The GitHub job summary

The Action writes a counts-only maintenance summary to the workflow run (categories and next steps, no filenames, line numbers, or repo source). Below is that exact summary, rendered from this repo's own CI output:

TaskBounty check: GitHub Actions maintenance summary

See it produced live by the self-check job in this repository's Actions runs.

Learn more

Supported checks (and honest limitations)

Checks (GitHub Actions + CI maintenance hygiene):

  • Third-party actions pinned to a movable tag/branch instead of a commit SHA
  • Broad (write-all) workflow token permissions
  • Missing explicit permissions: block
  • Update automation (Dependabot/Renovate) presence
  • Context-dependent workflow patterns flagged for private review (e.g. pull_request_target, script injection)

Does NOT check (these need a manual review): exposed secrets, auth/authorization, payments, webhooks, runtime behavior. It is a maintenance/hygiene check, not a full security audit or a penetration test.

What it does

  • Reads only your GitHub Actions workflow files and update-automation config, scans them in-process with a deterministic ruleset (the same rules as the public checker), and writes a local HTML + JSON report. It does not execute workflows, install dependencies, or run any repository code.

Modes

| Mode | Command | Network | |------|---------|---------| | Single repo | npx taskbounty-check . | none | | Directory of repos | npx taskbounty-check ./all-repos | none | | Explicit paths | npx taskbounty-check --manifest repos.json | none | | GitHub org (your gh session) | npx taskbounty-check --gh-org <org> | yes, opt-in |

--gh-org uses your existing gh CLI session to fetch each repo's workflow files to this machine (read-only). Your GitHub token is never read by this tool and never sent to TaskBounty.

What is read, written, transmitted

Run --explain-data to print this at any time.

  • Reads (allowlist — nothing else is opened): <repo>/.github/workflows/*.yml|*.yaml and update-automation config (dependabot.yml/renovate.json*). Never source files, .env, secrets, SSH keys, credential stores, or anything outside the selected repository roots. Symlinks that escape a root are skipped, never followed.
  • Writes (local only): <out>.json (full detail) and <out>.html.
  • Transmits: nothing by default. --share uploads nothing — it writes a sanitized, counts-only file (scan id, label, candidate counts by category, private-review count, scanner version, timestamps; repo names only with --include-repo-names) for you to submit manually. Network stays off under --share. Only --gh-org intentionally uses the network.

Flags

--share · --gh-org <org> · --manifest <file> · --org-label <label> · --include-repo-names · --dry-run · --explain-data · --delete-local-report · --no-network (default everywhere except --gh-org) · --out <basename> · --version · --help

Want help interpreting or fixing these results?

Request a free 20-minute launch-safety review: https://www.task-bounty.com/ai-app-security-check/review?utm_source=npm&utm_medium=npm_readme&utm_campaign=workflow_security

TaskBounty receives nothing unless you submit that form. The scan runs locally and the full report stays on your machine; the review form gives us no access to your repositories, source, workflows, or secrets.

GitHub Code Scanning (SARIF)

Emit SARIF 2.1.0 and surface findings in your repo's Security → Code scanning tab:

npx taskbounty-check@latest . --format sarif --output taskbounty.sarif

The SARIF carries deterministic rule ids (taskbounty/<rule>), severity levels, and file/line references — no source contents, secrets, or environment values, and no network access. Confirmed findings are emitted as kind: fail; lower-confidence items as kind: review.

Help interpreting SARIF results: https://www.task-bounty.com/ai-app-security-check/review?utm_source=github&utm_medium=sarif_docs&utm_campaign=workflow_security

Upload it with the official action (full example in examples/code-scanning.yml):

permissions:
  contents: read
  security-events: write
steps:
  - uses: actions/checkout@v4
  - run: npx [email protected] . --format sarif --output taskbounty.sarif
  - uses: github/codeql-action/upload-sarif@v3
    with:
      sarif_file: taskbounty.sarif

Local agent (MCP)

Run a local stdio MCP server so Codex, Claude Code, or Cursor can scan and reason about findings in your editor. It runs locally, makes zero outbound network requests, uploads no source, and never modifies filesgenerate_fix_plan returns a plan as text for you to apply yourself.

npx taskbounty-check@latest mcp

Tools: scan_repo (local scan summary), explain_finding (plain-language explanation), generate_fix_plan (text fix plan).

Want a human to review the plan? https://www.task-bounty.com/ai-app-security-check/review?utm_source=mcp&utm_medium=mcp_docs&utm_campaign=workflow_security

Cursor.cursor/mcp.json:

{ "mcpServers": { "taskbounty-check": { "command": "npx", "args": ["-y", "taskbounty-check@latest", "mcp"] } } }

Claude Code:

claude mcp add taskbounty-check -- npx -y taskbounty-check@latest mcp

Codex — in ~/.codex/config.toml:

[mcp_servers.taskbounty-check]
command = "npx"
args = ["-y", "taskbounty-check@latest", "mcp"]

Security

Zero runtime dependencies. Published to npm with provenance (verify on the package's npm page). The default run makes no outbound requests and uploads nothing; see the methodology for the full data-handling and scope boundaries.