
xploitscan

v1.2.0

Published

AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do.

Readme

XploitScan


Security scanner for AI-generated code. Find vulnerabilities before attackers do.

Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 210 security rules. Plain-English results. Copy-paste fixes.

Quick Start

npx xploitscan scan .

No install, no config, no account required. Your code stays 100% local.

What It Catches

210 rules across 15+ categories:

| Category | Examples | Rules |
|----------|---------|-------|
| Secrets | Hardcoded API keys, .env files, OAuth secrets, Terraform state | 15+ |
| Injection | SQL, XSS, SSRF, command injection, path traversal, XXE, SSTI | 20+ |
| Authentication | Missing auth, weak JWT, insecure password reset, OAuth flaws | 15+ |
| Cryptography | Weak RSA, deprecated TLS, ECB mode, hardcoded IVs | 10+ |
| Infrastructure | Dockerfile, Kubernetes, Terraform, AWS IAM misconfigs | 10+ |
| Supply Chain | Unpinned GitHub Actions, vulnerable dependencies | 5+ |
| Information Leakage | PII in logs, unencrypted DB fields, exposed admin routes | 10+ |
| Code Quality | Console.log in production, empty catch blocks, TODO/FIXME | 10+ |

Every finding includes OWASP Top 10 and CWE compliance mappings.

Detection Quality

Detection is scored publicly on a labeled fixture corpus that's refreshed on every commit. Current numbers live at xploitscan.com/benchmark:

  • 100% precision (zero false positives) across 151 labeled fixtures covering 25+ vulnerability classes
  • 80%+ recall on rules with active test coverage
  • Side-by-side comparison with Semgrep (community rulesets) and Bearer on the same corpus

The scanner uses a two-layer architecture: a fast regex pre-filter for pattern-based rules (secrets, missing headers, container misconfigs), and a Babel-parsed AST layer with local taint tracking for data-flow rules (SSRF, prototype pollution, mass assignment, SSTI, command injection from user input). Recognized taint sources: Express / Fastify / Koa / Next.js App Router / Web Fetch API / AWS Lambda.
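
To make the two-layer design concrete, here is an added example (not XploitScan's own code) of a miniature scanner with both layers: a regex pre-filter for pattern rules, and a simplified, line-level local taint tracker that follows Express request data into an exec or fetch sink and stops at a sanitizer. XploitScan's real data-flow layer walks a Babel AST; the per-line approximation, the rule IDs, the sanitizer list and the sample Express app are all constructed for this example.

```javascript
// Added example (not XploitScan's code): a miniature version of the two-layer
// design described above. Layer 1 is a regex pre-filter for pattern rules;
// layer 2 is a simplified, line-level local taint tracker that follows request
// data into a dangerous sink. Rule IDs, rule names, the sanitizer list and the
// sample program are all constructed for this example.

// --- Layer 1: regex pre-filter (pattern-based rules) ------------------------
const PATTERN_RULES = [
  { id: 'EX-SECRET-1', title: 'Hardcoded AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'EX-SECRET-2', title: 'Private key material in source', re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/ },
  { id: 'EX-QUAL-1', title: 'console.log left in production code', re: /\bconsole\.log\s*\(/ },
];

function runPatternRules(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const rule of PATTERN_RULES) {
      if (rule.re.test(line)) findings.push({ rule: rule.id, title: rule.title, line: i + 1 });
    }
  });
  return findings;
}

// --- Layer 2: local taint tracking (data-flow rules, simplified) -------------
// Source: Express-style request fields. Sinks: shell execution and outbound fetch.
// A real implementation walks a parsed AST; this one approximates it per line.
const SOURCE_RE = /\breq\.(?:query|body|params)\b/;
const SINKS = [
  { id: 'EX-CMDI-1', title: 'Command injection: request data reaches exec()', re: /\b(?:exec|execSync)\s*\(/ },
  { id: 'EX-SSRF-1', title: 'SSRF: request data reaches fetch()', re: /\bfetch\s*\(/ },
];
// Calls treated as sanitizers: their result is no longer attacker-shaped text.
const SANITIZER_RE = /\b(?:Number|parseInt|encodeURIComponent)\s*\(/;
const ASSIGN_RE = /^\s*(?:const|let|var)\s+(\w+)\s*=\s*(.+?);?\s*$/;

function mentionsTainted(text, tainted) {
  return [...tainted].some((name) => new RegExp('\\b' + name + '\\b').test(text));
}

function runTaintRules(source) {
  const tainted = new Set(); // identifiers currently holding request-derived data
  const findings = [];
  source.split('\n').forEach((line, i) => {
    // 1. Does a sink on this line consume a source or a tainted identifier?
    for (const sink of SINKS) {
      if (!sink.re.test(line)) continue;
      const callText = line.slice(line.search(sink.re));
      if (SOURCE_RE.test(callText) || mentionsTainted(callText, tainted)) {
        findings.push({ rule: sink.id, title: sink.title, line: i + 1 });
      }
    }
    // 2. Propagate taint through simple assignments; sanitizers clear it.
    const m = line.match(ASSIGN_RE);
    if (m) {
      const [, name, rhs] = m;
      const fromTaint = SOURCE_RE.test(rhs) || mentionsTainted(rhs, tainted);
      if (fromTaint && !SANITIZER_RE.test(rhs)) tainted.add(name);
      else tainted.delete(name); // reassignment from clean data clears taint
    }
  });
  return findings;
}

function scan(source) {
  return [...runPatternRules(source), ...runTaintRules(source)].sort((a, b) => a.line - b.line);
}

// Constructed sample target: a small Express app with one finding per rule kind.
const SAMPLE = [
  "const express = require('express');",
  "const { execSync } = require('child_process');",
  'const app = express();',
  "const AWS_KEY = 'AKIAEXAMPLEKEY000001';", // line 4: pattern rule (secret)
  '',
  "app.get('/ping', (req, res) => {",
  '  const host = req.query.host;', // host becomes tainted
  '  const out = execSync(`ping -c 1 ${host}`);', // line 8: taint reaches exec sink
  '  res.send(out.toString());',
  '});',
  '',
  "app.get('/count', (req, res) => {",
  '  const n = Number(req.query.n);', // sanitized: n is not tainted
  '  const out = execSync(`seq ${n}`);', // no finding
  '  console.log(out);', // line 15: pattern rule (code quality)
  '  res.send(out);',
  '});',
  '',
  "app.get('/proxy', async (req, res) => {",
  '  const url = req.query.url;',
  '  const target = url;', // taint survives the alias
  '  const r = await fetch(target);', // line 22: taint reaches fetch sink
  '  res.send(await r.text());',
  '});',
].join('\n');

for (const f of scan(SAMPLE)) {
  console.log(`line ${f.line}: [${f.rule}] ${f.title}`);
}
```

The sample deliberately pairs each vulnerable route with a clean one: the `/count` handler shows why a sanitizer list matters (without it the `Number(...)` result would still be reported), and the `/proxy` handler shows the alias-following that distinguishes local taint tracking from a plain pattern match.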

Methodology, fixture format, and reproducibility instructions: xploitscan.com/docs/detection-methodology.

Installation

# Run directly (recommended — always latest version)
npx xploitscan scan .

# Or install globally
npm install -g xploitscan
xploitscan scan .

Usage

# Scan current directory
npx xploitscan scan .

# Scan a specific folder
npx xploitscan scan ./src

# JSON output (for scripting/CI)
npx xploitscan scan . --format json

# SARIF output (for GitHub Security tab)
npx xploitscan scan . --format sarif

# Scan only changed files vs main branch
npx xploitscan scan . --diff

# Watch mode — re-scan on file changes
npx xploitscan scan . --watch

Output Formats

| Format | Use Case |
|--------|----------|
| text | Human-readable terminal output (default) |
| json | Machine-readable JSON with all findings |
| sarif | GitHub Security tab integration |

GitHub Action

Add automated scanning to every PR:

name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run XploitScan
        uses: bgage72590/xploitscan@main
        with:
          path: '.'
          format: 'sarif'
          fail-on: 'critical'

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: xploitscan-results.sarif

Findings appear in the GitHub Security tab as code scanning alerts.

Configuration

Create a .xploitscanrc file in your project root:

{
  "rules": {
    "include": ["VC001-VC131"],
    "exclude": ["VC042"]
  },
  "format": "json",
  "fail-on": "high",
  "ignore": ["node_modules", "dist", ".git"]
}

.xploitscanignore

A .gitignore-style file in your project root. Plain lines exclude whole files from scanning (negate with !). A line may also carry a trailing rule-ID list to suppress only those rules on matching paths while still scanning the files for everything else:

# Don't scan generated code at all
generated/**

# Allow log-injection (VC044) in internal cron scripts only
scripts/cron/**        VC044

# Silence two rules across all test files
**/*.test.ts           VC031, VC043

# Suppress every rule on a legacy tree (the `scanner` wildcard)
legacy/**              scanner

For a single reviewed-and-accepted finding, prefer an inline // VC<id>-OK: <reason> comment instead of a file- or path-wide rule.
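
The following is an added example, not XploitScan's own code, showing how the two suppression mechanisms above can be evaluated together: it parses a .xploitscanignore file (whole-file lines with ! negation, lines with a trailing rule-ID list, and the scanner wildcard) with a small hand-written gitignore-style glob matcher, and checks flagged lines for an inline VC<id>-OK comment. The sample file is the one shown above plus a constructed `!generated/keep.js` line; the file paths and findings are constructed too, and how XploitScan itself resolves overlapping entries is not documented here, so the last-match-wins rule for whole-file lines is an assumption borrowed from .gitignore.

```javascript
// Added example (not XploitScan's code): a parser for the .xploitscanignore
// format described above, plus a checker for inline "// VC<id>-OK: <reason>"
// suppressions. The glob matcher is a small hand-written translation of
// gitignore-style patterns (*, **, ?, leading ! for negation) to regular
// expressions. Paths, findings and the extra "!generated/keep.js" line are
// constructed for this example; last-match-wins is assumed, as in .gitignore.

function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') {
      // "**/" spans zero or more directory levels; a trailing "**" matches the rest
      if (glob[i + 2] === '/') { re += '(?:.*/)?'; i += 2; } else { re += '.*'; i += 1; }
    } else if (c === '*') {
      re += '[^/]*'; // a single * never crosses a directory boundary
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    }
  }
  // As in .gitignore, a pattern without a leading slash may match at any depth.
  return new RegExp('^(?:.*/)?' + re + '$');
}

// One entry per non-empty, non-comment line: pattern, optional negation, rule list.
function parseIgnoreFile(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [pattern, ...rest] = line.split(/\s+/);
    const negate = pattern.startsWith('!');
    const rules = rest.join(' ').split(/[\s,]+/).filter(Boolean); // "VC031, VC043" -> ['VC031','VC043']
    entries.push({ pattern, negate, re: globToRegExp(negate ? pattern.slice(1) : pattern), rules });
  }
  return entries;
}

// Whole-file lines: last matching line wins and "!" re-includes the file.
// Rule-list lines accumulate suppressed IDs; the "scanner" wildcard covers every rule.
function decide(entries, filePath) {
  let skipped = false;
  const suppressed = new Set();
  for (const e of entries) {
    if (!e.re.test(filePath)) continue;
    if (e.rules.length === 0) {
      skipped = !e.negate;
    } else {
      for (const r of e.rules) suppressed.add(r === 'scanner' ? '*' : r);
    }
  }
  return { skipped, suppressed };
}

function isSuppressed(entries, filePath, ruleId) {
  const { skipped, suppressed } = decide(entries, filePath);
  return skipped || suppressed.has('*') || suppressed.has(ruleId);
}

// Inline acceptance of one reviewed finding: "// VC<id>-OK: <reason>" on the flagged line.
const INLINE_OK_RE = /\/\/\s*(VC\d+)-OK:\s*(\S.*)$/;
function inlineSuppression(lineText) {
  const m = INLINE_OK_RE.exec(lineText || '');
  return m ? { rule: m[1], reason: m[2].trim() } : null;
}

function filterFindings(entries, findings) {
  return findings.filter((f) => {
    if (isSuppressed(entries, f.file, f.rule)) return false;
    const ok = inlineSuppression(f.lineText);
    return !(ok && ok.rule === f.rule); // the comment must name the rule it accepts
  });
}

// The README's sample file, plus one constructed negation line.
const SAMPLE_IGNORE = `
# Don't scan generated code at all
generated/**
!generated/keep.js

# Allow log-injection (VC044) in internal cron scripts only
scripts/cron/**        VC044

# Silence two rules across all test files
**/*.test.ts           VC031, VC043

# Suppress every rule on a legacy tree (the scanner wildcard)
legacy/**              scanner
`;

// Constructed findings; only four of them should survive the filter.
const SAMPLE_FINDINGS = [
  { file: 'generated/api.js', rule: 'VC001' },
  { file: 'generated/keep.js', rule: 'VC001' },
  { file: 'scripts/cron/rotate.js', rule: 'VC044' },
  { file: 'scripts/cron/rotate.js', rule: 'VC001' },
  { file: 'src/auth.test.ts', rule: 'VC031' },
  { file: 'src/auth.test.ts', rule: 'VC002' },
  { file: 'legacy/old.js', rule: 'VC099' },
  { file: 'src/app.js', rule: 'VC044', lineText: 'logger.info(req.query.q); // VC044-OK: value is allow-listed upstream' },
  { file: 'src/app.js', rule: 'VC003', lineText: 'render(tpl); // VC044-OK: comment names a different rule' },
];

const IGNORE_ENTRIES = parseIgnoreFile(SAMPLE_IGNORE);
for (const f of filterFindings(IGNORE_ENTRIES, SAMPLE_FINDINGS)) {
  console.log(`report ${f.rule} in ${f.file}`);
}
```

Two checks worth keeping in mind when reviewing such a file: a rule-list entry never stops the file from being scanned for everything else, so a finding with a different ID on the same path is still reported, and an inline OK comment only accepts the rule it names, so a stale comment cannot silently hide a different finding on that line.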

Web Dashboard

Scan via the web at xploitscan.com:

  • Drag-and-drop file/ZIP upload
  • GitHub URL scanning
  • Scan history and score trends
  • PDF security reports
  • SOC2/ISO27001 compliance mapping
  • Slack and Discord webhook notifications

Free: 5 scans/day, 30 core rules. Indie ($9/mo): 500 scans/month, all 210 rules, scan history. Pro ($19/mo): unlimited scans, all 210 rules, PDF reports, compliance mapping, webhooks, AI false-positive filter. Team ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 40%.

Supported Languages

JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, Dart, C/C++, and configuration files (Dockerfile, Terraform, Kubernetes, GitHub Actions, .env).

License

MIT -- Cipherline LLC