JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 13
  • Score
    100M100P100Q55781F
  • License MIT

AI-powered security review plugin for pentesting web applications

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@oalacea/guardian) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    Guardian

    License: MIT GitHub release CI

    AI-powered security review plugin for pentesting web applications. Automated vulnerability scanning and remediation with zero configuration.

    Quick Start

    Installation

    # From your project directory
npx @oalacea/guardian

    First run installs the security toolkit (~550-650 MB Docker image, takes 2-3 minutes).

    Production Mode

    For external security testing:

    npx @oalacea/guardian https://example.com

    Usage

    After installation, open your AI coding agent and paste:

    Read .guardian/REVIEW.md and start the security review

    The AI will:

    1. Auto-detect your framework, target URL, and environment
    2. Ask for confirmation
    3. Scan for vulnerabilities
    4. Fix issues directly in your code (dev mode)
    5. Verify each fix
    6. Provide a summary

    This task can take several minutes depending on the complexity of your application and the number of vulnerabilities found.

    What You Need

    • DockerInstall
    • AI coding agent — Claude Code, Cursor, Windsurf, Aider, Codex...

    Included Tools

    The Docker toolkit includes:

    Category Tools
    Recon nmap, subfinder, whatweb, httpx
    Vuln Scanning nuclei, nikto
    Discovery ffuf
    SQL Injection sqlmap
    XSS dalfox
    JWT jwt_tool
    Brute Force hydra
    SSL/TLS testssl.sh
    Wordlists SecLists (Web-Content, DNS, Fuzzing, SQLi, Passwords)

    What It Tests

    • Injection: SQLi, NoSQL, SSTI, XXE, LDAP, Command injection
    • Cross-Site: XSS (reflected, stored, DOM), CSRF, CORS misconfig
    • Server-Side: SSRF, deserialization, path traversal, file upload
    • Auth: Authentication bypass, privilege escalation, IDOR, JWT manipulation
    • Logic: Mass assignment, business logic flaws, race conditions
    • Infrastructure: Subdomain takeover, missing headers, info disclosure
    • DoS: ReDoS, GraphQL deep nesting
    • GraphQL: Introspection, batching, nested query DoS

    Safety

    • Always test against dev/staging first
    • Never test production without written authorization
    • Backup your code (use git)
    • Production mode uses non-destructive tests only

    Troubleshooting

    Rebuild toolkit image

    docker rm -f guardian-tools
docker rmi guardian-tools
npx @oalacea/guardian

    Test tools manually

    docker exec guardian-tools nmap --version
docker exec guardian-tools sqlmap --version

    License

    MIT — Use at your own risk. Only test systems you own or have explicit permission to test.

    Credits

    Inspired by nicefox-secu and AIDA.