Package Exports
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@oalacea/guardian) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
Guardian
AI-powered security review plugin for pentesting web applications. Automated vulnerability scanning and remediation with zero configuration.
Features:
- Multi-framework support: NestJS, Rust, Vite/VoidZero, Express, Fastify, Django, Flask, FastAPI, Go, Spring Boot
- DDoS resistance testing: HTTP flood, Slowloris, connection exhaustion
- Stress testing: Memory leaks, response time benchmarks, CPU monitoring
- OWASP Top 10 2021: 100% coverage
Quick Start
Installation
# From your project directory
npx @oalacea/guardianFirst run installs the security toolkit (~800 MB Docker image, takes 2-3 minutes).
Production Mode
For external security testing:
npx @oalacea/guardian https://example.comUsage
After installation, open your AI coding agent and paste:
Read .guardian/REVIEW.md and start the security reviewThe AI will:
- Auto-detect your framework, target URL, and environment
- Ask for confirmation
- Scan for vulnerabilities
- Fix issues directly in your code (dev mode)
- Verify each fix
- Provide a summary
This task can take several minutes depending on the complexity of your application and the number of vulnerabilities found.
What You Need
- Docker — Install
- AI coding agent — Claude Code, Cursor, Windsurf, Aider, Codex...
Included Tools
The Docker toolkit includes:
| Category | Tools |
|---|---|
| Recon | nmap, subfinder, whatweb, httpx |
| Vuln Scanning | nuclei, nikto |
| Discovery | ffuf |
| SQL Injection | sqlmap |
| XSS | dalfox |
| JWT | jwt_tool |
| Brute Force | hydra |
| SSL/TLS | testssl.sh |
| DDoS/Stress | vegeta, hey, ab (Apache Bench), slowhttptest |
| GraphQL | graphqlmap |
| Rust Security | cargo-audit, cargo-deny |
| Wordlists | SecLists (Web-Content, DNS, Fuzzing, SQLi, Passwords, DDoS) |
What It Tests
Framework-Specific
- NestJS: Guard bypass, pipe injection, GraphQL introspection, WebSocket auth, throttler bypass
- Rust: Unsafe blocks, integer overflow, Serde RCE, actix/axum vulnerabilities, cargo-audit
- Vite/VoidZero: HMR injection, source map leaks, dependency pre-bundling, env var leakage
- Node.js: Prototype pollution, ReDoS, dependency confusion
General Vulnerabilities
- Injection: SQLi, NoSQL, SSTI, XXE, LDAP, Command injection
- Cross-Site: XSS (reflected, stored, DOM), CSRF, CORS misconfig
- Server-Side: SSRF, deserialization, path traversal, file upload
- Auth: Authentication bypass, privilege escalation, IDOR, JWT manipulation
- Logic: Mass assignment, business logic flaws, race conditions
- Infrastructure: Subdomain takeover, missing headers, info disclosure
- DoS: ReDoS, GraphQL deep nesting, HTTP flood, Slowloris, connection exhaustion
- DDoS: Rate limit bypass, connection pool exhaustion, slow attacks
- Stress: Memory leaks, response time benchmarks, CPU usage, error rates
OWASP Top 10 2021
- 100% coverage including insecure design, vulnerable components, and logging failures
Safety
- Always test against dev/staging first
- Never test production without written authorization
- Backup your code (use git)
- Production mode uses non-destructive tests only
Troubleshooting
Rebuild toolkit image
docker rm -f guardian-tools
docker rmi guardian-tools
npx @oalacea/guardianTest tools manually
docker exec guardian-tools nmap --version
docker exec guardian-tools sqlmap --versionLicense
MIT — Use at your own risk. Only test systems you own or have explicit permission to test.
Credits
Inspired by nicefox-secu and AIDA.