JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 194
  • Score
    100M100P100Q98825F
  • License MIT

CodeSlick CLI tool for pre-commit security scanning

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (codeslick-cli) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    @codeslick/cli

    CodeSlick CLI - Pre-commit security scanner for JavaScript, TypeScript, Python, and Java.

    Catch security vulnerabilities before they enter your codebase with automated pre-commit scanning.

    Features

    • Local Security Scanning - No API calls required, fully offline
    • Pre-commit Hook Integration - Automatically scans staged files before each commit
    • Fast Analysis - <3s for 10 files using CodeSlick's analyzer engine
    • Multi-language Support - JavaScript, TypeScript, Python, Java
    • Configurable Thresholds - Block commits on CRITICAL, HIGH, MEDIUM, or LOW severity
    • Beautiful Terminal Output - Color-coded results with CVSS scores and fix suggestions
    • CI/CD Ready - JSON output mode for automation
    • OWASP Top 10:2025 Compliant - 268 comprehensive security checks

    Installation

    Option 1: Use npx (Recommended - No Installation Required)

    Run CodeSlick directly without installation:

    npx codeslick-cli --help
npx codeslick-cli init
npx codeslick-cli scan

    Benefits:

    • ✅ No permission issues
    • ✅ Always runs latest version
    • ✅ Works on all systems
    • ✅ No global pollution

    Option 2: Global Installation

    npm install -g codeslick-cli

    After installation, you can use either codeslick or the shorter alias cs:

    codeslick --version
# or
cs --version

    Both commands work identically. Use cs for faster typing!

    Note: On macOS/Linux, you may encounter permission errors. See Troubleshooting for solutions.

    Option 3: Local Installation (Per Project)

    npm install --save-dev codeslick-cli
npx codeslick-cli init

    Quick Start

    1. Initialize CodeSlick in Your Repository

    cd your-project/
npx codeslick-cli init
# or if you installed globally:
codeslick init  # or: cs init

    This will:

    • Create .codeslick.json configuration file
    • Install pre-commit hook
    • Configure automatic scanning

    2. Configure Severity Threshold (Optional)

    cs config set severity critical  # Block only CRITICAL issues
cs config set severity high      # Block HIGH+ issues (recommended)
cs config set severity medium    # Block MEDIUM+ issues (default)

    3. Commit as Usual

    git add .
git commit -m "Add new feature"

    CodeSlick will automatically scan staged files. If vulnerabilities are found that meet your severity threshold, the commit will be blocked.

    Commands

    codeslick init

    Initialize CodeSlick in your repository.

    Usage:

    codeslick init [options]

    Options:

    • --force, -f - Force re-initialization (overwrite existing config)
    • --severity, -s <level> - Set default severity threshold (critical|high|medium|low)

    Examples:

    codeslick init                    # Initialize with defaults
codeslick init --force            # Overwrite existing configuration
codeslick init --severity high    # Initialize with HIGH severity threshold

    codeslick scan

    Scan files for security vulnerabilities.

    Usage:

    codeslick scan [files...] [options]

    Options:

    • --staged - Scan only staged files (for pre-commit hooks)
    • --severity, -s <level> - Override severity threshold (critical|high|medium|low)
    • --fix - Auto-apply fixes where possible (experimental)
    • --json - Output results as JSON (for CI/CD)

    Examples:

    codeslick scan                    # Scan all files
codeslick scan --staged           # Scan staged files only
codeslick scan src/**/*.js        # Scan specific files/patterns
codeslick scan --json             # JSON output (for CI/CD)
codeslick scan --severity high    # Temporarily override threshold

    codeslick config

    Manage CodeSlick configuration.

    Usage:

    codeslick config <action> [key] [value]

    Actions:

    • list - Display all configuration values
    • get <key> - Get a specific configuration value
    • set <key> <value> - Set a configuration value

    Configuration Keys:

    • severity - Severity threshold (critical|high|medium|low)
    • autofix - Enable/disable auto-fix (true|false)
    • languages - Comma-separated list of languages
    • exclude - Comma-separated list of exclude patterns

    Examples:

    codeslick config list                        # Show all config
codeslick config get severity                # Get current severity
codeslick config set severity critical       # Set severity to CRITICAL only
codeslick config set autofix true            # Enable auto-fix
codeslick config set languages js,ts,py      # Enable only JS, TS, Python

    Command Aliases

    For faster typing, use cs instead of codeslick:

    Long Command Short Alias Description
    codeslick init cs init Initialize CodeSlick
    codeslick scan cs scan Scan files
    codeslick config cs config Manage config
    codeslick auth cs auth Authenticate
    codeslick --help cs --help Show help
    codeslick --version cs --version Show version

    Examples:

    # All of these are equivalent:
codeslick scan --staged
cs scan --staged

codeslick config set severity high
cs config set severity high

codeslick init --force
cs init --force

    Both commands work identically - choose whichever you prefer!

    Configuration

    The .codeslick.json file controls how CodeSlick scans your code.

    Default Configuration

    {
  "version": "1.0",
  "severity": "critical",
  "autofix": false,
  "exclude": [
    "node_modules/**",
    "dist/**",
    "build/**",
    "coverage/**",
    "**/*.test.{js,ts}",
    "**/*.spec.{js,ts}",
    "**/test/**",
    "**/tests/**"
  ],
  "languages": ["javascript", "typescript", "python", "java"]
}

    Configuration Reference

    Key Type Default Description
    version string "1.0" Configuration version (do not modify)
    severity string "critical" Severity threshold: critical, high, medium, low
    autofix boolean false Enable auto-fix (experimental)
    exclude string[] See above Glob patterns to exclude from scanning
    languages string[] All Languages to scan: javascript, typescript, python, java

    Severity Thresholds

    Threshold Blocks On Use Case
    critical CRITICAL only Minimum protection (fastest)
    high CRITICAL + HIGH Recommended for most projects
    medium CRITICAL + HIGH + MEDIUM Strict security requirements
    low All issues Maximum security (slowest)

    Security Checks

    CodeSlick CLI uses the same analysis engine as the GitHub App and WebTool.

    Coverage by Language

    Language Security Checks Key Detections
    JavaScript 28 checks SQL injection, XSS, eval(), dangerous APIs
    TypeScript 56 checks Type errors, property validation, AI code
    Python 47 checks Django/Flask security, pickle, exec(), secrets
    Java 32 checks Log4j, Spring Security, SQL injection, deserialization

    Total: 268 comprehensive security checks

    OWASP Top 10:2025 Compliance

    CodeSlick CLI is 95% compliant with OWASP Top 10:2025:

    • A01:2025 - Broken Access Control
    • A02:2025 - Cryptographic Failures
    • A03:2025 - Injection
    • A04:2025 - Insecure Design
    • A05:2025 - Security Misconfiguration
    • A06:2025 - Vulnerable and Outdated Components
    • A07:2025 - Identification and Authentication Failures
    • A08:2025 - Software and Data Integrity Failures
    • A09:2025 - Security Logging and Monitoring Failures
    • A10:2025 - Server-Side Request Forgery (SSRF)

    CI/CD Integration

    Use CodeSlick CLI in your CI/CD pipeline with JSON output mode.

    GitHub Actions

    name: Security Scan
on: [push, pull_request]

jobs:
  codeslick:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
      - run: npx codeslick-cli scan --json > results.json
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: codeslick-results
          path: results.json

    GitLab CI

    codeslick:
  image: node:18
  script:
    - npx codeslick-cli scan --json > results.json
  artifacts:
    when: always
    paths:
      - results.json

    Jenkins

    pipeline {
  agent any
  stages {
    stage('Security Scan') {
      steps {
        sh 'npx codeslick-cli scan --json > results.json'
      }
    }
  }
  post {
    always {
      archiveArtifacts artifacts: 'results.json'
    }
  }
}

    Skipping the Pre-commit Hook

    If you need to commit without scanning (not recommended):

    git commit --no-verify -m "Emergency hotfix"

    Or temporarily disable:

    rm .git/hooks/pre-commit
# Make your commits
codeslick init --force  # Re-install hook

    Troubleshooting

    "Not a git repository" error

    Problem: Running codeslick init in a non-git directory.

    Solution: Initialize git first:

    git init
codeslick init

    "No staged files found" error

    Problem: Running codeslick scan --staged with no staged files.

    Solution: Stage files first:

    git add <files>
codeslick scan --staged

    Pre-commit hook not running

    Problem: Hook installed but not executing.

    Solution: Ensure hook is executable (Unix):

    chmod +x .git/hooks/pre-commit

    Solution: Re-install hook:

    codeslick init --force

    "EACCES: permission denied" error on macOS/Linux

    Problem: Permission denied when installing globally:

    npm error code EACCES
npm error syscall mkdir
npm error path /usr/local/lib/node_modules/codeslick-cli

    ✅ Solution 1 - Use npx (Recommended - No installation needed):

    npx codeslick-cli --help
npx codeslick-cli init
npx codeslick-cli scan

    Solution 2 - Fix npm permissions (Best long-term):

    mkdir ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.zshrc
source ~/.zshrc
npm install -g codeslick-cli

    Solution 3 - Use sudo (Not recommended):

    sudo npm install -g codeslick-cli

    "Command not found: codeslick" error

    Problem: CLI not installed globally or not in PATH.

    Solution: Install globally:

    npm install -g codeslick-cli

    Solution: Use npx (no install required):

    npx codeslick-cli init
npx codeslick-cli scan

    Slow scanning performance

    Problem: Scanning takes >5s for small projects.

    Solution: Exclude unnecessary directories:

    codeslick config set exclude "node_modules/**,dist/**,coverage/**"

    Too many false positives

    Problem: Legitimate code flagged as vulnerable.

    Solution: Adjust severity threshold:

    codeslick config set severity high  # Only block HIGH+ issues

    Solution: Exclude specific files:

    codeslick config set exclude "test/**,migrations/**"

    Performance

    Typical scan times on a 2020 MacBook Pro:

    Files Languages Time
    10 Mixed <3s
    50 Mixed <10s
    100 Mixed <20s
    500 Mixed <60s

    Comparison with Alternatives

    Tool Local Scanning Pre-commit Hook Offline Languages OWASP 2025
    CodeSlick CLI 4 95%
    Snyk CLI ❌ (API required) Many Partial
    SonarLint CLI Many Partial
    Semgrep Many Partial
    ESLint JS/TS only No

    Contributing

    We welcome contributions! Please see CONTRIBUTING.md for guidelines.

    License

    MIT License - see LICENSE for details.

    Support

    Roadmap

    v1.1 (Q2 2026)

    • Auto-fix support (--fix flag)
    • Custom rule configuration
    • IDE integration (VS Code extension)

    v1.2 (Q3 2026)

    • SBOM generation
    • SARIF output format
    • Team collaboration features

    Made with ❤️ by CodeSlick https://codeslick.dev