Package Exports
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (nicefox-secu) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
NiceFox Secu
AI-powered security review for web developers. Find vulnerabilities, fix them in your code, verify the fixes — all in one session.
Zero security experience needed. Works with any AI coding agent: Claude Code, Codex, opencode, Cursor, Kimi, aider...
Based on the AIDA methodology.
Quick Start
1. Run NiceFox Secu
From your project directory:
npx nicefox-secuOn first run, this builds the security toolkit (~1GB Docker image, takes ~2-3 min once).
2. Start the Security Review
Open your AI coding agent and paste:
Read ~/.nicefox/REVIEW.md and start the security reviewThe AI will:
- Auto-detect your framework, target URL, and environment (dev/prod)
- Ask you to confirm — one question instead of a setup wizard
- Review your app (recon, endpoint mapping, vulnerability testing)
- Fix each vulnerability directly in your source code
- Verify each fix by re-testing
- Print a summary of what was found and fixed
What You Need
- Docker — https://docs.docker.com/get-docker/
- An AI coding agent — Claude Code, Codex, opencode, Cursor, Kimi, aider...
That's it.
Example
$ cd ~/projects/my-express-api
$ npx nicefox-secu
NiceFox Secu
AI-powered security review for web developers
✓ Docker is running
✓ Security toolkit image ready
✓ Toolkit container running
✓ Prompt installed
Ready! Open your AI coding agent from your project directory and paste:
Read ~/.nicefox/REVIEW.md and start the security review
$ claude # or opencode, cursor, codex, aider...
> Read ~/.nicefox/REVIEW.md and start the security review
AI: Detected: Express.js project, target http://localhost:3000, dev mode.
Start the security review? (Y/n)
You: Y
AI: [scanning, testing, fixing...]
AI: Found VULN-001: SQL Injection in POST /api/search (CRITICAL)
Fixing src/routes/search.js — parameterized query...
Fix verified.
AI: Found VULN-002: Missing rate limiting on POST /api/login (MEDIUM)
Fixing src/routes/auth.js — adding express-rate-limit...
Fix verified.
AI: Assessment complete.
2 vulnerabilities found, 2 fixed, 0 require manual attention.Environment Modes
Development (auto-detected when target is localhost):
- Aggressive scanning, all exploitation techniques allowed
- AI edits your source code directly to fix vulnerabilities
- Full tool suite
Production (auto-detected when target is a real domain):
- Non-destructive tests only, rate limits respected
- AI documents recommended fixes but does NOT edit code
- Extra caution on risky tests
Included Tools
The security toolkit Docker image ships with:
| Category | Tools |
|---|---|
| Recon | nmap, subfinder |
| Vuln scanning | nuclei |
| Web discovery | ffuf |
| Parameters | arjun |
| SQL injection | sqlmap |
| XSS | dalfox |
| API testing | httpie, curl |
| JWT | jwt_tool |
| Brute force | hydra |
| Wordlists | SecLists (Discovery, Fuzzing, Passwords) |
Safety
- Always test against a dev/staging environment first
- Never test production systems without explicit authorization
- Backup your code before running (or just use git — you do use git, right?)
- The AI will not modify production code — it only documents fixes in prod mode
Troubleshooting
Rebuild the toolkit image
docker rm -f nicefox-tools # Remove container
docker rmi nicefox-tools # Remove image
npx nicefox-secu # Rebuilds from scratchTools not responding
docker exec nicefox-tools nmap --version # Test a tool manuallymacOS / Windows networking
If tools can't reach your local app, the AI will automatically use host.docker.internal instead of localhost — this is handled in the prompt.
License
MIT — Use at your own risk. Only test systems you own or have explicit permission to test.
Credits
Based on AIDA (AI-Driven Security Assessment), simplified for web developers.