JSPM

  • Downloads 140
  • License Apache-2.0

Agentic security scanner for code repos — analyst + primary + secondary agent pipeline over OpenRouter / OpenAI / Anthropic models, with a live Ink terminal UI.

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (probus) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    probus

    Open-source AI vulnerability scanner powered by open models.

    [Image: Probus scanning a repo]

    Probus started as an internal supply chain security scanning tool that proved itself extremely efficient by finding vulnerabilities in top open source packages (e.g. n8n, AI sdk, langraphjs and more). It is now open-source to help developers better secure their codebase & supply chain. Probus' edge lies in its ability to scale its scanning capabilities with open models (by using OpenRouter).

    What it does

    Probus harnesses 3 agents that:

    • [Analyst] Analyze the codebase and pick key files for deep scanning (e.g. entry points, third-party surface, dangerous sinks).
    • [Researcher] Scan each file, dig through its chains of calls, and write raw findings (potential vulnerabilities).
    • [QA] Independently verify each finding, make sure it has a real attack vector, and write a report.

    Quick start

    npm install -g probus
    probus scan ./my-app

    Model providers

    Probus runs most cost-effectively with open models via OpenRouter. It is still possible, however, to use other providers such as OpenAI or Anthropic, albeit at higher cost.

    Usage

    probus scan <repo-path> [--effort low|medium|high] [--primaryModel slug] [--secondaryModel slug] [--provider openai|openrouter|anthropic]
    probus view <repo-path>

    Commands

    Command   What it does
    scan      Full pipeline: analyst → research → qa.
    view      Skip straight to the report browser for a previously-scanned repo.

    --effort

    Controls how many files the analyst targets:

    Effort          Files (approx)
    low (default)   50
    medium          100
    high            500

    --primaryModel / --secondaryModel

    Pass models as <provider>/<model> slugs via --primaryModel and --secondaryModel:

    probus scan ./app --effort medium \
      --primaryModel anthropic/claude-sonnet-4.6 \
      --secondaryModel anthropic/claude-opus-4.7

    Defaults are picked from whichever *_API_KEY env var is set (precedence: OPENROUTER_API_KEY → OPENAI_API_KEY → ANTHROPIC_API_KEY); use --provider to override when multiple keys are present.

    Provider     Primary default                 Secondary default
    openrouter   openrouter/qwen/qwen3.6-plus    openrouter/deepseek/deepseek-v4-pro
    openai       openai/gpt-5.4-mini             openai/gpt-5.4
    anthropic    anthropic/claude-sonnet-4-6     anthropic/claude-opus-4-7

    Cost

    Probus splits work between two models so you only pay premium rates where it matters:

    • Primary (~90% of tokens) — runs on every file. Pick something cheap and fast: qwen3.6, gpt-5.4-mini, sonnet-4.6.
    • Secondary (~10% of tokens) — verifies findings. Pick something smarter: deepseek-v4-pro, gpt-5.4, opus-4.7.

    Each file consumes roughly 1M input tokens. Approximate per-file cost by provider:

    Provider                   Cost / file   vs. open models
    openrouter (open models)   ~$0.50        1× (baseline)
    openai                     ~$1.25        ~2.5×
    anthropic                  ~$5.00        ~10×
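    The provider-selection rule from the --primaryModel / --secondaryModel section and the cost figures above, worked through in one script. This is an added example, not Probus's own code: it resolves the provider from the *_API_KEY precedence (with --provider as an override), fills in the default model slugs from the table, and multiplies the approximate per-effort file count by the approximate per-file cost, splitting it into the ~90/10 primary/secondary token share. The function names, and the check that an overridden provider's key is actually present, are this example's own assumptions.

```javascript
// Added example (not Probus's own code). Resolves provider + default models
// from environment keys as the README describes, and estimates scan cost from
// the README's approximate per-effort file counts and per-file prices.

// Precedence from the README: OPENROUTER > OPENAI > ANTHROPIC.
const PROVIDER_KEY_PRECEDENCE = [
  ["openrouter", "OPENROUTER_API_KEY"],
  ["openai", "OPENAI_API_KEY"],
  ["anthropic", "ANTHROPIC_API_KEY"],
];

// Default model slugs per provider (from the defaults table).
const DEFAULT_MODELS = {
  openrouter: {
    primary: "openrouter/qwen/qwen3.6-plus",
    secondary: "openrouter/deepseek/deepseek-v4-pro",
  },
  openai: { primary: "openai/gpt-5.4-mini", secondary: "openai/gpt-5.4" },
  anthropic: {
    primary: "anthropic/claude-sonnet-4-6",
    secondary: "anthropic/claude-opus-4-7",
  },
};

// Approximate files targeted per --effort level and USD per file per provider.
const EFFORT_FILES = { low: 50, medium: 100, high: 500 };
const COST_PER_FILE_USD = { openrouter: 0.5, openai: 1.25, anthropic: 5.0 };

// Token split between the two models (README: ~90% primary, ~10% secondary).
const PRIMARY_SHARE = 0.9;

function keyFor(provider) {
  const entry = PROVIDER_KEY_PRECEDENCE.find(([p]) => p === provider);
  return entry ? entry[1] : undefined;
}

// Pick the provider: an explicit --provider wins, otherwise the first key in
// precedence order that is set. Requiring the override's key to be present is
// this example's own check, not documented Probus behaviour.
function resolveProvider(env, override) {
  if (override) {
    if (!DEFAULT_MODELS[override]) throw new Error(`unknown provider: ${override}`);
    if (!env[keyFor(override)]) {
      throw new Error(`--provider ${override} set but ${keyFor(override)} is missing`);
    }
    return override;
  }
  for (const [provider, key] of PROVIDER_KEY_PRECEDENCE) {
    if (env[key]) return provider;
  }
  throw new Error("no *_API_KEY set; export OPENROUTER_API_KEY, OPENAI_API_KEY or ANTHROPIC_API_KEY");
}

// Full scan config: explicit --primaryModel / --secondaryModel slugs override
// the provider defaults.
function resolveScanConfig(env, opts = {}) {
  const provider = resolveProvider(env, opts.provider);
  const defaults = DEFAULT_MODELS[provider];
  return {
    provider,
    primaryModel: opts.primaryModel ?? defaults.primary,
    secondaryModel: opts.secondaryModel ?? defaults.secondary,
  };
}

// Rough USD estimate for one scan: files(effort) * cost-per-file(provider),
// split into the primary/secondary share. Secondary is computed as a
// remainder so the two parts always sum exactly to the total.
function estimateScanCostUsd(provider, effort = "low") {
  const files = EFFORT_FILES[effort];
  if (files === undefined) throw new Error(`unknown effort: ${effort}`);
  const perFile = COST_PER_FILE_USD[provider];
  if (perFile === undefined) throw new Error(`unknown provider: ${provider}`);
  const total = files * perFile;
  const primary = total * PRIMARY_SHARE;
  return { files, total, primary, secondary: total - primary };
}

// Usage with a constructed environment (the key value is a placeholder).
const demoEnv = { OPENROUTER_API_KEY: "sk-or-v1-PLACEHOLDER" };
console.log(resolveScanConfig(demoEnv));
console.log(estimateScanCostUsd(resolveProvider(demoEnv), "medium"));
```

    The estimate is deliberately coarse: the README's "~1M input tokens per file" and the per-file prices are approximations, so treat the output as a budget sanity check before running a high-effort scan against a paid provider, not as a bill.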

    Contributing

    PRs welcome. See CONTRIBUTING.md for dev setup, scripts, and conventions.

    Development

    Local dev

    git clone https://github.com/ItayRosen/Probus
    cd probus
    nvm use && npm install
    export OPENROUTER_API_KEY=sk-or-v1-...
    npm run dev -- scan ../some-repo

    Architecture

    ┌────────────┐   files[]   ┌──────────────┐  findings[]  ┌───────────┐
    │  Analyst   │────────────▶│   Primary    │─────────────▶│ Secondary │
    │  (1 call)  │             │  (per file)  │              │ (per file)│
    └────────────┘             └──────────────┘              └─────┬─────┘
                                                                   │
                                                                   ▼
                                                           reports/*.md

    All three run as isolated query() sessions through the Claude Agent SDK, each with its own filesystem sandbox scoped to the repo being scanned.

    Output layout

    output/<repo-slug>/
    ├── analysis.json           # file list picked by the analyst
    ├── findings/
    │   └── src__foo__bar.ts.json   # per-file findings (verified + unverified)
    ├── reports/
    │   └── src__foo__bar.ts--1.md  # one Markdown report per verified finding
    ├── debug/
    │   └── src__foo__bar.ts.log    # full agent transcript per file
    └── processed-files.txt     # cache so reruns skip finished files

    <repo-slug> is <basename>-<sha1(abspath)[:8]>, so two repos that share a directory name never collide in the output tree.

    License

    Apache 2.0 — see LICENSE.