Package Exports
- securascan
- securascan/cli.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (securascan) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
🛡️ SecuraScan
AI-powered security scanner that analyses codebases for OWASP Top 10 vulnerabilities using LLMs.
Quick Start
# Run directly with npx (no install needed)
npx securascan config --provider anthropic --model claude-haiku-4-5-20251001 --key sk-ant-xxx
npx securascan scan ./my-project --output report.json
# Or install globally
npm i -g securascan
securascan scan . --verboseFeatures
- 12 specialist security agents — secrets, SQLi, XSS, auth, injection, IDOR, misconfig, crypto, logging, PII logging, exception handling
- AI orchestrator — analyses your codebase and decides which agents to run
- Multi-provider — supports Anthropic, OpenAI, and Google Gemini
- Dual mode —
basic(fast, lightweight) oradvanced(deep analysis) - Rate limited — sequential execution, 1 LLM call at a time
- HTML reports — styled vulnerability report with risk scoring
Setup
Option 1: Environment variable
export ANTHROPIC_API_KEY=sk-ant-...
# or
export OPENAI_API_KEY=sk-...
# or
export GEMINI_API_KEY=AIzaSy...Option 2: Config command
securascan config --provider anthropic --model claude-haiku-4-5-20251001 --key sk-ant-xxxOption 3: .env file in your project
ANTHROPIC_API_KEY=sk-ant-...Usage
# Configure provider and model
securascan config --provider anthropic --model claude-haiku-4-5-20251001
# Scan a local directory
securascan scan .
# Advanced mode (deeper analysis)
securascan scan ./my-project --mode advanced
# Save JSON + HTML report
securascan scan . --output report.json
# Verbose output
securascan scan . --verbose
# Scan a GitHub repo
securascan scan-github https://github.com/owner/repo
# Scan a ZIP file
securascan scan-zip ./project.zip
# Check config
securascan statusCommands
| Command | Description |
|---|---|
config |
Configure provider, model, and API key |
scan <path> |
Scan a local directory |
scan-github <url> |
Scan a GitHub repository |
scan-zip <file> |
Scan a ZIP archive |
status |
Show current configuration |
help |
Show help message |
Options
| Flag | Description |
|---|---|
--provider <name> |
anthropic, openai, or gemini |
--model <name> |
Model name (e.g. claude-haiku-4-5-20251001, gpt-4o, gemini-2.0-flash) |
--key <key> |
API key (stored in local config) |
--mode <mode> |
basic (default) or advanced |
--output, -o <file> |
Save JSON + HTML report |
--html <file> |
Save HTML report only |
--json |
Output raw JSON to stdout |
--verbose, -v |
Show detailed progress |
How It Works
1. INGESTION → Reads and filters source files (max 40 files, 150KB)
2. ORCHESTRATOR → LLM analyses code, picks relevant agents (1 API call)
3. AGENTS → Each agent scans for specific vulnerabilities (1 call each, sequential)
4. REPORT → Aggregates findings, calculates risk score (0 API calls)
5. OUTPUT → Terminal summary + JSON + styled HTML reportTotal API calls: 1 (orchestrator) + N (agents selected) — typically 4-12 calls per scan.
Supported Providers
| Provider | Recommended Model | Cost |
|---|---|---|
| Anthropic | claude-haiku-4-5-20251001 |
Budget |
| Anthropic | claude-sonnet-4-20250514 |
Balanced |
| OpenAI | gpt-4o |
Balanced |
| Gemini | gemini-2.0-flash |
Free tier available |
License
MIT