
CLI tool for HIPAA compliance scanning and reporting

Package Exports

  • verification-layer

Readme

vlayer - HIPAA Compliance Scanner

Automated security scanning for healthcare applications. Detect PHI exposure, fix vulnerabilities, and generate audit-ready compliance reports.



What is vlayer?

vlayer is a CLI tool that scans your codebase for HIPAA compliance issues. It's designed for healthcare startups and developers building applications that handle Protected Health Information (PHI).

Key capabilities:

  • Scan for 50+ security vulnerabilities and PHI exposure patterns
  • Auto-fix common issues with one command
  • Generate professional audit reports (HTML, PDF, JSON)
  • Detect your tech stack and provide tailored recommendations
  • Create cryptographic audit trails for compliance documentation
  • Professional suppression system with inline comments and justifications
  • Baseline support to focus on new findings while tracking existing issues
  • Confidence levels for progressive strictness adoption

Quick Start

# Install
npm install
npm run build

# Scan a project
node dist/cli.js scan /path/to/your/project

# Generate HTML report
node dist/cli.js scan /path/to/project -f html -o report.html

# Auto-fix issues
node dist/cli.js scan /path/to/project --fix

# Generate audit PDF
node dist/cli.js audit /path/to/project --generate-report

Suppression & Baseline

Inline Suppressions

Suppress specific findings with inline comments (justification required):

// vlayer-ignore phi-ssn-hardcoded -- Test data for unit tests
const testSSN = "123-45-6789";
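The suppression format above, worked through as an added example that is not vlayer's own code: a minimal scanner for the single rule phi-ssn-hardcoded that honours `// vlayer-ignore <rule-id> -- <justification>` on the preceding line and, because a justification is required, refuses to suppress when it is missing. The regex grammar and the sample source are assumptions.

```javascript
// Added example (not vlayer's own code): a minimal scanner for one rule,
// phi-ssn-hardcoded, that honours vlayer-style inline suppressions. The comment
// grammar is assumed from the README example:
//   // vlayer-ignore <rule-id> -- <justification>
// A suppression without a justification is invalid and ignored, so the
// finding is still reported.

const SSN_PATTERN = /\b\d{3}-\d{2}-\d{4}\b/;
const SUPPRESS_PATTERN = /^\s*\/\/\s*vlayer-ignore\s+([\w-]+)(?:\s+--\s*(.*))?\s*$/;

// Parse a suppression comment; returns null when the line is not one.
function parseSuppression(line) {
  const m = SUPPRESS_PATTERN.exec(line);
  if (!m) return null;
  const justification = (m[2] || '').trim();
  return { rule: m[1], justification, valid: justification.length > 0 };
}

// Report every hardcoded SSN; a finding is suppressed only when the line
// directly above carries a valid suppression naming this rule id.
function scanForSsn(source) {
  const lines = source.split('\n');
  const findings = [];
  lines.forEach((text, idx) => {
    if (!SSN_PATTERN.test(text)) return;
    const prev = idx > 0 ? parseSuppression(lines[idx - 1]) : null;
    const suppressed = !!prev && prev.valid && prev.rule === 'phi-ssn-hardcoded';
    findings.push({
      rule: 'phi-ssn-hardcoded',
      line: idx + 1,
      suppressed,
      justification: suppressed ? prev.justification : null,
    });
  });
  return findings;
}

// Findings that still need attention after suppressions are applied.
function activeFindings(source) {
  return scanForSsn(source).filter((f) => !f.suppressed);
}

// Constructed sample: a valid suppression, one missing its justification,
// and an unsuppressed SSN literal.
const SAMPLE_SOURCE = [
  '// vlayer-ignore phi-ssn-hardcoded -- Test data for unit tests',
  'const testSSN = "123-45-6789";',
  '// vlayer-ignore phi-ssn-hardcoded',
  'const badSuppression = "987-65-4321";',
  'const leaked = "111-22-3333";',
].join('\n');
```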

Baseline for Existing Codebases

Generate a baseline to track existing findings without blocking progress:

# Generate baseline from current state
node dist/cli.js baseline . -o .vlayer-baseline.json

# Scan with baseline (only NEW findings cause failures)
node dist/cli.js scan . --baseline .vlayer-baseline.json

Confidence Levels

Filter findings by confidence level for progressive adoption:

# Only fail on high-confidence findings
node dist/cli.js scan . --min-confidence high
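The baseline and confidence-level behaviour described in the two sections above, as an added example that is not vlayer's own code: findings are fingerprinted by rule, file and offending code rather than line number, only findings absent from the baseline and at or above the minimum confidence are reported, and the exit code follows the README's convention (1 when a critical finding remains). The finding shape, the fingerprint scheme and the rule ids in the sample data are assumptions; vlayer's real baseline file format is not documented here.

```javascript
// Added example (not vlayer's own code): gating a scan with a baseline and a
// minimum confidence level. The finding shape, the fingerprint scheme and the
// rule ids in the sample data are assumptions; vlayer's real baseline file
// format is not documented on this page.

const CONFIDENCE_RANK = { low: 0, medium: 1, high: 2 };

// Fingerprint by rule, file and offending code, deliberately NOT by line
// number, so edits that only shift lines do not turn old findings into new ones.
function fingerprint(f) {
  return `${f.rule}|${f.file}|${f.code.trim()}`;
}

// A baseline is the set of fingerprints present when it was generated.
function buildBaseline(findings) {
  return { fingerprints: [...new Set(findings.map(fingerprint))] };
}

// Keep only findings that are new relative to the baseline and at or above the
// minimum confidence. Exit code follows the README: 1 if any critical remains.
function gateFindings(findings, baseline, minConfidence = 'low') {
  const threshold = CONFIDENCE_RANK[minConfidence];
  if (threshold === undefined) throw new Error(`unknown confidence: ${minConfidence}`);
  const known = new Set(baseline ? baseline.fingerprints : []);
  const failing = findings.filter(
    (f) => !known.has(fingerprint(f)) && CONFIDENCE_RANK[f.confidence] >= threshold,
  );
  return { failing, exitCode: failing.some((f) => f.severity === 'critical') ? 1 : 0 };
}

// Constructed sample scans: the second run has the same two findings (one
// moved by ten lines) plus one genuinely new low-confidence critical.
const BASELINE_SCAN = [
  { rule: 'sql-injection', file: 'src/api/users.ts', line: 45,
    code: 'query(`SELECT * FROM users WHERE id = ${id}`)', severity: 'critical', confidence: 'high' },
  { rule: 'phi-in-console-log', file: 'src/utils/logger.ts', line: 12,
    code: 'console.log(patient)', severity: 'medium', confidence: 'medium' },
];
const TODAY_SCAN = [
  { ...BASELINE_SCAN[0], line: 55 },
  { ...BASELINE_SCAN[1], line: 12 },
  { rule: 'hardcoded-password', file: 'src/db.ts', line: 3,
    code: 'password: "hunter2"', severity: 'critical', confidence: 'low' },
];
```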

Features

1. Vulnerability Detection

Scans for 50+ security patterns across 5 HIPAA compliance categories:

Category          What it detects
PHI Exposure      SSN/MRN in code, PHI in logs, localStorage, URLs
Encryption        Weak crypto (MD5, DES), disabled SSL/TLS, HTTP URLs
Access Control    SQL injection, XSS, CORS wildcards, hardcoded credentials
Audit Logging     Missing logging framework, unlogged PHI operations
Data Retention    Bulk deletes without audit, missing retention policies

All detection patterns:

PHI Exposure (18 patterns)

  • Social Security Numbers (XXX-XX-XXXX)
  • Medical Record Numbers (MRN patterns)
  • Date of Birth handling
  • Diagnosis codes (ICD-10)
  • PHI in console.log statements
  • PHI in localStorage/sessionStorage
  • Patient data in URLs
  • Unencrypted patient contact info

Security Vulnerabilities (20+ patterns)

  • Hardcoded passwords and secrets
  • API keys (generic, Stripe, AWS)
  • Database URIs with credentials
  • SQL injection (template literals & concatenation)
  • innerHTML without sanitization
  • eval() and Function constructor
  • dangerouslySetInnerHTML in React

Infrastructure Issues

  • HTTP URLs for PHI transmission
  • Disabled SSL/TLS verification
  • CORS wildcard origins
  • Sessions without expiration
  • Missing authentication checks

2. Auto-Fix (--fix)

Automatically remediate common vulnerabilities:

node dist/cli.js scan ./my-app --fix

Issue                 Auto-Fix Applied
SQL injection         Convert to parameterized query: query('SELECT * FROM users WHERE id = ?', [id])
Hardcoded password    Replace with process.env.PASSWORD
Hardcoded API key     Replace with process.env.API_KEY
HTTP URL              Upgrade to HTTPS
innerHTML             Replace with textContent
PHI in console.log    Comment out with review marker

Example output:

✔ Scan complete. Found 29 issues.
✔ Applied 8 automatic fixes.

Changes by file:
  src/api/users.ts
    Line 45: SQL injection → parameterized query
    Line 89: Hardcoded password → process.env.DB_PASSWORD
  src/utils/logger.ts
    Line 12: PHI in console.log → commented out

3. Stack Detection

vlayer automatically detects your tech stack and provides personalized code examples:

Stack detected:
  Framework: Next.js
  Database: Supabase
  Auth: Supabase Auth

Supported technologies:

Type          Detected
Frameworks    Next.js, React, Vue, Nuxt, Angular, Express, Fastify, NestJS
Databases     Supabase, Firebase, PostgreSQL, MySQL, MongoDB, Prisma, Drizzle
Auth          NextAuth, Supabase Auth, Firebase Auth, Auth0, Clerk, Passport

Stack-specific recommendations include:

  • Next.js + Supabase: Server Components for PHI, Row Level Security (RLS), middleware protection
  • Express + PostgreSQL: express-session with Redis, parameterized queries
  • React + Firebase: Firestore Security Rules, Admin SDK for PHI

4. Remediation Guides

Each finding includes a detailed remediation guide with:

  • HIPAA Impact: Why this matters for compliance
  • Multiple fix options: Different approaches with trade-offs
  • Code examples: Copy-paste ready solutions
  • Documentation links: Official resources

The guides are personalized to your stack - if you're using Supabase, you'll see Supabase-specific code examples, not generic SQL.


5. Audit Trail & PDF Reports

Generate compliance documentation with cryptographic verification:

# Run scan with fixes (creates audit trail)
node dist/cli.js scan ./my-app --fix

# Generate PDF report
node dist/cli.js audit ./my-app --generate-report --org "Healthcare Inc" --auditor "Jane Smith"

Audit trail includes:

For auto-fixed issues:

  • Code before & after
  • SHA256 file hashes
  • Timestamp of change
  • HIPAA reference resolved

For manual review items:

  • Status: "Pending human review"
  • Assigned responsible party
  • Suggested deadline by severity
  • Full finding details

PDF Report sections:

  1. Cover Page - Project info, scan statistics
  2. Executive Summary - Remediation rate, risk breakdown
  3. Fix Evidence - Cryptographic proof of each change
  4. Manual Reviews - Pending items with deadlines
  5. Verification Page - Report hash, signature fields

Report Examples

HTML Report

The HTML report includes:

  • Summary cards with severity counts
  • Stack detection section with tailored recommendations
  • Each finding with code context and line highlighting
  • Expandable remediation guides with code examples
  • Auto-fixable badge on issues that can be fixed automatically

JSON Report

Machine-readable format for CI/CD integration:

{
  "summary": {
    "total": 29,
    "critical": 8,
    "high": 12,
    "medium": 6,
    "low": 3
  },
  "stack": {
    "framework": "nextjs",
    "database": "supabase",
    "auth": "supabase-auth"
  },
  "findings": [...]
}

Configuration

Create .vlayerrc.json in your project root:

{
  "exclude": ["**/*.test.ts", "**/__mocks__/**"],
  "ignorePaths": ["sample-data", "fixtures"],
  "safeHttpDomains": ["my-internal-cdn.com"],
  "contextLines": 3,
  "categories": ["phi-exposure", "encryption", "access-control"]
}

Option            Description                       Default
exclude           Glob patterns to skip             []
ignorePaths       Path substrings to ignore         []
safeHttpDomains   HTTP domains to allow (CDNs)      Built-in list
contextLines      Lines of context in reports       2
categories        Categories to scan                All

CLI Reference

# Basic scan
vlayer scan <path>

# Scan options
vlayer scan <path> -f html -o report.html    # HTML report
vlayer scan <path> -f markdown -o report.md  # Markdown report
vlayer scan <path> -c phi-exposure encryption # Specific categories
vlayer scan <path> --fix                      # Auto-fix issues

# Audit commands
vlayer audit <path> --summary                 # View audit summary
vlayer audit <path> --generate-report         # Generate PDF
vlayer audit <path> --generate-report --text  # Generate text instead
vlayer audit <path> --generate-report --org "Company" --auditor "Name"

Exit codes:

  • 0 - No critical issues
  • 1 - Critical issues found (useful for CI/CD)

HIPAA References

Each finding maps to specific HIPAA regulations:

Reference             Requirement
§164.502, §164.514    PHI disclosure and de-identification
§164.312(a)(1)        Access control mechanisms
§164.312(a)(2)(iv)    Encryption and decryption
§164.312(b)           Audit controls
§164.312(d)           Person or entity authentication
§164.312(e)(1)        Transmission security
§164.530(j)           Documentation retention (6 years)

Roadmap

Coming Soon

  • GitHub Action for CI/CD integration
  • Automated npm releases with semantic-release
  • Dependabot for dependency updates
  • VS Code extension with inline warnings
  • Slack/Teams notifications for new findings
  • Custom rule definitions (YAML)

Planned

  • HITRUST CSF mapping
  • SOC 2 compliance checks
  • AWS/GCP/Azure infrastructure scanning
  • Team dashboard with trend tracking
  • Jira/Linear integration for issue tracking

Future

  • AI-powered fix suggestions
  • Dependency vulnerability scanning
  • Runtime PHI detection agent
  • Compliance certification workflows

Contributing

Contributions are welcome! Please read our contributing guidelines before submitting PRs.

# Development
npm install
npm run dev      # Watch mode
npm run test     # Run tests
npm run lint     # Lint code

License

MIT License - see LICENSE for details.


Built for healthcare developers who take compliance seriously.