Package Exports

verification-layer

Readme

vlayer - HIPAA Compliance Scanner

Automated security scanning for healthcare applications. Detect PHI exposure, fix vulnerabilities, and generate audit-ready compliance reports.

What is vlayer?

vlayer is a CLI tool that scans your codebase for HIPAA compliance issues. It's designed for healthcare startups and developers building applications that handle Protected Health Information (PHI).

Key capabilities:

Scan for 50+ security vulnerabilities and PHI exposure patterns
AI Agent Skills scanner - First HIPAA-focused scanner for SKILL.md files (Claude Code, MCP, Cursor)
AI-powered analysis with Claude API for complex violations and false positive reduction
Auto-fix common issues with one command
Generate professional audit reports (HTML, PDF, JSON)
Detect your tech stack and provide tailored recommendations
Create cryptographic audit trails for compliance documentation
Professional suppression system with inline comments and justifications
Baseline support to focus on new findings while tracking existing issues
Confidence levels for progressive strictness adoption

Quick Start

# Install
npm install
npm run build

# Scan a project
node dist/cli.js scan /path/to/your/project

# Generate HTML report
node dist/cli.js scan /path/to/project -f html -o report.html

# Auto-fix issues
node dist/cli.js scan /path/to/project --fix

# Check compliance score
node dist/cli.js score /path/to/project

# Generate auditor-ready report
node dist/cli.js report /path/to/project -o audit-report.html

# Scan AI Agent Skills (NEW!)
node dist/cli.js skill-scan ~/Downloads/patient-lookup.SKILL.md

🛡️ AI Agent Skills Security Scanner

vlayer is the first HIPAA-focused security scanner for AI Agent Skills.

Protect your healthcare environment from malicious skills before installation:

# Scan before installing any skill
vlayer skill-scan ~/Downloads/patient-exporter.SKILL.md

# Scan all skills in directory
vlayer skill-scan ~/.claw/skills/

# CI/CD integration
vlayer skill-scan ./custom-skills/ || exit 1

The Problem

36.82% of AI Agent Skills have security flaws (Snyk, Feb 2026)
341 malicious skills distribute Atomic Stealer malware
283 skills expose credentials in plaintext
Zero existing scanners have HIPAA-specific rules

What It Detects

✅ PHI exposure (SSN, MRN, DOB in examples)
✅ Hardcoded credentials (API keys, passwords)
✅ Malicious patterns (reverse shells, data exfiltration)
✅ HIPAA violations (HTTP transmission, no audit logging)

Example Output

🚨 Critical: 7  |  ⚠️ High: 14  |  ⚡ Medium: 1

Issues:
  PHI Exposure: 8
  Credential Leaks: 1
  Data Exfiltration: 1

❌ DO NOT INSTALL THIS SKILL
   Critical HIPAA violations detected.

📖 Full Documentation

🌐 VLayer Ecosystem

Dashboard: https://app.vlayer.app - Compliance monitoring platform Playground: https://play.vlayer.app - Try vlayer in your browser Documentation: https://docs.vlayer.app - Complete guides and API reference Landing Page: https://vlayer.app - Marketing site

Enterprise-grade HIPAA compliance monitoring platform for tracking violations, compliance scores, and generating audit reports.

Design

Professional Enterprise UI:

🎨 Dark Navy Theme - Professional color palette (#0A1628, #0F172A) with emerald/teal accents
📐 Fixed Sidebar Navigation - Icon-based menu with VLayer branding and system status
💎 Glassmorphism Effects - Gradient cards with subtle shadows and transparency
🎯 Circular Progress Gauges - Animated SVG gauges for compliance scores (0-100)
🏷️ Status Badges - Color-coded indicators (Compliant/At Risk/Critical)
⚡ Smooth Transitions - Hover effects and state changes with professional animations

Features

🔐 Supabase Authentication - Secure email/password authentication with session management
📊 Visual Compliance Dashboard - 4-metric overview with real-time scores and status distribution
📈 Historical Score Tracking - Interactive charts showing compliance trends over time
🗂️ Multi-Project Management - Monitor unlimited projects with inline progress indicators
🔍 Detailed Findings View - Filter by severity with comprehensive issue breakdowns
📋 Executive Summaries - Professional reports with grade assignments (A-F)
🎨 Enterprise Tables - Sortable project lists with circular scores and status badges
📱 Responsive Design - Optimized for desktop, tablet, and mobile devices
👤 User Management - User profiles with logout functionality in sidebar

Quick Start

Create Account: Sign up at app.vlayer.app/signup with your email
Login: Access the dashboard at app.vlayer.app
Create Project: Click "+ New Project" and enter your project details

Run Scan: Execute a compliance scan on your codebase

node dist/cli.js scan ./src --format json --output scan.json

Upload Results: Send scan data to your project via API

curl -X POST https://app.vlayer.app/api/projects/{projectId}/scans \
  -H "Content-Type: application/json" \
  -d @scan.json

Demo Data

The dashboard includes 4 demo projects with realistic compliance data:

HealthCare Portal - 92/100 (Grade A - Excellent)
Telemedicine API - 78/100 (Grade C - Fair)
Insurance Claims System - 56/100 (Grade F - Critical)
Mobile Health App - 95/100 (Grade A - Excellent)

API & Documentation

See dashboard/README.md for complete API documentation and deployment instructions.

🆕 Compliance Score & Dashboard

HIPAA Compliance Score (0-100)

VLayer calculates a compliance score based on findings weighted by severity and confidence:

# Calculate compliance score
node dist/cli.js score ./src

# Output as JSON
node dist/cli.js score ./src -f json

Scoring System:

🔴 Critical: -10 points each
🟠 High: -5 points each
🟡 Medium: -2 points each
🔵 Low: -1 point each
✅ Acknowledged findings: 25% penalty reduction

Grading:

A (90-100): Excellent compliance posture
B (80-89): Good compliance
C (70-79): Fair compliance
D (60-69): Poor compliance
F (<60): Critical - requires immediate attention

Auditor-Ready Reports

Generate professional compliance reports with SHA256 hash verification:

# Basic auditor report
node dist/cli.js report ./src

# Full-featured report
node dist/cli.js report ./src \
  -o compliance-report.html \
  --org "HealthTech Inc" \
  --period "Q1 2024" \
  --auditor "John Doe" \
  --include-baseline

Report Features:

📊 Compliance score with visual gauge (green/yellow/red)
📈 Executive summary with key metrics
📋 Findings table with filtering by severity
🔒 Suppression and acknowledgment audit trails
📄 Baseline comparison (if enabled)
🔐 SHA256 hash for document integrity
🖨️ Print-friendly CSS for PDF export

🆕 IDE & Developer Experience

VS Code Extension

Get real-time HIPAA compliance feedback directly in your editor:

# Install from the vscode-extension directory
cd vscode-extension
npm install
npm run compile

Features:

✅ Real-time scanning on file save
✅ Inline diagnostics with severity markers
✅ Hover tooltips with HIPAA references and recommendations
✅ Quick-fix actions for auto-remediation
✅ Status bar compliance score
✅ Commands: "VLayer: Scan Current File", "VLayer: Scan Workspace"

Configuration:

{
  "vlayer.enableAutoScan": true,
  "vlayer.minConfidence": "low",
  "vlayer.showStatusBar": true,
  "vlayer.configPath": ".vlayerrc.json"
}

Watch Mode

Continuous monitoring with real-time feedback:

# Watch a directory for changes
node dist/cli.js watch ./src

# Watch with specific categories
node dist/cli.js watch ./src --categories phi-exposure encryption

# Watch with custom config
node dist/cli.js watch ./src --config .vlayerrc.json

Features:

🔍 Automatic scan on file save/create
🎨 Colored terminal output by severity
📊 Diff tracking (new findings vs. previous scan)
🚨 Alerts for new critical/high severity findings
⚡ Smart file filtering (excludes node_modules, dist, etc.)

Suppression & Baseline

Inline Suppressions

Suppress specific findings with inline comments (justification required):

// vlayer-ignore phi-ssn-hardcoded -- Test data for unit tests
const testSSN = "123-45-6789";

Baseline for Existing Codebases

Generate a baseline to track existing findings without blocking progress:

# Generate baseline from current state
node dist/cli.js baseline . -o .vlayer-baseline.json

# Scan with baseline (only NEW findings cause failures)
node dist/cli.js scan . --baseline .vlayer-baseline.json

Confidence Levels

Filter findings by confidence level for progressive adoption:

# Only fail on high-confidence findings
node dist/cli.js scan . --min-confidence high

Features

1. Vulnerability Detection

Scans for 50+ security patterns across 5 HIPAA compliance categories:

Category	What it detects
PHI Exposure	SSN/MRN in code, PHI in logs, localStorage, URLs
Encryption	Weak crypto (MD5, DES), disabled SSL/TLS, HTTP URLs
Access Control	SQL injection, XSS, CORS wildcards, hardcoded credentials
Audit Logging	Missing logging framework, unlogged PHI operations
Data Retention	Bulk deletes without audit, missing retention policies

View all detection patterns

PHI Exposure (18 patterns)

Social Security Numbers (XXX-XX-XXXX)
Medical Record Numbers (MRN patterns)
Date of Birth handling
Diagnosis codes (ICD-10)
PHI in console.log statements
PHI in localStorage/sessionStorage
Patient data in URLs
Unencrypted patient contact info

Security Vulnerabilities (20+ patterns)

Hardcoded passwords and secrets
API keys (generic, Stripe, AWS)
Database URIs with credentials
SQL injection (template literals & concatenation)
innerHTML without sanitization
eval() and Function constructor
dangerouslySetInnerHTML in React

Infrastructure Issues

HTTP URLs for PHI transmission
Disabled SSL/TLS verification
CORS wildcard origins
Sessions without expiration
Missing authentication checks

2. Auto-Fix (`--fix`)

Automatically remediate common vulnerabilities:

node dist/cli.js scan ./my-app --fix

Issue	Auto-Fix Applied
SQL injection	Convert to parameterized query `query('SELECT * FROM users WHERE id = ?', [id])`
Hardcoded password	Replace with `process.env.PASSWORD`
Hardcoded API key	Replace with `process.env.API_KEY`
HTTP URL	Upgrade to HTTPS
innerHTML	Replace with `textContent`
PHI in console.log	Comment out with review marker

Example output:

✔ Scan complete. Found 29 issues.
✔ Applied 8 automatic fixes.

Changes by file:
  src/api/users.ts
    Line 45: SQL injection → parameterized query
    Line 89: Hardcoded password → process.env.DB_PASSWORD
  src/utils/logger.ts
    Line 12: PHI in console.log → commented out

3. Stack Detection

vlayer automatically detects your tech stack and provides personalized code examples:

Stack detected:
  Framework: Next.js
  Database: Supabase
  Auth: Supabase Auth

Supported technologies:

Type	Detected
Frameworks	Next.js, React, Vue, Nuxt, Angular, Express, Fastify, NestJS
Databases	Supabase, Firebase, PostgreSQL, MySQL, MongoDB, Prisma, Drizzle
Auth	NextAuth, Supabase Auth, Firebase Auth, Auth0, Clerk, Passport

Stack-specific recommendations include:

Next.js + Supabase: Server Components for PHI, Row Level Security (RLS), middleware protection
Express + PostgreSQL: express-session with Redis, parameterized queries
React + Firebase: Firestore Security Rules, Admin SDK for PHI

4. Remediation Guides

Each finding includes a detailed remediation guide with:

HIPAA Impact: Why this matters for compliance
Multiple fix options: Different approaches with trade-offs
Code examples: Copy-paste ready solutions
Documentation links: Official resources

The guides are personalized to your stack - if you're using Supabase, you'll see Supabase-specific code examples, not generic SQL.

5. Audit Trail & PDF Reports

Generate compliance documentation with cryptographic verification:

# Run scan with fixes (creates audit trail)
node dist/cli.js scan ./my-app --fix

# Generate PDF report
node dist/cli.js audit ./my-app --generate-report --org "Healthcare Inc" --auditor "Jane Smith"

Audit trail includes:

For Auto-Fixed Issues	For Manual Review Items
Code before & after	Status: "Pending human review"
SHA256 file hashes	Assigned responsible party
Timestamp of change	Suggested deadline by severity
HIPAA reference resolved	Full finding details

PDF Report sections:

Cover Page - Project info, scan statistics
Executive Summary - Remediation rate, risk breakdown
Fix Evidence - Cryptographic proof of each change
Manual Reviews - Pending items with deadlines
Verification Page - Report hash, signature fields

6. AI-Powered Scanning (Beta)

Reduce false positives and catch complex violations with Claude AI.

vlayer now includes optional AI-powered analysis using Anthropic's Claude API:

Features

🤖 LLM-Powered Rules: 6 specialized AI rules for detecting complex HIPAA violations
🎯 AI Triage: Automatically classify findings to reduce false positives by 50%+
🔒 PHI Scrubbing: All code is sanitized before sending to the LLM (HIPAA-safe)
💰 Cost Control: Budget limits, caching, and rate limiting built-in
📊 Confidence Scores: AI provides reasoning and confidence for each finding

Quick Start

# Set your API key
export ANTHROPIC_API_KEY="sk-ant-..."

# Run AI-powered scan (default: 50¢ budget)
node dist/cli.js ai-scan ./my-app

# Adjust budget
node dist/cli.js ai-scan ./my-app --budget 100

# Run LLM rules only (skip triage)
node dist/cli.js ai-scan ./my-app --rules-only

# Enable AI triage in regular scan
node dist/cli.js scan ./my-app  # AI triage runs automatically if API key is set

# Disable AI features
node dist/cli.js scan ./my-app --no-ai

AI Rules

The AI scanner includes 6 specialized rules:

Rule ID	Name	Detects
HIPAA-PHI-003	Minimum Necessary Access	APIs returning more PHI than needed (SELECT * violations)
HIPAA-SEC-001	PHI Encryption	Unencrypted PHI in transit or at rest
HIPAA-ACCESS-001	Role-Based Access Control	Missing auth checks, hardcoded roles, IDOR vulnerabilities
HIPAA-AUDIT-001	Audit Logging	PHI operations without proper audit trails
HIPAA-RETENTION-001	Data Retention	Improper deletion, missing retention policies
HIPAA-AUTH-001	Session Management	Weak session configs, missing timeouts

Configuration

Add AI settings to .vlayerrc.json:

{
  "ai": {
    "enabled": true,
    "enableTriage": true,
    "enableLLMRules": true,
    "filterFalsePositives": true,
    "budgetCents": 50
  }
}

Cost & Performance

Typical scan: 5-20 API calls, $0.10-$0.50
Caching: Results cached for 24 hours by file hash
Rate limiting: Max 20 calls/minute, 50 calls/scan
PHI protection: All sensitive data scrubbed before API call

Example output:

🤖 Starting AI-powered HIPAA scan...
🔒 Scrubbed 3 PHI patterns from src/api/patients.ts
📋 Running 6 LLM-powered rules...
✅ AI scan complete: 12 findings, 48¢

AI Scan Summary:
  Files scanned: 8
  AI findings: 12
  AI calls made: 18
  Cost: 48¢
  Critical: 2
  High: 5

Report Examples

HTML Report

The HTML report includes:

Summary cards with severity counts
Stack detection section with tailored recommendations
Each finding with code context and line highlighting
Expandable remediation guides with code examples
Auto-fixable badge on issues that can be fixed automatically

JSON Report

Machine-readable format for CI/CD integration:

{
  "summary": {
    "total": 29,
    "critical": 8,
    "high": 12,
    "medium": 6,
    "low": 3
  },
  "stack": {
    "framework": "nextjs",
    "database": "supabase",
    "auth": "supabase-auth"
  },
  "findings": [...]
}

Configuration

Create .vlayerrc.json in your project root:

{
  "exclude": ["**/*.test.ts", "**/__mocks__/**"],
  "ignorePaths": ["sample-data", "fixtures"],
  "safeHttpDomains": ["my-internal-cdn.com"],
  "contextLines": 3,
  "categories": ["phi-exposure", "encryption", "access-control"]
}

Option	Description	Default
`exclude`	Glob patterns to skip	`[]`
`ignorePaths`	Path substrings to ignore	`[]`
`safeHttpDomains`	HTTP domains to allow (CDNs)	Built-in list
`contextLines`	Lines of context in reports	`2`
`categories`	Categories to scan	All

CLI Reference

# Basic scan
vlayer scan <path>

# Scan options
vlayer scan <path> -f html -o report.html    # HTML report
vlayer scan <path> -f markdown -o report.md  # Markdown report
vlayer scan <path> -c phi-exposure encryption # Specific categories
vlayer scan <path> --fix                      # Auto-fix issues

# Watch mode
vlayer watch <path>                           # Watch for changes
vlayer watch <path> -c phi-exposure          # Watch specific categories
vlayer watch <path> --config .vlayerrc.json  # Watch with custom config
vlayer watch <path> --min-confidence high    # Watch with confidence filter

# Audit commands
vlayer audit <path> --summary                 # View audit summary
vlayer audit <path> --generate-report         # Generate PDF
vlayer audit <path> --generate-report --text  # Generate text instead
vlayer audit <path> --generate-report --org "Company" --auditor "Name"

# Baseline commands
vlayer baseline <path>                        # Generate baseline
vlayer baseline <path> -o custom.json         # Custom output path
vlayer scan <path> --baseline .vlayer-baseline.json  # Scan with baseline

# Compliance score
vlayer score <path>                           # Calculate compliance score
vlayer score <path> -f json                   # JSON output
vlayer score <path> --baseline baseline.json  # Score with baseline

# Auditor reports
vlayer report <path>                          # Generate auditor report
vlayer report <path> -o report.html           # Custom output path
vlayer report <path> --org "Company Name"     # Set organization
vlayer report <path> --include-baseline       # Include baseline comparison

Exit codes:

0 - No critical issues
1 - Critical issues found (useful for CI/CD)

HIPAA References

Each finding maps to specific HIPAA regulations:

Reference	Requirement
§164.502, §164.514	PHI disclosure and de-identification
§164.312(a)(1)	Access control mechanisms
§164.312(a)(2)(iv)	Encryption and decryption
§164.312(b)	Audit controls
§164.312(d)	Person or entity authentication
§164.312(e)(1)	Transmission security
§164.530(j)	Documentation retention (6 years)

Roadmap

Recently Completed ✅

Phase 4E: Authentication & User Management
- Supabase Auth integration
- Email/password authentication flow
- Login and signup pages with dark theme
- Protected routes via Next.js middleware
- User session management
- User profile display in sidebar
- Logout functionality
- Environment variables configured in Vercel
Phase 4D: Custom Domain Configuration
- Configured custom domains on vlayer.app
- Dashboard: app.vlayer.app
- Playground: play.vlayer.app
- Documentation: docs.vlayer.app
- Landing page: vlayer.app
- Automatic DNS configuration via Vercel
- SSL/TLS certificates provisioned for all domains
- Updated all cross-project links
Phase 4C: Dashboard Consolidation
- Moved landing page to separate repo (vlayer-website)
- Dashboard now at root route (/) instead of /dashboard
- Simplified route structure (/, /projects, /projects/[id])
- Removed route groups for cleaner app organization
- Dashboard-focused application architecture
Phase 4A: Web Dashboard (Enterprise Redesign)
- Next.js dashboard deployed to Vercel
- Enterprise-grade dark navy theme with emerald accents
- Fixed sidebar navigation with VLayer branding
- Circular progress gauges with animations
- Multi-project management with REST API
- Status badges (Compliant/At Risk/Critical)
- Historical score tracking with visual charts
- Demo data with 4 realistic projects
- Glassmorphism effects and professional shadows
- Responsive design optimized for all devices
Phase 3B: Dashboard & Compliance Score
- HIPAA Compliance Score (0-100) with severity weighting
- Enhanced HTML reports with visual gauge
- Auditor-ready reports with SHA256 hash
- Executive summary and filterable findings table
- Print-friendly CSS for PDF export
Phase 3A: IDE & Developer Experience
- VS Code Extension v2.0 with real-time scanning
- Watch mode for continuous monitoring
- Inline diagnostics with hover tooltips
- Quick-fix actions and status bar integration
Phase 2B: Enhanced Custom Rules
- Semantic awareness for custom rules
- Pattern-aware context detection
- Confidence level controls
Phase 2A: Semantic Context Analysis
- AST-based semantic analysis
- Context-aware confidence levels
- Test file detection
Phase 1B: Reusable GitHub Action
- GitHub Action for CI/CD integration
- Enhanced npm package
- Baseline and suppression systems

Coming Soon

Slack/Teams notifications for new findings
CLI integration with dashboard auto-upload
Database backend for dashboard (currently file-based)

Planned

HITRUST CSF mapping
SOC 2 compliance checks
AWS/GCP/Azure infrastructure scanning
Team dashboard with trend tracking
Jira/Linear integration for issue tracking

Future

AI-powered fix suggestions
Dependency vulnerability scanning
Runtime PHI detection agent
Compliance certification workflows

Contributing

Contributions are welcome! Please read our contributing guidelines before submitting PRs.

# Development
npm install
npm run dev      # Watch mode
npm run test     # Run tests
npm run lint     # Lint code

License

MIT License - see LICENSE for details.

Built for healthcare developers who take compliance seriously.
Report Bug · Request Feature

verification-layer

Package Exports

Readme

vlayer - HIPAA Compliance Scanner

What is vlayer?

Quick Start

🛡️ AI Agent Skills Security Scanner

The Problem

What It Detects

Example Output

🌐 VLayer Ecosystem

Design

Features

Quick Start

Demo Data

API & Documentation

🆕 Compliance Score & Dashboard

HIPAA Compliance Score (0-100)

Auditor-Ready Reports

🆕 IDE & Developer Experience

VS Code Extension

Watch Mode

Suppression & Baseline

Inline Suppressions

Baseline for Existing Codebases

Confidence Levels

Features

1. Vulnerability Detection

2. Auto-Fix (--fix)

3. Stack Detection

4. Remediation Guides

5. Audit Trail & PDF Reports

6. AI-Powered Scanning (Beta)

Features

Quick Start

AI Rules

Configuration

Cost & Performance

Report Examples

HTML Report

JSON Report

Configuration

CLI Reference

HIPAA References

Roadmap

Recently Completed ✅

Coming Soon

Planned

Future

Contributing

License

2. Auto-Fix (`--fix`)