JSPM

  • Downloads 776
  • License MIT

AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do.

    xploitscan

    Built for solo devs and non-technical founders shipping AI-generated code via Cursor, Lovable, Bolt, Replit, and Claude Code.

    Quick Start

    npx xploitscan scan .

    That's it. No config needed.

    What It Catches

    | Rule  | Vulnerability                                                          | Severity |
    |-------|------------------------------------------------------------------------|----------|
    | VC001 | Hardcoded API keys & secrets (AWS, Stripe, OpenAI, Supabase, DB URLs)  | Critical |
    | VC002 | .env files with secrets committed to git                               | High     |
    | VC003 | API routes missing authentication                                      | High     |
    | VC004 | Supabase service_role key in client code / RLS bypass                  | Critical |
    | VC005 | Stripe webhooks without signature verification                         | Critical |
    | VC006 | SQL injection via string interpolation                                 | Critical |
    | VC007 | XSS (dangerouslySetInnerHTML, innerHTML, v-html)                       | High     |
    | VC008 | Server without rate limiting                                           | Medium   |
    | VC009 | Wildcard CORS configuration                                            | Medium   |
    | VC010 | Client-side only authorization checks                                  | High     |

    Plus AI-powered contextual analysis that catches issues static rules miss.
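    As an added example (not xploitscan's own code, whose implementation is not shown here), a miniature line-based scanner in Node.js showing the kind of pattern checks behind four of the rules above: VC001, VC006, VC007 and VC009. The rule ids and severities come from the table; the regular expressions and the sample source are my own constructed approximations, and a real scanner would work on a parsed AST rather than raw lines.

```javascript
// Added example, not xploitscan's code. Rule ids and severities are taken
// from the "What It Catches" table; the patterns are my own approximations.
const RULES = [
  {
    id: "VC001",
    severity: "critical",
    title: "Hardcoded API key or secret",
    patterns: [
      /sk_(live|test)_[0-9A-Za-z]{8,}/,            // Stripe secret key
      /AKIA[0-9A-Z]{16}/,                          // AWS access key id
      /postgres(ql)?:\/\/[^:\s]+:[^@\s]+@/,        // DB URL with embedded password
    ],
  },
  {
    id: "VC006",
    severity: "critical",
    title: "SQL built by string interpolation",
    // a template literal starting with a SQL keyword and containing ${...}
    patterns: [/`\s*(SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{/i],
  },
  {
    id: "VC007",
    severity: "high",
    title: "Raw HTML sink (XSS)",
    patterns: [/dangerouslySetInnerHTML/, /\.innerHTML\s*=/, /\bv-html\b/],
  },
  {
    id: "VC009",
    severity: "medium",
    title: "Wildcard CORS",
    patterns: [
      /Access-Control-Allow-Origin['"]?\s*[:,]\s*['"]\*['"]/,
      /cors\(\s*\{[^}]*origin\s*:\s*['"]\*['"]/,
    ],
  },
];

// Scan one source file (as a string) line by line; returns one finding per
// rule that matches a line. Comment-only lines are skipped.
function scanSource(source, file = "<constructed>") {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const trimmed = text.trim();
    if (trimmed.startsWith("//")) return;
    for (const rule of RULES) {
      if (rule.patterns.some((re) => re.test(text))) {
        findings.push({ rule: rule.id, severity: rule.severity, title: rule.title,
                        file, line: idx + 1, snippet: trimmed });
      }
    }
  });
  return findings;
}

// Count findings per severity, e.g. { critical: 3, high: 1, medium: 1 }.
function severityCounts(findings) {
  return findings.reduce((acc, f) => {
    acc[f.severity] = (acc[f.severity] || 0) + 1;
    return acc;
  }, {});
}

// Constructed sample: an Express app with the kind of mistakes the rules target.
// The key, password and host are placeholders, not real credentials.
const SAMPLE_SOURCE = [
  'import express from "express";',
  'const stripe = require("stripe")("sk_test_EXAMPLEKEY1234567890abcdef"); // VC001: hardcoded Stripe key',
  'const DATABASE_URL = "postgres://app:hunter2@db.internal:5432/app"; // VC001: credentials in DB URL',
  'const app = express();',
  'app.use((req, res, next) => { res.setHeader("Access-Control-Allow-Origin", "*"); next(); }); // VC009',
  'app.get("/users", async (req, res) => {',
  "  const rows = await db.query(`SELECT * FROM users WHERE name = '${req.query.name}'`); // VC006",
  '  res.send(rows);',
  '});',
  'document.getElementById("out").innerHTML = req.query.msg; // VC007: untrusted HTML sink',
  'const safe = db.query("SELECT * FROM users WHERE name = $1", [name]); // parameterised, no finding',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const found = scanSource(SAMPLE_SOURCE, "app.js");
  for (const f of found) console.log(`${f.rule} [${f.severity}] ${f.file}:${f.line}  ${f.title}`);
  console.log(severityCounts(found));
}
```

    Run with `node scan-demo.js`; the parameterised query on the last sample line produces no finding, which is the distinction VC006 is meant to draw.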

    Installation

    # Run directly (no install)
    npx xploitscan scan .
    
    # Or install globally
    npm install -g xploitscan
    xploitscan scan .

    Usage

    # Scan current directory
    xploitscan scan .
    
    # Scan a specific directory
    xploitscan scan ./my-project
    
    # Skip AI analysis (faster, no API key needed)
    xploitscan scan . --no-ai
    
    # JSON output (for CI pipelines)
    xploitscan scan . --format json
    
    # SARIF output (for GitHub Code Scanning)
    xploitscan scan . --format sarif
    
    # Verbose output (show per-scanner results)
    xploitscan scan . -v

    AI-Powered Analysis

    Set your Anthropic API key for deeper, contextual vulnerability analysis:

    export ANTHROPIC_API_KEY=sk-ant-...
    xploitscan scan .

    The AI analyzer understands your code in context and explains vulnerabilities in plain English with specific fix instructions.

    CI Integration

    GitHub Actions

    name: Security Scan
    on: [push, pull_request]
    
    jobs:
      xploitscan:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - uses: xploitscan/action@v1
            with:
              anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}

    Results appear in the GitHub Security tab.

    Any CI

    npx xploitscan scan . --format sarif --no-ai > results.sarif

    Exit code is 1 when critical or high severity issues are found.

    Configuration

    Create a .xploitscanrc.json in your project root:

    {
      "exclude": ["tests/**", "scripts/**"],
      "ai": true,
      "severity": "medium",
      "disableRules": ["VC008"]
    }
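    As an added example (not xploitscan's own code), here is how the configuration keys above can be applied to a list of findings, and how the exit-code rule from the "Any CI" section (exit 1 when critical or high issues remain) follows from the filtered result. The reading of the keys is an assumption on my part: `exclude` as path globs, `disableRules` as rule ids to drop, `severity` as the minimum severity that is kept. The findings are constructed for illustration.

```javascript
// Added example, not xploitscan's code. Interprets .xploitscanrc.json keys
// under the assumptions stated in the lead-in and computes the CI exit code.
const SEVERITY_RANK = { critical: 3, high: 2, medium: 1, low: 0 };

// Minimal glob matcher: "**" spans directories, "*" stays within one path
// segment, "?" matches one character. Good enough for exclude lists like
// "tests/**" or "src/**/*.ts".
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const ch = glob[i];
    if (ch === "*" && glob[i + 1] === "*" && glob[i + 2] === "/") {
      re += "(?:.*/)?"; i += 2;      // "**/" also matches zero directories
    } else if (ch === "*" && glob[i + 1] === "*") {
      re += ".*"; i += 1;
    } else if (ch === "*") {
      re += "[^/]*";
    } else if (ch === "?") {
      re += "[^/]";
    } else {
      re += ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp("^" + re + "$");
}

function isExcluded(path, excludeGlobs) {
  return excludeGlobs.some((g) => globToRegExp(g).test(path));
}

// Keep a finding only if its file is not excluded, its rule is not disabled
// and its severity reaches the configured minimum (default: report everything).
function applyConfig(findings, config) {
  const exclude = config.exclude || [];
  const disabled = new Set(config.disableRules || []);
  const minRank = SEVERITY_RANK[config.severity || "low"];
  return findings.filter((f) =>
    !isExcluded(f.file, exclude) &&
    !disabled.has(f.rule) &&
    SEVERITY_RANK[f.severity] >= minRank);
}

// Mirrors the documented gate: exit 1 only when critical or high issues remain.
function ciExitCode(findings) {
  return findings.some((f) => f.severity === "critical" || f.severity === "high") ? 1 : 0;
}

// The configuration from the README, as parsed from .xploitscanrc.json.
const CONFIG = {
  exclude: ["tests/**", "scripts/**"],
  ai: true,
  severity: "medium",
  disableRules: ["VC008"],
};

// Constructed findings; rule ids and severities follow the "What It Catches" table.
const FINDINGS = [
  { rule: "VC001", severity: "critical", file: "src/lib/stripe.js",            line: 3 },
  { rule: "VC008", severity: "medium",   file: "src/server.js",                line: 12 }, // disabled by config
  { rule: "VC006", severity: "critical", file: "tests/fixtures/query.test.js", line: 8 },  // excluded path
  { rule: "VC009", severity: "medium",   file: "src/server.js",                line: 15 },
  { rule: "VC003", severity: "high",     file: "src/app/api/admin/route.ts",   line: 1 },
  { rule: "VC001", severity: "critical", file: "scripts/seed.js",              line: 2 },  // excluded path
];

if (typeof require !== "undefined" && require.main === module) {
  const kept = applyConfig(FINDINGS, CONFIG);
  for (const f of kept) console.log(`${f.rule} [${f.severity}] ${f.file}:${f.line}`);
  console.log("exit code:", ciExitCode(kept));
}
```

    Note that the `severity` threshold only trims what is reported; the exit code still depends on whether anything critical or high survives the filters, so raising the threshold never turns a failing build green by itself.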

    Optional: Deeper Scanning

    Install these tools for additional detection coverage:

    # Semgrep - 2000+ community security rules
    pip install semgrep
    
    # Gitleaks - advanced secret detection
    brew install gitleaks

    XploitScan automatically uses them if available.

    Auth & Pro Plan

    # Log in to sync scan history
    xploitscan auth login
    
    # Check your plan
    xploitscan auth whoami
    
    # Upgrade to Pro ($29/mo) for unlimited scans
    xploitscan upgrade

    Free plan: 3 scans/day. Pro: unlimited scans, scan history, team features.

    License

    MIT