JSPM

  • Downloads 776
  • License MIT

AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do.

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (xploitscan) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    XploitScan


    Security scanner for AI-generated code. Find vulnerabilities before attackers do.

    Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 158 security rules. Plain-English results. Copy-paste fixes.

    Quick Start

    npx xploitscan scan .

    No install, no config, no account required. Your code stays 100% local.

    What It Catches

    158 rules across 15+ categories:

    Category | Examples | Rules
    Secrets | Hardcoded API keys, .env files, OAuth secrets, Terraform state | 15+
    Injection | SQL, XSS, SSRF, command injection, path traversal, XXE, SSTI | 20+
    Authentication | Missing auth, weak JWT, insecure password reset, OAuth flaws | 15+
    Cryptography | Weak RSA, deprecated TLS, ECB mode, hardcoded IVs | 10+
    Infrastructure | Dockerfile, Kubernetes, Terraform, AWS IAM misconfigs | 10+
    Supply Chain | Unpinned GitHub Actions, vulnerable dependencies | 5+
    Information Leakage | PII in logs, unencrypted DB fields, exposed admin routes | 10+
    Code Quality | Console.log in production, empty catch blocks, TODO/FIXME | 10+

    Every finding includes OWASP Top 10 and CWE compliance mappings.

    Installation

    # Run directly (recommended — always latest version)
    npx xploitscan scan .
    
    # Or install globally
    npm install -g xploitscan
    xploitscan scan .

    Usage

    # Scan current directory
    npx xploitscan scan .
    
    # Scan a specific folder
    npx xploitscan scan ./src
    
    # JSON output (for scripting/CI)
    npx xploitscan scan . --format json
    
    # SARIF output (for GitHub Security tab)
    npx xploitscan scan . --format sarif
    
    # Scan only changed files vs main branch
    npx xploitscan scan . --diff
    
    # Watch mode — re-scan on file changes
    npx xploitscan scan . --watch

    Output Formats

    Format | Use Case
    text | Human-readable terminal output (default)
    json | Machine-readable JSON with all findings
    sarif | GitHub Security tab integration

    GitHub Action

    Add automated scanning to every PR:

    name: Security Scan
    on: [push, pull_request]
    
    jobs:
      security:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
    
          - name: Run XploitScan
            uses: bgage72590/xploitscan@main
            with:
              path: '.'
              format: 'sarif'
              fail-on: 'critical'
    
          - name: Upload SARIF
            if: always()
            uses: github/codeql-action/upload-sarif@v3
            with:
              sarif_file: xploitscan-results.sarif

    Findings appear in the GitHub Security tab as code scanning alerts.

    Configuration

    Create a .xploitscanrc file in your project root:

    {
      "rules": {
        "include": ["VC001-VC131"],
        "exclude": ["VC042"]
      },
      "format": "json",
      "fail-on": "high",
      "ignore": ["node_modules", "dist", ".git"]
    }
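    The GitHub Action and configuration sections above leave two things implicit: what the SARIF file uploaded to the Security tab contains, and how a rule include/exclude list plus a fail-on threshold turn a list of findings into a pass/fail decision. The following Node.js script is an added example, not code from the xploitscan project, that gates a CI step on a SARIF 2.1.0 report using a .xploitscanrc-style filter. It assumes that "VC001-VC131" means an inclusive range of zero-padded rule IDs, that exclude wins over include, that an empty include list means "all rules", and that fail-on triggers at or above the named severity; the mapping from SARIF levels (error/warning/note) to critical/high/medium/low is also an assumption, and the SARIF input is constructed for the demo rather than real scanner output.

```javascript
// Added example (not part of the xploitscan project): gate a CI job on a SARIF
// report using a .xploitscanrc-style rule filter and fail-on threshold.
// Assumptions: "VCnnn-VCnnn" is an inclusive range, exclude wins over include,
// an empty include list means all rules, and fail-on fires at or above the
// named severity. The SARIF level -> severity mapping is also assumed.

// Expand a rule spec such as "VC001-VC131" or "VC042" into individual IDs.
function expandRuleSpec(spec) {
  const m = /^([A-Z]+)(\d+)(?:-([A-Z]+)(\d+))?$/.exec(spec.trim());
  if (!m) throw new Error(`bad rule spec: ${spec}`);
  const [, prefix, lo, prefix2, hi] = m;
  if (prefix2 && prefix2 !== prefix) throw new Error(`mixed prefixes in ${spec}`);
  const start = Number(lo);
  const end = hi === undefined ? start : Number(hi);
  if (end < start) throw new Error(`reversed range: ${spec}`);
  const width = lo.length; // keep the zero-padding of the lower bound
  const ids = [];
  for (let n = start; n <= end; n++) ids.push(prefix + String(n).padStart(width, "0"));
  return ids;
}

// Build a predicate from the config's rules.include / rules.exclude lists.
function ruleFilter(rulesConfig = {}) {
  const include = (rulesConfig.include || []).flatMap(expandRuleSpec);
  const exclude = new Set((rulesConfig.exclude || []).flatMap(expandRuleSpec));
  const included = include.length ? new Set(include) : null; // null = every rule
  return (ruleId) => !exclude.has(ruleId) && (included === null || included.has(ruleId));
}

// SARIF 2.1.0 results carry a "level" (error/warning/note). Map it onto the
// severity vocabulary the fail-on option uses; a tool-specific
// properties.severity, if present, takes precedence. Mapping is an assumption.
const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1 };
function severityOf(result) {
  const prop = result.properties && result.properties.severity;
  if (prop && SEVERITY_RANK[prop]) return prop;
  return { error: "high", warning: "medium", note: "low" }[result.level] || "low";
}

// Apply the filter and threshold to a parsed SARIF document.
function gateSarif(sarif, config) {
  const keep = ruleFilter(config.rules);
  const threshold = SEVERITY_RANK[config["fail-on"] || "high"];
  const findings = [];
  for (const run of sarif.runs || []) {
    for (const r of run.results || []) {
      if (!keep(r.ruleId)) continue;
      findings.push({
        ruleId: r.ruleId,
        severity: severityOf(r),
        message: (r.message && r.message.text) || "",
      });
    }
  }
  const blocking = findings.filter((f) => SEVERITY_RANK[f.severity] >= threshold);
  return { findings, blocking, shouldFail: blocking.length > 0 };
}

// Constructed sample input (hypothetical rule IDs, not real scanner output).
const sampleConfig = {
  rules: { include: ["VC001-VC131"], exclude: ["VC042"] },
  "fail-on": "high",
};
const sampleSarif = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "example-scanner" } },
    results: [
      { ruleId: "VC007", level: "error", properties: { severity: "critical" },
        message: { text: "Hardcoded API key in config.js" } },
      { ruleId: "VC042", level: "error", message: { text: "Excluded by config" } },
      { ruleId: "VC099", level: "note", message: { text: "console.log left in production code" } },
      { ruleId: "VC140", level: "error", message: { text: "Outside the included range" } },
    ],
  }],
};

// Demo run: VC042 is excluded, VC140 falls outside the include range,
// VC099 is low severity, so only VC007 (critical) blocks the build.
const verdict = gateSarif(sampleSarif, sampleConfig);
console.log(JSON.stringify(verdict, null, 2));
```

    In a real pipeline the SARIF document would come from `JSON.parse(fs.readFileSync("xploitscan-results.sarif"))` and the script would end with `process.exit(verdict.shouldFail ? 1 : 0)`; keeping the gate separate from the upload step means the Security tab still receives the full report even when the job is failed on a critical finding.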

    Web Dashboard

    Scan via the web at xploitscan.com:

    • Drag-and-drop file/ZIP upload
    • GitHub URL scanning
    • Scan history and score trends
    • PDF security reports
    • SOC2/ISO27001 compliance mapping
    • Slack and Discord webhook notifications

    Free: 5 scans/day, 30 core rules. Pro ($29/mo): unlimited scans, all 158 rules, and all dashboard features. Team ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.

    Supported Languages

    JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, Dart, C/C++, and configuration files (Dockerfile, Terraform, Kubernetes, GitHub Actions, .env).

    License

    MIT -- Cipherline LLC