XploitScan
Security scanner for AI-generated code. Find vulnerabilities before attackers do.
Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 206 security rules. Plain-English results. Copy-paste fixes.
Quick Start
npx xploitscan scan .

No install, no config, no account required. Your code stays 100% local.
What It Catches
206 rules across 15+ categories:
| Category | Examples | Rules |
|---|---|---|
| Secrets | Hardcoded API keys, .env files, OAuth secrets, Terraform state | 15+ |
| Injection | SQL, XSS, SSRF, command injection, path traversal, XXE, SSTI | 20+ |
| Authentication | Missing auth, weak JWT, insecure password reset, OAuth flaws | 15+ |
| Cryptography | Weak RSA, deprecated TLS, ECB mode, hardcoded IVs | 10+ |
| Infrastructure | Dockerfile, Kubernetes, Terraform, AWS IAM misconfigs | 10+ |
| Supply Chain | Unpinned GitHub Actions, vulnerable dependencies | 5+ |
| Information Leakage | PII in logs, unencrypted DB fields, exposed admin routes | 10+ |
| Code Quality | Console.log in production, empty catch blocks, TODO/FIXME | 10+ |
Every finding is mapped to the relevant OWASP Top 10 category and CWE identifier.
Detection Quality
Detection is scored publicly on a labeled fixture corpus that is refreshed on every commit. Current numbers live at xploitscan.com/benchmark:
- 100% precision (zero false positives) across 151 labeled fixtures covering 25+ vulnerability classes
- 80%+ recall on rules with active test coverage
- Side-by-side comparison with Semgrep (community rulesets) and Bearer on the same corpus
These figures describe the fixture corpus only. Precision on hand-labeled fixtures does not predict the false-positive rate on an arbitrary real-world repository, so trial the scanner on your own code before using it to gate CI.
The scanner uses a two-layer architecture: a fast regex pre-filter for pattern-based rules (secrets, missing headers, container misconfigs), and a Babel-parsed AST layer with local taint tracking for data-flow rules (SSRF, prototype pollution, mass assignment, SSTI, command injection from user input). The taint tracking is local rather than inter-procedural: request data is followed within a function body, so a flow that passes through another function or module before reaching a sink is outside its scope. Recognized taint sources: Express, Fastify, Koa, Next.js App Router, Web Fetch API, and AWS Lambda.
Methodology, fixture format, and reproducibility instructions: xploitscan.com/docs/detection-methodology.
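To make the two-layer split concrete, here is an added toy scanner written for this page. It is not XploitScan's code and its rule IDs (TOY-*), source/sink lists, the ALLOWED_* sanitizer convention and the two sample Express handlers are all constructed for the illustration. Layer one is a per-line regex pass for pattern rules; layer two tracks request-derived identifiers through assignments inside one handler and reports only when one of them reaches a shell or fetch sink without passing an allowlist lookup.

```javascript
// Added illustration (not XploitScan's code) of a two-layer scanner:
// a regex pre-filter for pattern rules plus a small intra-procedural
// taint tracker for data-flow rules. Rule IDs, source/sink lists and the
// sample handlers below are constructed for this example.

// Layer 1: pattern rules need no parsing; one regex per line is enough.
const PATTERN_RULES = [
  { id: 'TOY-SECRET-AWS', re: /\bAKIA[0-9A-Z]{16}\b/, msg: 'Hardcoded AWS access key ID' },
  { id: 'TOY-TLS-VERIFY', re: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/, msg: 'TLS certificate verification disabled' },
];

// Layer 2: data-flow rules. Taint enters through Express-style request fields
// and becomes a finding only if it reaches a sink without passing a sanitizer.
const SOURCE_RE = /\breq\.(query|body|params)\.\w+/;
const SINKS = [
  { id: 'TOY-CMD-INJECTION', re: /\b(exec|execSync)\s*\(/, msg: 'Request data reaches a shell command' },
  { id: 'TOY-SSRF', re: /\bfetch\s*\(/, msg: 'Request data controls an outbound URL' },
];
// Toy convention: a lookup in an ALLOWED_* map or set breaks the taint chain.
const SANITIZER_RE = /\bALLOWED_\w+\.(get|has)\s*\(/;
const ASSIGN_RE = /^\s*(?:const|let|var)\s+(\w+)\s*=\s*(.+)$/;
const HANDLER_START_RE = /^\s*(app|router)\.(get|post|put|patch|delete|all)\s*\(/;

const mentionsAny = (text, names) => [...names].some((n) => new RegExp(`\\b${n}\\b`).test(text));

function scan(source) {
  const findings = [];
  let tainted = new Set(); // identifiers holding request-derived data in the current handler

  source.split('\n').forEach((line, idx) => {
    const lineNo = idx + 1;

    for (const rule of PATTERN_RULES) {
      if (rule.re.test(line)) findings.push({ id: rule.id, line: lineNo, msg: rule.msg });
    }

    // A new route handler starts a new scope; taint from the previous one does not carry over.
    if (HANDLER_START_RE.test(line)) tainted = new Set();

    const assign = ASSIGN_RE.exec(line);
    if (assign) {
      const [, name, rhs] = assign;
      const fromRequest = SOURCE_RE.test(rhs) || mentionsAny(rhs, tainted);
      if (fromRequest && !SANITIZER_RE.test(rhs)) tainted.add(name);
      else tainted.delete(name); // rebinding to clean data clears the mark
    }

    for (const sink of SINKS) {
      if (sink.re.test(line) && (SOURCE_RE.test(line) || mentionsAny(line, tainted))) {
        findings.push({ id: sink.id, line: lineNo, msg: sink.msg });
      }
    }
  });
  return findings;
}

// Constructed sample: the kind of handler an AI assistant produces on request.
// The key is the AWS documentation example key, not a real credential.
const VULNERABLE_SOURCE = [
  'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
  'process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";',
  'app.get("/ping", (req, res) => {',
  '  const host = req.query.host;',
  '  exec(`ping -c 1 ${host}`, (err, out) => res.send(out));',
  '});',
  'app.get("/proxy", async (req, res) => {',
  '  const target = req.query.url;',
  '  const r = await fetch(target);',
  '  res.send(await r.text());',
  '});',
].join('\n');

// Constructed hardened version: no shell (argument vector instead of a string)
// and the outbound URL comes from a server-side allowlist, not from the request.
const HARDENED_SOURCE = [
  'app.get("/ping", (req, res) => {',
  '  const host = req.query.host;',
  '  if (!/^[a-z0-9.-]+$/i.test(host)) return res.status(400).end();',
  '  execFile("ping", ["-c", "1", host], (err, out) => res.send(out));',
  '});',
  'app.get("/proxy", async (req, res) => {',
  '  const target = ALLOWED_TARGETS.get(req.query.name);',
  '  if (!target) return res.status(404).end();',
  '  const r = await fetch(target);',
  '  res.send(await r.text());',
  '});',
].join('\n');

for (const f of scan(VULNERABLE_SOURCE)) console.log(`${f.id} line ${f.line}: ${f.msg}`);
console.log('hardened findings:', scan(HARDENED_SOURCE).length);
```

The vulnerable sample produces four findings (two pattern hits, one command injection, one SSRF) and the hardened sample none. Note what the toy does and does not understand: execFile is simply not a shell sink, so the regex guard on the hostname is never evaluated, and the allowlist lookup is recognised only because of a naming convention. A line-oriented tracker like this cannot follow taint through destructuring, helper functions or template strings built over several lines, which is why a real data-flow layer works on an AST rather than on text.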
Installation
# Run directly (recommended — always latest version)
npx xploitscan scan .
# Or install globally
npm install -g xploitscan
xploitscan scan .

Usage
# Scan current directory
npx xploitscan scan .
# Scan a specific folder
npx xploitscan scan ./src
# JSON output (for scripting/CI)
npx xploitscan scan . --format json
# SARIF output (for GitHub Security tab)
npx xploitscan scan . --format sarif
# Scan only changed files vs main branch
npx xploitscan scan . --diff
# Watch mode — re-scan on file changes
npx xploitscan scan . --watch

Output Formats

| Format | Use Case |
|---|---|
| text | Human-readable terminal output (default) |
| json | Machine-readable JSON with all findings |
| sarif | GitHub Security tab integration |
GitHub Action
Add automated scanning to every PR:
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run XploitScan
        uses: bgage72590/xploitscan@main
        with:
          path: '.'
          format: 'sarif'
          fail-on: 'critical'
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: xploitscan-results.sarif

Findings appear in the GitHub Security tab as code scanning alerts. Note that bgage72590/xploitscan@main references a mutable branch: pin the action to a full commit SHA (or at least a release tag) before relying on it in CI, which is the same discipline the scanner's own Supply Chain rules enforce for unpinned actions.
Configuration
Create a .xploitscanrc file in your project root:
{
  "rules": {
    "include": ["VC001-VC131"],
    "exclude": ["VC042"]
  },
  "format": "json",
  "fail-on": "high",
  "ignore": ["node_modules", "dist", ".git"]
}

Web Dashboard
Scan via the web at xploitscan.com:
- Drag-and-drop file/ZIP upload
- GitHub URL scanning
- Scan history and score trends
- PDF security reports
- SOC2/ISO27001 compliance mapping
- Slack and Discord webhook notifications
Free: 5 scans/day, 30 core rules. Indie ($9/mo): 500 scans/month, all 206 rules, scan history. Pro ($19/mo): unlimited scans, all 206 rules, PDF reports, compliance mapping, webhooks, AI false-positive filter. Team ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 40%.
Supported Languages
JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, Dart, C/C++, and configuration files (Dockerfile, Terraform, Kubernetes, GitHub Actions, .env).
Links
- Website: xploitscan.com
- Documentation: xploitscan.com/docs
- Changelog: xploitscan.com/changelog
- Email: admin@xploitscan.com
License
MIT -- Cipherline LLC