trynullsec/nullsec-guard


nullsec-guard

Nullsec Guard finds security bugs in AI-generated code before you ship.

Run one command. Get vulnerabilities, risk scores, and fix prompts you can paste back into Cursor, Claude, or Codex.


Quick Start

npx nullsec-guard

That's it. No accounts, no cloud, no config needed.

Or install globally:

npm install -g nullsec-guard

Why This Exists

AI coding tools (Cursor, Claude, Codex, Copilot) generate code fast — but they also generate hardcoded secrets, vulnerable dependencies, SQL injection, missing auth checks, and prompt injection surfaces. Most developers using AI don't review every line. Nullsec Guard is the safety net: one command that catches the security issues AI introduces before they reach production.

Example Output

  nullsec-guard — security scanner for AI-generated code

  Path:   /Users/you/project
  Files:  47 scanned
  Time:   1.2s
  AI:     off (set ANTHROPIC_API_KEY to enable)

  Score 72/100  Grade C

  8 findings: 1 critical · 2 high · 3 medium · 2 low

  ─── Top Issues ───────────────────────────────────
  CRIT  Stripe Live Secret Key found in src/config.ts
        src/config.ts:12

  HIGH  Vulnerable dependency: lodash@4.17.20
        package-lock.json

  HIGH  SQL Injection via string concatenation
        src/db.ts:34

  ─── Next Steps ───────────────────────────────────
  → nullsec-guard --fix-prompts to get copy-paste fixes
  → Set ANTHROPIC_API_KEY for deeper AI analysis
  → nullsec-guard --sarif for GitHub Code Scanning

What It Detects

| Category | Details |
| --- | --- |
| Secrets | 21+ patterns (AWS, Stripe, GitHub, OpenAI, Anthropic, private keys, connection strings, .env files) + Shannon entropy detection |
| Dependencies | Known vulnerable versions (offline check) + OSV.dev API for CVEs. Reads package-lock.json, pnpm-lock.yaml, yarn.lock |
| Injection | SQL injection, command injection, SSRF, path traversal, eval/Function |
| Auth & Access | IDOR, missing ownership checks, session issues, JWT misuse, CORS misconfig |
| AI Security | Prompt injection surfaces, unsafe LLM output rendering, unvalidated tool calls |
| Config | CORS headers, CSP, cookie security, rate limiting |
| MCP | Capability analysis for Model Context Protocol servers |
MCP Capability analysis for Model Context Protocol servers

CLI Options

Usage: nullsec-guard [path] [options]

Options:
  --json              Output JSON to stdout
  --markdown          Output markdown report file
  --sarif             Output SARIF for GitHub Code Scanning
  --fix-prompts       Output copy-paste fix prompts for AI
  --no-ai             Skip AI analysis (faster, no API key needed)
  --ci                CI mode: exit non-zero on findings
  --fail-on <level>   Minimum severity to fail on (low|medium|high|critical) [default: high]
  --output <file>     Write output to file
  --include <globs>   Only scan matching files (comma-separated)
  --exclude <globs>   Exclude matching files (comma-separated)
  --mcp               Force MCP server analysis
  --watch             (coming soon) Re-scan on file changes
  -V, --version       Output version
  -h, --help          Show help

CI Usage

npx nullsec-guard --ci --fail-on high

Exit codes:

  • 0 — no findings at or above the threshold
  • 1 — findings found at or above the threshold

GitHub Actions

name: Security Scan
on: [push, pull_request]

# upload-sarif needs security-events: write; everything else stays read-only
permissions:
  contents: read
  security-events: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      # Fails the job when findings at or above "high" exist
      - run: npx nullsec-guard --ci --fail-on high

      # Optional: upload SARIF to GitHub Code Scanning
      - run: npx nullsec-guard --sarif --output results.sarif
        if: always()
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
        if: always()

Output Formats

JSON

npx nullsec-guard --json

Outputs a single JSON object with score, grade, findings, categoryScores, and metadata.

Markdown

npx nullsec-guard --markdown

Writes a nullsec-guard-report.md file in the scanned directory.

SARIF

npx nullsec-guard --sarif

Outputs SARIF 2.1.0 compatible with GitHub Code Scanning / upload-sarif.

Fix Prompts

npx nullsec-guard --fix-prompts

Outputs structured prompts you can paste into Claude, Cursor, or Codex to fix each issue.

AI Analysis (Optional)

Set ANTHROPIC_API_KEY to enable deeper AI-powered analysis. This sends code snippets to Claude for review beyond static patterns.

export ANTHROPIC_API_KEY=sk-ant-...
npx nullsec-guard

Without the key, all static checks still run. The --no-ai flag guarantees no calls are made to the AI API.

Privacy

  • Without AI: Scanning runs locally. The only network calls are to OSV.dev for dependency CVE lookup.
  • With AI: Code snippets are sent to Anthropic's API. Review their privacy policy if handling sensitive code.
  • No telemetry. No analytics. No accounts. No cloud.

Limitations

  • Static analysis only (no runtime/DAST). Can produce false positives.
  • Dependency scanning requires a lockfile for accurate version detection. Falls back to package.json ranges.
  • bun.lockb is a binary format and is not currently supported.
  • AI analysis requires an Anthropic API key and incurs API costs.
  • Does not scan binary files, images, or compiled artifacts.
  • Maximum scan depth: 10 directories, 200 files per run.

Roadmap

  • --watch mode (re-scan on save)
  • Custom rule definitions
  • Baseline/suppression file (ignore known findings)
  • bun.lockb support
  • HTML report output
  • VS Code extension

License

MIT

About

Security scanner for AI-generated code. Find vulnerabilities, get fix prompts, close the loop.
