krikera/secure-npm

SECURE-NPM

🛡️ Protect your Node.js projects with advanced security scanning and AI-powered package recommendations

SECURE-NPM helps you identify and fix security vulnerabilities in your Node.js dependencies with intelligent suggestions for safer alternatives.


Why SECURE-NPM?

  • More than just npm audit: Goes beyond basic vulnerability detection
  • AI-powered recommendations: Get smart suggestions for safer alternatives
  • Multiple report formats: Easy-to-read security reports (Markdown, HTML, JSON)
  • Auto-fix capabilities: Automatically update vulnerable packages
  • Zero-cost option: Works completely offline with no API keys required

Quick Start

Installation

# Install globally (recommended)
npm install -g secure-npm

# Run a basic scan
secure-npm scan

Basic Usage

# Scan with free local AI suggestions
secure-npm scan --ai

# Automatically fix vulnerabilities
secure-npm scan --fix

# Generate a security report
secure-npm scan --report

# All features combined
secure-npm scan --ai --fix --report

Features

🔍 Advanced Vulnerability Detection

SECURE-NPM scans your project using multiple detection methods:

  • Direct vulnerabilities in your dependencies
  • Transitive vulnerabilities in the dependency tree
  • Security advisories from the npm registry

🤖 AI-Powered Recommendations

Three levels of AI suggestions to fit your needs:

  1. Free & Offline (--ai flag)
     • Built-in database of 200+ packages with known safer alternatives
     • No API keys or internet connection required
     • Instant recommendations based on vulnerability patterns
  2. Cost-Effective (--huggingface flag)
     • Uses Hugging Face Mistral 7B for enhanced recommendations
     • Only ~$0.0005/1K tokens (70% cheaper than GPT-3.5)
     • Free tier available with generous rate limits
  3. Enterprise-Grade (--openai flag)
     • Leverages OpenAI for the most detailed security analysis
     • Provides migration guidance and breaking change considerations
     • Ideal for mission-critical applications

📊 Comprehensive Reports

# Generate a markdown report (default)
secure-npm scan --report

# Generate an HTML report
secure-npm scan --report --output html

# Generate a JSON report for programmatic use
secure-npm scan --report --output json

🔧 Auto-Fix Capabilities

# Automatically upgrade vulnerable packages
secure-npm scan --fix

Command Options

Option             Description
--ai               Enable free offline AI suggestions
--huggingface      Use Hugging Face AI (requires token)
--openai           Use OpenAI (requires API key)
--fix              Auto-fix vulnerabilities when possible
--report           Generate a security report
--output <format>  Report format: markdown, html, or json
--verbose          Show detailed debug information

Using AI-Powered Features

Setting API Keys

For Hugging Face or OpenAI integration, set your API keys as environment variables:

Linux/macOS:

export HUGGINGFACE_API_TOKEN="your-token-here"
# or
export OPENAI_API_KEY="your-key-here"

Windows (Command Prompt):

set HUGGINGFACE_API_TOKEN=your-token-here
set OPENAI_API_KEY=your-key-here

Windows (PowerShell):

$env:HUGGINGFACE_API_TOKEN="your-token-here"
$env:OPENAI_API_KEY="your-key-here"

Getting API Keys

CI/CD Integration

Add SECURE-NPM to your GitHub Actions workflow:

name: Security Check

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm install -g secure-npm
      - run: secure-npm scan --ai --report --output json

Example Output

Running a scan produces helpful output like this:

📦 Scanning project for vulnerabilities...
🔍 Running npm audit...

📊 SECURE-NPM SCAN RESULTS
══════════════════════════════════

Vulnerability Summary:
Total vulnerable packages: 2
Total vulnerabilities: 3
  Critical: 1
  High: 1
  Moderate: 1
  Low: 0

Vulnerable Packages:

► lodash (critical)
  - Prototype Pollution in lodash
    Recommendation: Update to 4.17.21
  AI Suggestion:
    The prototype pollution vulnerability allows attackers to modify
    properties of the global Object prototype, potentially leading to
    application crashes or remote code execution.

    Alternatives:
      - radash: Smaller bundle size, modern API, fewer vulnerabilities
      - remeda: Functional programming utilities with TypeScript support

► marked (high)
  - Regular Expression Denial of Service
    Recommendation: Update to 15.0.0
  AI Suggestion:
    This ReDoS vulnerability could allow attackers to cause excessive
    CPU consumption, leading to denial of service.

    Alternatives:
      - markdown-it: More secure markdown parser with plugin system
      - remark: Extensible markdown processor with strong security focus

Action Recommended:
Run 'secure-npm scan --fix' to automatically fix vulnerabilities.

License

MIT License - see the LICENSE file for details.

About

Security scanner for Node.js projects with AI-powered vulnerability detection and package recommendations
