code-security-scanner

SKILL.md

Code Security Scanner

Scan code repositories for malicious behavior: data theft, backdoors, code injection, supply-chain attacks, and sensitive file access. Optimized for TypeScript/JavaScript/Node.js but applicable to general codebases.

Security Auditor Mindset

Before scanning, think like an attacker:

  • Motivation: What valuable data exists in this project? (API keys, user data, financial info, cloud credentials)
  • Attack Surface: What are the entry points? (npm install lifecycle scripts such as preinstall/postinstall, runtime execution, build pipeline, CI/CD)
  • Stealth: How would an attacker hide malicious code? (obfuscation, delayed execution via setTimeout, legitimate-looking variable names, deeply nested transitive dependencies)
  • Exfil Path: How would stolen data leave? (HTTP POST, DNS queries, WebSocket, embedded in error logs, encoded in image metadata)

Ask yourself: "If I were a malicious actor with commit access or supply-chain control, where would I hide code and how would I avoid detection?"

Severity Triage Principle

Not all findings are equal. Prioritize by blast radius × stealth:
