This is a defensive security tool. It finds, explains, prioritizes, and helps fix vulnerabilities in code and applications you own or are explicitly authorized to test.
- Static analysis is read-only. The category hunters and scanners read your code; they never execute it.
- Live/dynamic testing requires explicit authorization.
/sec:dynamicrefuses to send a single request unlesssecurity/sec.config.jsoncontains anauthorizationblock whoseallowedOriginscover the target — enforced in code (scripts/authz.mjs), not just prompts. Probes are non-destructive (GET-first, canary reflection only, no fuzzing; nucleiintrusive/fuzz/dostags excluded). - Cloud reads are opt-in and read-only.
/sec:nhi --cloudinherits your existing CLI sessions and only ever issuesget/list/describecalls; the plugin never stores cloud credentials. It is account-allowlisted. - The fixer never weakens a control to silence a finding, and pauses for human review on any
patch touching authentication or cryptography.
/sec:rotateonly plans a rotation; it never rotates a live secret.
Proof-of-concept evidence is generated only as far as needed to confirm a finding — never weaponized exploits, never against third-party systems.
fixtures/vuln-app/ is a deliberately vulnerable application used to measure the tool's
recall and false-positive rate. It contains intentional, non-functional planted secrets —
specifically AWS's documented example credentials (AKIAIOSFODNN7EXAMPLE /
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), which GitHub and secret scanners recognize as fakes.
There are no real credentials anywhere in this repository. Do not deploy the fixture app.
If you find a security issue in the plugin itself, please open a GitHub issue (for a non-sensitive report) or contact the maintainer privately for anything exploitable. There is no bug bounty; this is an open-source project.