codeprobe-scanner 1.0.9 → 1.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +159 -6
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -1,15 +1,168 @@
1
- # codeprobe
1
+ # CodeProbe
2
2
 
3
- To install dependencies:
3
+ Automated vulnerability scanner for Node.js projects. Scans your `package.json` dependencies against live security databases, verifies exploits in isolated sandboxes, generates AI patches, and shows you what's trending in npm security right now.
4
+
5
+ ```
6
+ npx codeprobe-scanner scan .
7
+ ```
8
+
9
+ ---
10
+
11
+ ## What it does
12
+
13
+ 1. **Scans your dependencies** — reads `package.json` and checks every package against [OSV.dev](https://osv.dev) (the same database behind `npm audit`)
14
+ 2. **Verifies exploits** — spins up isolated [Daytona](https://daytona.io) sandboxes to confirm whether a CVE is actually exploitable in your version, not just theoretical
15
+ 3. **Generates patches** — uses Kimi AI to produce a version-bump diff for exploitable vulnerabilities
16
+ 4. **Shows recent threats** — pulls the latest npm security advisories from GitHub's Advisory Database so you can see what attacks are trending
17
+
18
+ ---
19
+
20
+ ## Install
21
+
22
+ ```bash
23
+ npm install -g codeprobe-scanner
24
+ ```
25
+
26
+ Or run without installing:
27
+
28
+ ```bash
29
+ npx codeprobe-scanner scan .
30
+ ```
31
+
32
+ Requires [Bun](https://bun.sh) — installed automatically if not present.
33
+
34
+ ---
35
+
36
+ ## Usage
37
+
38
+ ### Scan a project
4
39
 
5
40
  ```bash
6
- bun install
41
+ codeprobe scan .
42
+ codeprobe scan ./my-app
7
43
  ```
8
44
 
9
- To run:
45
+ Output:
46
+
47
+ ```
48
+ ⚡ CodeProbe v1.0.0
49
+ 📦 Parsing dependencies...
50
+ Found 11 dependencies
51
+ 🔍 Checking OSV.dev + npm advisory database...
52
+ Found 3 CVEs
53
+ 🎯 Matching dependencies to CVEs...
54
+
55
+ SCAN COMPLETE
56
+ Risk Score: 6.4/10 (MEDIUM)
57
+
58
+ CVE Details:
59
+ CVE-2024-39338: axios 1.6.5 [HIGH] ~ Theoretical Risk
60
+ CVE-2023-45133: babel 7.22.0 [CRITICAL] ✓ CONFIRMED EXPLOITABLE
61
+ ...
62
+
63
+ 🌐 Recent npm Security Threats:
64
+ HIGH esbuild: Missing binary integrity verification enables RCE
65
+ HIGH Budibase: Auth bypass on webhook schema endpoint
66
+ ...
67
+ ```
68
+
69
+ ### Scan and auto-fix
10
70
 
11
71
  ```bash
12
- bun run index.ts
72
+ codeprobe scan . --fix
13
73
  ```
14
74
 
15
- This project was created using `bun init` in bun v1.3.14. [Bun](https://bun.com) is a fast all-in-one JavaScript runtime.
75
+ Walks you through each vulnerability interactively. For each one you approve, it:
76
+ - Updates the version in `package.json`
77
+ - Creates a git branch (`codeprobe-security-fixes-<timestamp>`)
78
+ - Commits and pushes
79
+ - Opens a pull request via GitHub CLI
80
+
81
+ ### Other commands
82
+
83
+ ```bash
84
+ codeprobe report # show last scan results again
85
+ codeprobe scan . --json # JSON output (for CI pipelines)
86
+ codeprobe scan . --verbose # detailed logs
87
+ codeprobe config get # show stored config
88
+ ```
89
+
90
+ ---
91
+
92
+ ## Configuration
93
+
94
+ No API keys are required for basic scanning — OSV.dev and the GitHub Advisory Database are free public APIs.
95
+
96
+ For exploit verification and AI patch generation, configure optional keys once:
97
+
98
+ ```bash
99
+ codeprobe config set daytona_api_key <key> # sandbox exploit verification
100
+ codeprobe config set kimi_api_key <key> # AI patch generation
101
+ codeprobe config set nosana_api_key <key> # backup LLM for patches
102
+ ```
103
+
104
+ Keys are stored encrypted at `~/.codeprobe/config.json`. You can also pass them as environment variables:
105
+
106
+ ```bash
107
+ DAYTONA_API_KEY=xxx KIMI_API_KEY=xxx codeprobe scan .
108
+ ```
109
+
110
+ | Key | Where to get it | What it enables |
111
+ |-----|----------------|-----------------|
112
+ | `DAYTONA_API_KEY` | [daytona.io](https://daytona.io) | Confirms if CVEs are truly exploitable |
113
+ | `KIMI_API_KEY` | [aimlapi.com](https://aimlapi.com) | AI-generated patch diffs |
114
+ | `NOSANA_API_KEY` | [nosana.io](https://nosana.io) | Backup LLM for patches |
115
+
116
+ ---
117
+
118
+ ## CI / GitHub Actions
119
+
120
+ ```yaml
121
+ - name: Security scan
122
+ run: npx codeprobe-scanner scan . --json > security-report.json
123
+
124
+ - name: Fail on exploitable CVEs
125
+ run: npx codeprobe-scanner scan .
126
+ # exits with code 1 if exploitable CVEs found
127
+ ```
128
+
129
+ ---
130
+
131
+ ## Exit codes
132
+
133
+ | Code | Meaning |
134
+ |------|---------|
135
+ | `0` | No vulnerabilities found |
136
+ | `1` | Vulnerabilities found |
137
+ | `2` | Scan error |
138
+
139
+ ---
140
+
141
+ ## How it works
142
+
143
+ ```
144
+ package.json
145
+
146
+
147
+ Parse deps (reads your dependencies + exact versions)
148
+
149
+
150
+ OSV.dev query (exact version match — no false positives)
151
+
152
+
153
+ Daytona sandbox (runs the exploit in isolation to confirm)
154
+
155
+
156
+ Kimi / Nosana (generates a patch diff via AI)
157
+
158
+
159
+ Report + PR (shows results, optionally opens a fix PR)
160
+ ```
161
+
162
+ No source code is sent to any external service. Only package names and versions are used for lookups.
163
+
164
+ ---
165
+
166
+ ## License
167
+
168
+ MIT
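Review bot: the "How it works" diagram at the bottom of this hunk claims an exact version match with no false positives, but the "What it does" list and the same diagram say the scanner reads `package.json`, which holds semver ranges such as `^1.6.5`, not the versions actually installed; exact resolved versions, and every transitive dependency, live only in the lockfile (`package-lock.json`, `bun.lock`). Either document that the lockfile is parsed or drop the no-false-positives claim and say precisely what is matched. Two other statements in the rewrite contradict each other: the "Exit codes" table says `1` means "Vulnerabilities found", while the CI snippet's comment says `# exits with code 1 if exploitable CVEs found`; pick one, since a CI gate behaves very differently under each. The closing line "No source code is sent to any external service" also sits directly under a diagram in which Daytona "runs the exploit in isolation" against your version and Kimi/Nosana generate a patch diff, so the README should state exactly what is transmitted to each of those services (package names and versions only, or project files). Finally, the "Scan and auto-fix" section should note that "Commits and pushes" and "Opens a pull request via GitHub CLI" require an authenticated `gh` and a configured remote, and the "installed automatically if not present" line for Bun should say how the runtime is fetched and verified, given that users are told to run this tool via `npx`.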
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "codeprobe-scanner",
3
- "version": "1.0.9",
3
+ "version": "1.0.10",
4
4
  "description": "Automated vulnerability scanner with exploit verification and video evidence",
5
5
  "type": "module",
6
6
  "bin": {