Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.nometria.com/llms.txt

Use this file to discover all available pages before exploring further.

security-scanner is a static security scanner purpose-built for AI-generated web app code. AI builders like Lovable, Bolt, v0, and Cursor frequently produce code with hardcoded secrets, missing auth guards, SQL injection patterns, and CORS misconfigs. This scanner catches those before they hit production. Zero dependencies — pure Python stdlib.

GitHub

nometria/security-scanner

PyPI

security-scanner on PyPI

Install

pip install security-scanner

Usage

# Scan your project directory
security-scan ./my-app

# JSON output (for CI/CD)
security-scan ./my-app --format json

# Scan and fail on high-severity findings
security-scan ./my-app --fail-on high

# Scan a specific file
security-scan src/api/routes.py

What it detects

Secrets and credentials

PatternExample
Hardcoded API keysconst API_KEY = "sk-proj-..."
Hardcoded passwordspassword: "admin123"
Database connection stringspostgres://user:pass@host
AWS credentialsAWS_SECRET_ACCESS_KEY = "wJal..."
Private keysPEM blocks in source files

Authentication gaps

PatternRisk
Routes without auth middlewareAnyone can call your API
Admin endpoints without role checkPrivilege escalation
JWT verification skippedToken forgery
Missing CSRF protectionCross-site attacks

Injection vulnerabilities

PatternRisk
SQL string concatenationSQL injection
Unvalidated eval() / exec()Code injection
Path traversal patternsDirectory traversal
XSS via innerHTML with user inputCross-site scripting

Configuration issues

PatternRisk
CORS: * in productionAny origin can call your API
Missing security headersClickjacking, MIME sniffing
Debug mode enabledExposes stack traces
Insecure cookie flagsSession hijacking

Example output

Scanning ./my-app...

HIGH   src/api/users.js:47      Hardcoded API key detected
HIGH   src/routes/admin.js:12   Admin route without authentication
MEDIUM src/db/queries.js:23     SQL string concatenation (potential injection)
MEDIUM src/index.js:8           CORS configured to allow all origins
LOW    src/utils/debug.js:3     Debug logging enabled

5 findings: 2 high, 2 medium, 1 low

Use in CI/CD

# GitHub Actions example
- name: Security scan
  run: |
    pip install security-scanner
    security-scan . --format json --fail-on high > security-report.json
Run this scanner before migrating a vibe-coded app to production. AI builders often leave hardcoded API keys and missing auth guards that are safe during development but critical in production.