{"id":47278879,"url":"https://github.com/ayaxsoft/route-auditor","last_synced_at":"2026-04-02T16:10:11.184Z","repository":{"id":344324240,"uuid":"1179392908","full_name":"ayaxsoft/route-auditor","owner":"ayaxsoft","description":"CLI to audit routes in Next.js apps","archived":false,"fork":false,"pushed_at":"2026-03-22T13:36:16.000Z","size":2889,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-23T04:58:21.085Z","etag":null,"topics":["audit","cli","nextjs","route-checker","routes"],"latest_commit_sha":null,"homepage":"https://route-auditor.vercel.app","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ayaxsoft.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-03-12T01:33:10.000Z","updated_at":"2026-03-22T15:09:21.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ayaxsoft/route-auditor","commit_stats":null,"previous_names":["ayaxsoft/route-auditor"],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/ayaxsoft/route-auditor","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayaxsoft%2Froute-auditor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayaxsoft%2Froute-auditor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayaxsoft%2Froute-auditor/releases","manifests_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayaxsoft%2Froute-auditor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ayaxsoft","download_url":"https://codeload.github.com/ayaxsoft/route-auditor/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayaxsoft%2Froute-auditor/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31309671,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","cli","nextjs","route-checker","routes"],"created_at":"2026-03-15T20:58:39.895Z","updated_at":"2026-04-02T16:10:11.177Z","avatar_url":"https://github.com/ayaxsoft.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# \u003cimg src=\"packages/web/public/logo.svg\" alt=\"route-auditor logo\" width=\"28\" height=\"28\" style=\"vertical-align: text-bottom\" /\u003e route-auditor\n\nCatch security issues in your Next.js routes before they reach production.\n\nScans App Router, Pages Router, and API Routes — detecting missing authentication, CSRF gaps, permissive CORS, hardcoded secrets, and more. 
Stack-aware: fix suggestions are tailored to your detected auth library, validation library, and rate-limiting solution.\n\n## Quick Start\n\n```bash\nnpx @route-auditor/cli audit .\n```\n\n```\n⚡ route-auditor\nAudit Next.js routes for security issues.\n\n  [HIGH] Unprotected API Route  ·  3 routes\n         OWASP A01:2021 – Broken Access Control\n\n         → /api/users          app/api/users/route.ts\n         → /api/posts/[id]     app/api/posts/[id]/route.ts\n\n         Fix: Use getServerSession(authOptions) to verify the session.  (low effort)\n\n  85 / 100  Good\n  █████████████████████████████████░░░░░░░\n\n  3 vulnerabilities across 34 routes in 0.0s\n```\n\n## Commands\n\n| Command         | Description                                         |\n| --------------- | --------------------------------------------------- |\n| `audit [dir]`   | Scan a Next.js project for security vulnerabilities |\n| `rules [dir]`   | List all rules with their enabled/disabled status   |\n| `rules disable` | Interactively select rules to disable               |\n| `rules enable`  | Interactively select rules to enable                |\n| `init`          | Generate a `route-auditor.config.json` config file  |\n| `report \u003cfile\u003e` | Re-render a saved JSON audit in any output format   |\n\n## Audit Options\n\n| Option                   | Description                                               | Default   |\n| ------------------------ | --------------------------------------------------------- | --------- |\n| `-o, --output \u003cformat\u003e`  | Output format: `console`, `json`, `sarif`                 | `console` |\n| `-s, --severity \u003clevel\u003e` | Minimum severity: `critical` `high` `medium` `low` `info` | `info`    |\n| `--fail-on \u003clevel\u003e`      | Exit with code 1 if issues at this severity or higher     | —         |\n| `--file \u003cpath\u003e`          | Write output to file instead of stdout                    | —         |\n| `--config 
\u003cpath\u003e`        | Path to `route-auditor.config.json`                       | —         |\n| `-w, --watch`            | Watch for file changes and re-run the audit               | —         |\n\n## Rules\n\n| ID                | Name                         | Severity | Description                                               |\n| ----------------- | ---------------------------- | -------- | --------------------------------------------------------- |\n| `RW-AUTH-001`     | Unprotected API Route        | high     | API route with no auth check                              |\n| `RW-AUTH-002`     | Missing CSRF Protection      | high     | Server Action with no CSRF guard                          |\n| `RW-AUTH-003`     | Unprotected Sensitive Page   | medium   | Admin/dashboard page with no auth check                   |\n| `RW-CORS-001`     | Permissive CORS Policy       | high     | Wildcard `Access-Control-Allow-Origin: *`                 |\n| `RW-ENV-001`      | Exposed Environment Variable | high     | Sensitive env var leaked in a response                    |\n| `RW-WEBHOOK-001`  | Missing Webhook Verification | high     | Webhook route with no signature verification              |\n| `RW-PATH-001`     | Path Traversal               | high     | Filesystem operation using unvalidated user input         |\n| `RW-SECRET-001`   | Hardcoded Secret             | critical | API key or secret hardcoded in source code                |\n| `RW-RATE-001`     | Missing Rate Limiting        | medium   | API route with no rate-limit (high on auth endpoints)     |\n| `RW-INPUT-001`    | Missing Input Validation     | medium   | POST/PUT route that parses body without schema validation |\n| `RW-REDIRECT-001` | Open Redirect                | medium   | `redirect()` called with unvalidated user-supplied URL    |\n| `RW-COOKIE-001`   | Insecure Cookie              | medium   | Cookie set without `HttpOnly`, `Secure`, or `SameSite`    |\n\n## CI Integration\n\n### GitHub 
Action\n\nAdd to `.github/workflows/route-auditor.yml` in your repository:\n\n```yaml\nname: Route Auditor\n\non:\n  push:\n    branches: [main]\n  pull_request:\n\njobs:\n  audit:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: ayaxsoft/route-auditor@v1\n        with:\n          fail-on: high\n```\n\nThe action automatically posts audit results as a PR comment and updates it on each push.\n\n#### With SARIF upload (GitHub Code Scanning)\n\n```yaml\nsteps:\n  - uses: actions/checkout@v4\n  - uses: ayaxsoft/route-auditor@v1\n    with:\n      sarif-file: results.sarif\n      fail-on: high\n  - uses: github/codeql-action/upload-sarif@v3\n    if: always()\n    with:\n      sarif_file: results.sarif\n```\n\n#### Action inputs\n\n| Input        | Description                                         | Default  |\n| ------------ | --------------------------------------------------- | -------- |\n| `directory`  | Path to the Next.js project to audit                | `.`      |\n| `severity`   | Minimum severity to report                          | `info`   |\n| `fail-on`    | Fail if issues at this severity or higher are found | —        |\n| `sarif-file` | Write SARIF output to this file path                | —        |\n| `config`     | Path to `route-auditor.config.json`                 | —        |\n| `version`    | Version of `@route-auditor/cli` to use              | `latest` |\n\n### CLI\n\n```bash\n# Fail the pipeline if any high or critical vulnerabilities are found\nroute-auditor audit . --fail-on high\n\n# Export a SARIF report for GitHub Code Scanning\nroute-auditor audit . 
--output sarif --file results.sarif\n```\n\n## Configuration\n\nRun `route-auditor init` to generate a config file, or create `route-auditor.config.json` manually:\n\n```json\n{\n  \"severity\": \"medium\",\n  \"failOn\": \"high\",\n  \"rules\": {\n    \"RW-RATE-001\": false\n  },\n  \"ignore\": [\"/api/health\", \"/api/public/*\", \"/api/internal/**\"]\n}\n```\n\nAll rules are enabled by default. Set a rule to `false` to disable it, or use `route-auditor rules disable` to manage rules interactively.\n\n## Contributing\n\n```bash\ngit clone https://github.com/ayaxsoft/route-auditor\ncd route-auditor\npnpm install\npnpm build\n```\n\nRun locally:\n\n```bash\nnode packages/cli/dist/index.js audit /path/to/your/nextjs-project\n```\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fayaxsoft%2Froute-auditor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fayaxsoft%2Froute-auditor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fayaxsoft%2Froute-auditor/lists"}
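The README above lists the rules and the config keys but does not show how a rule turns source text into a finding, or how `ignore` globs, the `severity` floor, `rules` toggles and `failOn` combine into an exit code. The following is an added example, not route-auditor's own code: a toy textual checker that mirrors the intent of three rules from the table (RW-AUTH-001, RW-CORS-001, RW-COOKIE-001) and the config shown in the Configuration section. The regexes, the list of auth helper names, the sample route sources and the config object are all assumptions constructed here; the real tool parses the project and is stack-aware, so its heuristics differ.

```typescript
// Added illustration, NOT route-auditor's own code. Toy textual versions of
// RW-AUTH-001 / RW-CORS-001 / RW-COOKIE-001 plus the config semantics
// (ignore globs, severity floor, rule toggles, failOn exit code).
type Severity = "critical" | "high" | "medium" | "low" | "info";
const RANK: Record<Severity, number> = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

export interface Finding { rule: string; severity: Severity; route: string; message: string; }
export interface Config {
  severity?: Severity;              // minimum severity to report (default: info)
  failOn?: Severity;                // exit 1 if any finding is at this level or higher
  rules?: Record<string, boolean>;  // rule id -> false disables that rule
  ignore?: string[];                // route globs: `*` = one segment, `**` = any depth
}

// Assumed list of session helpers whose presence counts as "the route checks auth".
const AUTH_CALLS = [/getServerSession\s*\(/, /\bauth\s*\(\s*\)/, /getToken\s*\(/, /withAuth\s*\(/];
// `"Access-Control-Allow-Origin": "*"` in a headers object, or headers.set(name, "*").
const CORS_WILDCARD = /Access-Control-Allow-Origin["']?\s*[:,]\s*["']\*["']/;
// cookies().set(name, value) or res.cookies.set(name, value, { ...opts }); group 1 = opts.
const COOKIE_SET = /cookies(?:\(\))?\s*\.set\(\s*["'][^"']+["']\s*,\s*[^,()]+?\s*(?:,\s*(\{[^}]*\}))?\s*\)/g;

export function checkRoute(route: string, src: string): Finding[] {
  const out: Finding[] = [];
  if (route.indexOf("/api/") === 0 && !AUTH_CALLS.some((re) => re.test(src))) {
    out.push({ rule: "RW-AUTH-001", severity: "high", route, message: "API route with no auth check" });
  }
  if (CORS_WILDCARD.test(src)) {
    out.push({ rule: "RW-CORS-001", severity: "high", route, message: "Wildcard Access-Control-Allow-Origin" });
  }
  COOKIE_SET.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = COOKIE_SET.exec(src)) !== null) {
    const opts = m[1] || "";   // no options object at all => every flag is missing
    const missing = ["httpOnly", "secure", "sameSite"].filter((k) => !new RegExp("\\b" + k + "\\s*:").test(opts));
    if (missing.length > 0) {
      out.push({ rule: "RW-COOKIE-001", severity: "medium", route, message: "Cookie set without " + missing.join(", ") });
    }
  }
  return out;
}

// `/api/public/*` matches one path segment, `/api/internal/**` any depth, anything else literally.
export function globToRegExp(glob: string): RegExp {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob.charAt(i);
    if (c === "*" && glob.charAt(i + 1) === "*") { re += ".*"; i++; }
    else if (c === "*") re += "[^/]*";
    else re += c.replace(/[.+?^${}()|[\]\\]/, "\\$&");   // escape regex metacharacters such as [id]
  }
  return new RegExp("^" + re + "$");
}

export function audit(routes: Record<string, string>, cfg: Config): { findings: Finding[]; exitCode: number } {
  const ignore = (cfg.ignore || []).map(globToRegExp);
  const floor = RANK[cfg.severity || "info"];
  const failAt = cfg.failOn ? RANK[cfg.failOn] : Infinity;
  const findings: Finding[] = [];
  for (const route of Object.keys(routes)) {
    if (ignore.some((re) => re.test(route))) continue;          // ignored routes are never scanned
    for (const f of checkRoute(route, routes[route])) {
      const enabled = !cfg.rules || cfg.rules[f.rule] !== false;
      if (enabled && RANK[f.severity] >= floor) findings.push(f);
    }
  }
  return { findings, exitCode: findings.some((f) => RANK[f.severity] >= failAt) ? 1 : 0 };
}

// Constructed sample route sources keyed by route path (not from any real project).
export const SAMPLE_ROUTES: Record<string, string> = {
  "/api/users": [
    "export async function GET() {",
    "  const users = await db.user.findMany();",
    '  return Response.json(users, { headers: { "Access-Control-Allow-Origin": "*" } });',
    "}"].join("\n"),
  "/api/posts/[id]": [
    'import { getServerSession } from "next-auth";',
    "export async function GET(_req: Request, { params }: { params: { id: string } }) {",
    "  const session = await getServerSession(authOptions);",
    '  if (!session) return new Response("Unauthorized", { status: 401 });',
    "  return Response.json(await db.post.findUnique({ where: { id: params.id } }));",
    "}"].join("\n"),
  "/api/account/token": [
    'import { cookies } from "next/headers";',
    "export async function POST() {",
    "  const session = await getServerSession(authOptions);",
    '  if (!session) return new Response("Unauthorized", { status: 401 });',
    "  const token = await issueToken(session.user);",
    '  cookies().set("api_token", token, { httpOnly: true });',
    "  return new Response(null, { status: 204 });",
    "}"].join("\n"),
  "/api/health": "export function GET() { return Response.json({ ok: true }); }",
  "/api/public/docs": "export function GET() { return Response.json(openapi); }",
  "/api/internal/metrics/raw": "export function GET() { return Response.json(metrics); }",
};

// Same shape as the route-auditor.config.json shown in the Configuration section.
export const SAMPLE_CONFIG: Config = {
  severity: "medium", failOn: "high",
  rules: { "RW-RATE-001": false },
  ignore: ["/api/health", "/api/public/*", "/api/internal/**"],
};

const result = audit(SAMPLE_ROUTES, SAMPLE_CONFIG);
for (const f of result.findings) console.log("[" + f.severity.toUpperCase() + "] " + f.rule + " " + f.route + ": " + f.message);
console.log("exit code " + result.exitCode);
```

Against these samples the checker reports two high findings on `/api/users` (no session check, wildcard CORS) and one medium finding on `/api/account/token` (cookie set without `secure` and `sameSite`), and exits 1 because `failOn` is `high`; `/api/health`, `/api/public/docs` and `/api/internal/metrics/raw` are skipped by the ignore globs. Note the limits a textual heuristic has: a route protected by middleware rather than an in-file call would be a false positive for RW-AUTH-001, which is why a real tool needs project-wide analysis and why `ignore` exists.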