{"id":49207792,"url":"https://github.com/rayentr/ironward","last_synced_at":"2026-04-29T00:01:21.134Z","repository":{"id":353148392,"uuid":"1218179571","full_name":"rayentr/ironward","owner":"rayentr","description":"Security scanning for the vibe coding era — MCP server + CLI + GitHub Action. 9 tools, 665 secret patterns, 27 static rules. Four tools run fully offline, no API key.","archived":false,"fork":false,"pushed_at":"2026-04-23T22:26:09.000Z","size":375,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-24T20:33:11.790Z","etag":null,"topics":["claude-code","cursor","cve-scanner","mcp","model-context-protocol","osv","sast","secret-detection","security","static-analysis","typescript","vibe-coding","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/ironward","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rayentr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-22T16:01:03.000Z","updated_at":"2026-04-23T22:26:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"2396f9f0-4387-4799-ad3c-3521a99d79f8","html_url":"https://github.com/rayentr/ironward","commit_stats":null,"previous_names":["rayentr/ironward"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/rayentr/ironward","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r
ayentr%2Fironward","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rayentr%2Fironward/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rayentr%2Fironward/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rayentr%2Fironward/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rayentr","download_url":"https://codeload.github.com/rayentr/ironward/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rayentr%2Fironward/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32276628,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-25T18:29:39.964Z","status":"ssl_error","status_checked_at":"2026-04-25T18:29:32.149Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["claude-code","cursor","cve-scanner","mcp","model-context-protocol","osv","sast","secret-detection","security","static-analysis","typescript","vibe-coding","vulnerability-scanner"],"created_at":"2026-04-23T19:00:50.025Z","updated_at":"2026-04-25T21:00:43.821Z","avatar_url":"https://github.com/rayentr.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eIronward\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\u003cem\u003eSecurity scanning for the 
vibe coding era.\u003c/em\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.npmjs.com/package/ironward\"\u003e\u003cimg alt=\"npm\" src=\"https://img.shields.io/npm/v/ironward?color=9af99a\u0026label=npm\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/rayentr/ironward/actions\"\u003e\u003cimg alt=\"tests\" src=\"https://img.shields.io/badge/tests-286%2F286-9af99a\"\u003e\u003c/a\u003e\n  \u003ca href=\"./vscode-extension\"\u003e\u003cimg alt=\"vscode\" src=\"https://img.shields.io/badge/VS%20Code-extension-9af99a\"\u003e\u003c/a\u003e\n  \u003ca href=\"./LICENSE\"\u003e\u003cimg alt=\"license\" src=\"https://img.shields.io/badge/license-MIT-9af99a\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.com/package/ironward\"\u003e\u003cimg alt=\"downloads\" src=\"https://img.shields.io/npm/dm/ironward?color=9af99a\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  An open-source \u003cstrong\u003eMCP server\u003c/strong\u003e, \u003cstrong\u003eCLI\u003c/strong\u003e, and \u003cstrong\u003eGitHub Action\u003c/strong\u003e that finds\n  hardcoded secrets, auth bugs, SQL injection, XSS, IDOR, and vulnerable dependencies in your code —\n  and opens a fix PR. Eight of its thirteen tools need no API key.\n\u003c/p\u003e\n\n---\n\n## Install\n\n```bash\n# Scan the current project — no install, no API key.\nnpx ironward scan .\n```\n\nThat's it. 
Needs no API key, streams findings, and exits non-zero on critical or high findings so CI fails.\n\nOr install globally:\n\n```bash\nnpm install -g ironward\nironward scan ./src\n```\n\n---\n\n## The 13 tools\n\n| Tool | Runtime | What it finds |\n|------|---------|---------------|\n| `scan_for_secrets` | **Offline** | 665 pattern families — AWS, GCP, Azure, Stripe, PayPal, GitHub, OpenAI, Anthropic, Supabase, PlanetScale, Ethereum/Solana wallets, Firebase, + Shannon entropy |\n| `scan_code` | **Offline** | 61 static rules — `eval`, command injection, path traversal, weak crypto, SSRF, XXE, NoSQL/LDAP injection, template injection, timing-unsafe comparisons, Python-specific (pickle, yaml.load, subprocess shell=True) |\n| `scan_deps` | **No API key** (queries OSV.dev) | OSV.dev CVE lookup + typosquat detection + known-malware list + abandoned packages + license compliance |\n| `scan_url` | **No API key** (contacts the target) | Letter-graded web scan — headers, CORS, cookies, exposed `.env` / `.git`, source maps, admin panels, API docs, Supabase/Firebase keys, TLS expiry |\n| `scan_docker` | **Offline** | Dockerfile + docker-compose — root user, `privileged:true`, sensitive host mounts, secrets in ENV/ARG, `:latest` tags, `curl \\| sh`, exposed SSH/DB ports |\n| `scan_k8s` | **Offline** | Kubernetes manifests — privileged containers, `hostNetwork`, dangerous capabilities (SYS_ADMIN, ALL), missing resource limits, secrets in env literals, default service accounts |\n| `scan_infra` | **Offline** | Terraform + CloudFormation — public S3, 0.0.0.0/0 security groups, publicly-accessible RDS, IAM `*` policies, unencrypted EBS, GCP allUsers ACLs, Azure open NSGs |\n| `scan_github` | **Offline** | GitHub Actions — `pull_request_target` + checkout (PR arbitrary-code-execution), expression injection via `${{ github.event.* }}` in `run:`, unpinned action versions, write-all permissions, artifact leaks |\n| `scan_auth_logic` | AI | Backwards auth checks, missing ownership, privilege escalation, bypassable middleware, JWT `alg:none` acceptance, 
session fixation |\n| `scan_sqli` | AI | SQL injection across JS/TS, Python, Go, Ruby, PHP, Java — string concat, template literals, ORM `raw` / `$queryRawUnsafe` |\n| `scan_xss` | AI | DOM + server-side XSS — `innerHTML`, `dangerouslySetInnerHTML`, Vue `v-html`, Svelte `{@html}`, EJS unescaped, reflected Express/Koa responses |\n| `scan_idor` | AI | Routes reading an ID from params without an owner check. Prisma/Mongoose mass-assignment via `data: req.body` |\n| `fix_and_pr` | AI | Generates surgical multi-file patches with validation loop — re-scans the fix before opening the PR |\n\n**Bring your own model.** AI tools work with Anthropic, OpenAI, Gemini, Groq, or a fully-local Ollama install. The AI tools send the code they inspect to that provider; Ollama is the option that keeps it on your machine.\n\n---\n\n## Demo\n\n```\n$ npx ironward scan ./src\nIronward — offline scan of ./src\n\n── scan-secrets ──\nsrc/config.js\n  [CRITICAL] L14:1  AWS access key ID  (aws_access_key)\n      AKIA***REDACTED***\n\n── scan-code ──\nsrc/api/upload.js\n  [HIGH] L42:5  eval() call  (eval-call)\n      why: eval executes arbitrary code — a direct RCE sink when fed user input.\n      fix: Remove eval. Parse data explicitly (JSON.parse); `new Function` is the same sink, not a replacement.\n\n── scan-deps ──\n2 vulnerabilities across 14 dependencies — 1 critical, 1 high, 0 medium.\n\n[CRITICAL] lodash@4.17.15  GHSA-p6mc-m468-83gw  — fixed in 4.17.19\n  Prototype pollution in lodash\n\nDone in 412ms.  Exit 2.\n```\n\nExit codes: `0` clean · `1` low/medium findings · `2` critical or high findings (fails CI).\n\n---\n\n## `ironward login` — use AI-powered scanners\n\nOffline tools are always on. To enable `scan_auth_logic`, `scan_sqli`, `scan_xss`, `scan_idor`, and `fix_and_pr`, pick a provider:\n\n```bash\nironward login\n```\n\nInteractive picker:\n\n```\nIronward — pick an AI provider.\n\n  1. Anthropic   — Claude Opus/Sonnet — best reasoning\n  2. OpenAI      — GPT-4o — great alternative\n  3. Google      — Gemini 1.5 Pro — good for XSS/SQLi\n  4. Groq        — Llama 3 — fastest, cheapest\n  5. 
Ollama      — Local — free, private, no cloud\n  6. Skip        — offline tools only\n\nChoose a provider [1-6]:\n```\n\nKey is stored in `~/.ironward/config.json` (chmod 600) and is sent only to the provider you picked; there is no Ironward service in between.\n\n```bash\nironward whoami     # show current provider + model\nironward logout     # remove saved config\nironward free       # list tools that work without any API key\n```\n\n---\n\n## Use in Cursor / Claude Code / VS Code\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eCursor\u003c/strong\u003e\u003c/summary\u003e\n\n```json\n// ~/.cursor/mcp.json\n{\n  \"mcpServers\": {\n    \"ironward\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"ironward@latest\"],\n      \"env\": { \"ANTHROPIC_API_KEY\": \"sk-ant-...\" }\n    }\n  }\n}\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eClaude Code\u003c/strong\u003e\u003c/summary\u003e\n\n```bash\nclaude mcp add ironward -- npx -y ironward@latest\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eVS Code\u003c/strong\u003e\u003c/summary\u003e\n\n```json\n// .vscode/mcp.json\n{\n  \"servers\": {\n    \"ironward\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"ironward@latest\"]\n    }\n  }\n}\n```\n\u003c/details\u003e\n\n`ANTHROPIC_API_KEY` (or any other provider key) is only required for the AI tools. Offline tools work without it. If you do put a key in an MCP config file, keep that file out of version control: `.vscode/mcp.json` lives inside the repository. `ironward@latest` resolves to whatever npm currently publishes, so pin an exact version where you want the scanner itself to be reproducible.\n\n---\n\n## GitHub Action\n\nScan on every push and pull request. 
Inline PR annotations, job summary with full findings table, zero config.\n\n```yaml\n# .github/workflows/security.yml\nname: Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: rayentr/ironward/github-action@v1\n        with:\n          fail-on: critical\n```\n\nFull configuration and outputs in [github-action/README.md](./github-action/README.md).\n\n---\n\n## CLI reference\n\n```\nScanning\n  ironward scan \u003cpath\u003e              run every offline scanner (auto-detects IaC files)\n  ironward scan-secrets \u003cpath\u003e...   665 pattern families\n  ironward scan-code \u003cpath\u003e...      61 static analysis rules\n  ironward scan-deps \u003cpath\u003e...      OSV CVE + typosquat / malware / license\n  ironward scan-url \u003chttps-url\u003e     security headers, TLS, exposed files\n  ironward scan-docker \u003cpath\u003e...    Dockerfile + docker-compose\n  ironward scan-k8s \u003cpath\u003e...       Kubernetes manifests\n  ironward scan-infra \u003cpath\u003e...     Terraform + CloudFormation\n  ironward scan-github \u003cpath\u003e...    GitHub Actions workflows\n\nProvider\n  ironward login                    pick AI provider (interactive)\n  ironward logout / whoami / free\n\nMisc\n  ironward --version\n  ironward --help\n\nOutput format\n  --format json                     machine-readable output for CI\n  --format text                     (default)\n```\n\n---\n\n## VS Code extension\n\nIronward ships a native VS Code extension — inline squiggles, scan on save, status bar count, and a one-click \"suppress this finding\" quick-fix. 
Bundled standalone — no CLI install needed.\n\n```bash\n# Marketplace\ncode --install-extension rayentr.ironward\n\n# Or from a local .vsix build\ncd vscode-extension \u0026\u0026 npm install \u0026\u0026 npm run package\ncode --install-extension ironward-vscode.vsix\n```\n\nSettings: `ironward.scanOnSave`, `ironward.minConfidence`, `ironward.enabledScanners`. See the [extension README](./vscode-extension/README.md) for details.\n\n---\n\n## SARIF + JUnit + webhooks\n\nIronward fits into the tools your team already uses.\n\n```bash\n# GitHub Security tab\nironward scan-secrets --format sarif . \u003e results.sarif\n# Then in GitHub Actions. The job needs `permissions: security-events: write`,\n# and the upload step needs `if: always()`: ironward exits 2 on findings, which\n# marks the scan step failed and would otherwise skip the upload.\n#   - uses: github/codeql-action/upload-sarif@v3\n#     if: always()\n#     with: { sarif_file: results.sarif }\n\n# Jenkins / CircleCI / GitLab / Azure DevOps test panels\nironward scan-code --format junit . \u003e results.xml\n\n# Slack (or any POST endpoint)\nironward scan-secrets . --webhook \"$SLACK_WEBHOOK_URL\"\n```\n\nThe webhook payload auto-detects Slack (`hooks.slack.com`) and emits Block Kit with rich formatting; any other URL receives raw JSON. Treat the webhook URL itself as a secret: anyone who has it can post into that channel.\n\n---\n\n## Watch mode + git pre-commit hook\n\n**`ironward watch`** — file watcher that re-scans on every save. Ctrl-C to stop.\n\n```bash\nironward watch ./src\n# 🛡  Ironward watching src — Ctrl-C to stop\n# 14:32:07  src/api/auth.ts\n#   [CRITICAL] L42  jwt-alg-none  conf=95\n```\n\n**`ironward install-hooks`** — installs a git pre-commit hook that blocks commits with critical/high findings. Respects `core.hooksPath` (husky, lefthook, …) and preserves existing hook content.\n\n```bash\ncd myproject\nironward install-hooks\n# git commit now blocks on findings\n# bypass once: git commit --no-verify\n# remove entirely: ironward uninstall-hooks\n```\n\n---\n\n## Incremental scanning + `.ironwardignore`\n\nIronward caches per-file scan results at `~/.ironward/cache.json` keyed by content hash. 
On re-scan, unchanged files are served from cache — typically **5–10×** faster on warm runs.\n\nPre-commit hooks become instant:\n\n```bash\n# Only scan files about to be committed.\nironward scan-secrets --staged\n\n# Or files changed relative to a branch.\nironward scan-secrets --since=main\n\n# Bust the cache if you need a fresh run.\nironward scan-secrets --no-cache .\n```\n\nBoth flags scan the current content of the selected files, not git history: a secret that was committed earlier is still in the repository until it is rotated.\n\nExclude files via `.ironwardignore` (gitignore syntax):\n\n```\n# .ironwardignore\nfixtures/synthetic-secrets/\ngenerated/\n*.test.ts\n```\n\nIronward also honors your existing `.gitignore`. Be deliberate about excluding test directories: committed fixtures are a common home for real credentials.\n\n---\n\n## What makes it different\n\n- **Offline-first.** Eight of the thirteen tools need no API key. They run with zero network, except `scan_deps`, which queries OSV.dev for CVE lookups, and `scan_url`, which has to reach the site it scans. Bring an API key only when you want AI reasoning for auth/SQLi/XSS/IDOR.\n- **It fixes the bug, not just finds it.** `fix_and_pr` generates multi-file patches and re-scans the fix before opening a PR.\n- **Bring your own model.** Anthropic, OpenAI, Gemini, Groq, Ollama. Your key stays local and goes only to the provider you pick. No Ironward cloud.\n- **Three-line install.** No signup, no SSO handshake, no per-seat pricing.\n- **Self-scanned.** Ironward scans its own source on every commit — **zero findings**.\n\n---\n\n## Contributing\n\nPRs welcome. The codebase is small and well-tested:\n\n```bash\ngit clone https://github.com/rayentr/ironward\ncd ironward\nnpm install\nnpm test          # 166 tests, all offline, no API calls\nnpm run build\nnode dist/bin.js scan ./src\n```\n\nGood first issues:\n\n- Add a new secret-pattern family — edit [`patterns/secrets.json`](./patterns/secrets.json) and add a fixture to [`tests/fixtures/categories/`](./tests/fixtures/categories).\n- Add a static-analysis rule — edit [`src/engines/code-rules.ts`](./src/engines/code-rules.ts).\n- Teach `scan_url` a new probe — [`src/engines/url-scanner.ts`](./src/engines/url-scanner.ts).\n\nEvery new pattern/rule must ship with a test. 
The scanner must stay self-clean (`node dist/bin.js scan ./src` returns 0 findings).\n\n---\n\n## License\n\n[MIT](./LICENSE) — free to use, fork, ship.\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003csub\u003eBuilt by \u003ca href=\"https://github.com/rayentr\"\u003e@rayentr\u003c/a\u003e.\n  \u003cbr\u003eStar the repo if Ironward saved you from shipping a secret. ⭐\u003c/sub\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frayentr%2Fironward","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frayentr%2Fironward","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frayentr%2Fironward/lists"}
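The README above describes `scan_for_secrets` as regex pattern families plus Shannon entropy, gives a 0/1/2 exit-code policy, and describes incremental scanning as a per-file cache keyed by content hash. The following is an added example, written for this page and not Ironward's own code, that shows how those three pieces fit together. The pattern list (two public key formats), the severities, the 4.0-bit entropy threshold, the `patterns-v1` rule-set label and the sample file are all assumptions made for the example; the `AKIA…` value is the AWS documentation example key.

```typescript
// Added example, not Ironward's own code: a regex-plus-entropy secret scanner,
// the README's 0/1/2 exit-code policy, and a content-hash result cache.
// Pattern list, severities, threshold and sample file are assumptions.
import { createHash } from "node:crypto";

export type Severity = "critical" | "high" | "medium" | "low";

export interface Finding {
  file: string;
  line: number;
  column: number;
  ruleId: string;
  severity: Severity;
  redacted: string;
}

interface Pattern { id: string; regex: RegExp; severity: Severity }

// Two named families (public key formats); a real list carries hundreds.
const PATTERNS: Pattern[] = [
  { id: "aws_access_key", regex: /\b(AKIA|ASIA)[0-9A-Z]{16}\b/g, severity: "critical" },
  { id: "github_pat", regex: /\bghp_[A-Za-z0-9]{36}\b/g, severity: "critical" },
];
const QUOTED_TOKEN = /["']([A-Za-z0-9+/=_\-]{20,})["']/g;
const ENTROPY_THRESHOLD = 4.0; // bits per char: random base64 is near 5, prose near 3

// Shannon entropy of a string in bits per character.
export function shannonEntropy(s: string): number {
  const counts = new Map<string, number>();
  for (let i = 0; i < s.length; i++) {
    const ch = s.charAt(i);
    counts.set(ch, (counts.get(ch) ?? 0) + 1);
  }
  let h = 0;
  counts.forEach((n) => {
    const p = n / s.length;
    h -= p * Math.log2(p);
  });
  return h;
}

// Report only a prefix so the scanner's own output never leaks the secret.
const redact = (m: string): string => m.slice(0, 4) + "***REDACTED***";

export function scanText(file: string, text: string): Finding[] {
  const findings: Finding[] = [];
  text.split("\n").forEach((lineText, i) => {
    const before = findings.length;
    for (const p of PATTERNS) {
      p.regex.lastIndex = 0; // shared global regex: reset before each line
      let m: RegExpExecArray | null;
      while ((m = p.regex.exec(lineText)) !== null) {
        findings.push({ file, line: i + 1, column: m.index + 1, ruleId: p.id,
          severity: p.severity, redacted: redact(m[0]) });
      }
    }
    if (findings.length > before) return; // a named family already claimed this line
    // Entropy fallback for keys no pattern knows. It is also where most false
    // positives come from, so it gets its own rule id and a lower severity.
    QUOTED_TOKEN.lastIndex = 0;
    let q: RegExpExecArray | null;
    while ((q = QUOTED_TOKEN.exec(lineText)) !== null) {
      if (shannonEntropy(q[1]) > ENTROPY_THRESHOLD) {
        findings.push({ file, line: i + 1, column: q.index + 2, ruleId: "high_entropy_string",
          severity: "medium", redacted: redact(q[1]) });
      }
    }
  });
  return findings;
}

// README exit codes: 2 on critical/high (fails CI), 1 on low/medium, 0 when clean.
export function exitCode(findings: Finding[]): 0 | 1 | 2 {
  if (findings.some((f) => f.severity === "critical" || f.severity === "high")) return 2;
  return findings.length > 0 ? 1 : 0;
}

// Incremental scanning: results keyed by sha256(content), so a renamed or copied
// file is a cache hit. The rule-set version is folded into the key; without it,
// adding a pattern would keep serving stale "clean" verdicts for cached files.
export class ScanCache {
  private readonly entries = new Map<string, Finding[]>();
  private readonly rulesVersion: string;
  hits = 0;
  misses = 0;
  constructor(rulesVersion: string) { this.rulesVersion = rulesVersion; }

  scan(file: string, content: string): Finding[] {
    const key = createHash("sha256").update(this.rulesVersion + "\0" + content).digest("hex");
    const cached = this.entries.get(key);
    if (cached) {
      this.hits++;
      return cached.map((f) => ({ ...f, file })); // same content, possibly a new path
    }
    this.misses++;
    const result = scanText(file, content);
    this.entries.set(key, result);
    return result;
  }
}

// Constructed sample file. The AKIA value is the AWS documentation example key.
export const SAMPLE = [
  'const region = "us-east-1";',
  'const accessKeyId = "AKIAIOSFODNN7EXAMPLE";',
  'const ghToken = "ghp_' + "0123456789abcdef".repeat(2) + '0123";',
  'const sessionSecret = "x9Kq3vL8mN2pR7sT4wY6zB1cD5fG0hJ";',
  'const filler = "aaaaaaaaaaaaaaaaaaaaaaaa";',
].join("\n");

const cache = new ScanCache("patterns-v1");
for (const f of cache.scan("src/config.js", SAMPLE)) {
  console.log(`[${f.severity.toUpperCase()}] ${f.file}:${f.line}:${f.column}  ${f.ruleId}  ${f.redacted}`);
}
console.log(`exit ${exitCode(cache.scan("src/config.js", SAMPLE))}  (hits=${cache.hits}, misses=${cache.misses})`);
```

Two design points worth noticing: a line claimed by a named family skips the entropy pass, so a known key is never double-reported as a generic high-entropy string, and the cache key includes the rule-set version, which is what makes `--no-cache` unnecessary after a pattern update.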
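The `scan_github` row in the tools table lists four GitHub Actions anti-patterns: `pull_request_target` combined with a checkout of the PR head, expression injection via `${{ github.event.* }}` inside `run:`, unpinned action versions, and write-all permissions. The following is an added example, written for this page and not Ironward's own rule engine, that detects all four with line-oriented matching and shows a vulnerable workflow next to its hardened form. Both workflows are constructed for the example; the 40-hex digest in the hardened one is a placeholder, not a real `actions/checkout` commit, and the list of attacker-controlled event fields is an assumption that covers the common cases rather than every field.

```typescript
// Added example, not Ironward's own code: a line-oriented checker for the
// GitHub Actions anti-patterns the README's `scan_github` row lists. A real
// engine would parse the YAML; matching on lines is enough to show the logic.
// Both workflows are constructed; the 40-hex digest is a placeholder.

export interface WorkflowFinding { line: number; ruleId: string; message: string }

// Event fields a pull-request author controls. `${{ }}` is expanded before the
// shell sees the script, so one of these inside `run:` is shell injection.
const ATTACKER_CONTROLLED =
  /\$\{\{\s*github\.(head_ref|event\.(pull_request\.(title|body|head\.(ref|label))|issue\.(title|body)|comment\.body|review\.body|head_commit\.message))\s*\}\}/;
const PR_HEAD_REF = /^\s*ref:\s*\$\{\{\s*github\.event\.pull_request\.head\./;
const USES = /^\s*(?:-\s*)?uses:\s*([^\s#]+)/;
const RUN_KEY = /^\s*(?:-\s*)?run:/;
const STEP_START = /^\s*-\s*\w+:/;
const SHA_PINNED = /^[0-9a-f]{40}$/;

const indentOf = (line: string): number => line.length - line.trimStart().length;

export function checkWorkflow(yaml: string): WorkflowFinding[] {
  const findings: WorkflowFinding[] = [];
  // Crude trigger detection; a parser would read the `on:` block instead.
  const prTarget = /\bpull_request_target\b/.test(yaml);
  let runIndent = -1;      // column of the current `run:` key, -1 outside a script
  let inCheckout = false;  // inside a step whose `uses:` is actions/checkout

  const injection = (n: number) => findings.push({ line: n, ruleId: "expression-injection",
    message: "attacker-controlled event field inside run:; pass it through env: instead" });

  yaml.split("\n").forEach((line, i) => {
    const n = i + 1;
    if (runIndent >= 0) {                      // still inside a `run: |` block?
      if (line.trim() === "") return;
      if (indentOf(line) > runIndent) {
        if (ATTACKER_CONTROLLED.test(line)) injection(n);
        return;
      }
      runIndent = -1;
    }
    if (STEP_START.test(line)) inCheckout = false;   // a new step starts
    if (RUN_KEY.test(line)) {
      runIndent = line.indexOf("run:");
      if (ATTACKER_CONTROLLED.test(line)) injection(n);
      return;
    }
    const uses = USES.exec(line);
    if (uses) {
      const ref = uses[1];
      const at = ref.lastIndexOf("@");
      const local = ref.startsWith("./") || ref.startsWith("docker://");
      if (!local && (at < 0 || !SHA_PINNED.test(ref.slice(at + 1)))) {
        findings.push({ line: n, ruleId: "unpinned-action",
          message: `${ref} is not pinned to a commit SHA; a moved tag changes what runs` });
      }
      inCheckout = /^actions\/checkout@/.test(ref);
      return;
    }
    if (prTarget && inCheckout && PR_HEAD_REF.test(line)) {
      findings.push({ line: n, ruleId: "pr-target-checkout",
        message: "pull_request_target checks out the PR head: untrusted code runs with base-repo secrets" });
    }
    if (/^\s*permissions:\s*write-all\s*$/.test(line)) {
      findings.push({ line: n, ruleId: "write-all-permissions",
        message: "GITHUB_TOKEN granted write-all; scope it to what the job needs" });
    }
  });
  return findings;
}

// Constructed vulnerable workflow: every rule above fires exactly once.
export const VULNERABLE = [
  "name: PR check",
  "on: pull_request_target",
  "permissions: write-all",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "        with:",
  "          ref: ${{ github.event.pull_request.head.sha }}",
  "      - run: npm ci && npm test",
  "      - name: Greet",
  "        run: |",
  '          echo "Thanks for ${{ github.event.pull_request.title }}"',
].join("\n");

// Same job hardened: pull_request trigger, read-only token, SHA-pinned action
// (placeholder digest) and the title handed to the shell through env:.
const PLACEHOLDER_SHA = "0123456789abcdef".repeat(2) + "01234567";
export const HARDENED = [
  "name: PR check",
  "on: pull_request",
  "permissions:",
  "  contents: read",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  `      - uses: actions/checkout@${PLACEHOLDER_SHA}  # v4`,
  "      - run: npm ci && npm test",
  "      - name: Greet",
  "        env:",
  "          TITLE: ${{ github.event.pull_request.title }}",
  "        run: |",
  '          echo "Thanks for $TITLE"',
].join("\n");

for (const f of checkWorkflow(VULNERABLE)) console.log(`line ${f.line} ${f.ruleId}: ${f.message}`);
console.log(`hardened workflow: ${checkWorkflow(HARDENED).length} findings`);
```

The `env:` indirection in the hardened job is the standard fix for expression injection: the value still reaches the step, but as an environment variable the shell quotes normally, rather than as text spliced into the script before it is parsed.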