https://github.com/ayaxsoft/route-auditor
CLI to audit routes in Next.js apps
- Host: GitHub
- URL: https://github.com/ayaxsoft/route-auditor
- Owner: ayaxsoft
- License: mit
- Created: 2026-03-12T01:33:10.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-03-22T13:36:16.000Z (4 months ago)
- Last Synced: 2026-03-23T04:58:21.085Z (3 months ago)
- Topics: audit, cli, nextjs, route-checker, routes
- Language: TypeScript
- Homepage: https://route-auditor.vercel.app
- Size: 2.76 MB
- Stars: 6
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Agents: AGENTS.md
README
# route-auditor
Catch security issues in your Next.js routes before they reach production.
Scans App Router, Pages Router, and API Routes — detecting missing authentication, CSRF gaps, permissive CORS, hardcoded secrets, and more. Stack-aware: fix suggestions are tailored to your detected auth library, validation library, and rate-limiting solution.
## Quick Start
```bash
npx @route-auditor/cli audit .
```
```
⚡ route-auditor
Audit Next.js routes for security issues.
[HIGH] Unprotected API Route · 3 routes
OWASP A01:2021 – Broken Access Control
→ /api/users app/api/users/route.ts
→ /api/posts/[id] app/api/posts/[id]/route.ts
Fix: Use getServerSession(authOptions) to verify the session. (low effort)
85 / 100 Good
█████████████████████████████████░░░░░░░
3 vulnerabilities across 34 routes in 0.0s
```
## Commands
| Command | Description |
| --------------- | --------------------------------------------------- |
| `audit [dir]` | Scan a Next.js project for security vulnerabilities |
| `rules [dir]` | List all rules with their enabled/disabled status |
| `rules disable` | Interactively select rules to disable |
| `rules enable` | Interactively select rules to enable |
| `init` | Generate a `route-auditor.config.json` config file |
| `report <file>` | Re-render a saved JSON audit in any output format |
## Audit Options
| Option | Description | Default |
| ------------------------ | --------------------------------------------------------- | --------- |
| `-o, --output <format>` | Output format: `console`, `json`, `sarif` | `console` |
| `-s, --severity <level>` | Minimum severity: `critical` `high` `medium` `low` `info` | `info` |
| `--fail-on <level>` | Exit with code 1 if any issue at this severity or higher is found | — |
| `--file <path>` | Write output to this file instead of stdout | — |
| `--config <path>` | Path to `route-auditor.config.json` | — |
| `-w, --watch` | Watch for file changes and re-run the audit | — |
## Rules
| ID | Name | Severity | Description |
| ----------------- | ---------------------------- | -------- | --------------------------------------------------------- |
| `RW-AUTH-001` | Unprotected API Route | high | API route with no auth check |
| `RW-AUTH-002` | Missing CSRF Protection | high | Server Action with no CSRF guard |
| `RW-AUTH-003` | Unprotected Sensitive Page | medium | Admin/dashboard page with no auth check |
| `RW-CORS-001` | Permissive CORS Policy | high | Wildcard `Access-Control-Allow-Origin: *` |
| `RW-ENV-001` | Exposed Environment Variable | high | Sensitive env var leaked in a response |
| `RW-WEBHOOK-001` | Missing Webhook Verification | high | Webhook route with no signature verification |
| `RW-PATH-001` | Path Traversal | high | Filesystem operation using unvalidated user input |
| `RW-SECRET-001` | Hardcoded Secret | critical | API key or secret hardcoded in source code |
| `RW-RATE-001` | Missing Rate Limiting | medium | API route with no rate limiting (raised to high on auth endpoints) |
| `RW-INPUT-001` | Missing Input Validation | medium | POST/PUT route that parses body without schema validation |
| `RW-REDIRECT-001` | Open Redirect | medium | `redirect()` called with unvalidated user-supplied URL |
| `RW-COOKIE-001` | Insecure Cookie | medium | Cookie set without `HttpOnly`, `Secure`, or `SameSite` |
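Three of the rules above (`RW-WEBHOOK-001`, `RW-PATH-001` and `RW-REDIRECT-001`) come down to the same mistake: request data reaching a sensitive sink without validation. The TypeScript below is an added example written for this page, not route-auditor's own code or its fix templates. It shows the hardened shape for each rule using only Node's standard library, so it runs outside a Next.js project. The signature scheme (`sha256=<hex>` in an `X-Signature-256`-style header), the `/srv/uploads` directory and the sample inputs are assumptions constructed for the example; the webhook secret is passed as a parameter rather than hardcoded, which would itself trip `RW-SECRET-001`.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
import { resolve, sep } from "node:path";

// RW-WEBHOOK-001: verify an HMAC-SHA256 signature over the *raw* body before
// parsing it. The "sha256=" hex prefix is an assumption for this example;
// real providers document their own header name and encoding.
function verifyWebhookSignature(rawBody: string, header: string | null, secret: string): boolean {
  if (header === null || !header.startsWith("sha256=")) return false;
  const expected = createHmac("sha256", secret).update(rawBody, "utf8").digest();
  const given = Buffer.from(header.slice("sha256=".length), "hex");
  // Check lengths first: timingSafeEqual throws when they differ. The
  // constant-time compare is what prevents byte-by-byte signature guessing.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// RW-PATH-001: confine a user-supplied file name to one directory. Resolve
// first, then check the prefix *with* a trailing separator, so "../", absolute
// paths and a sibling directory such as "/srv/uploads-old" are all rejected.
const UPLOAD_ROOT = resolve("/srv/uploads"); // assumed storage directory

function safeUploadPath(userPath: string): string | null {
  if (userPath.includes("\0")) return null; // NUL bytes truncate paths in some libc calls
  const full = resolve(UPLOAD_ROOT, userPath);
  return full.startsWith(UPLOAD_ROOT + sep) ? full : null;
}

// RW-REDIRECT-001: allow only same-site relative paths in a ?next= parameter.
// The regex rejects "//host" and "/\host", both of which URL parsers treat as
// an authority. Parsing against a placeholder origin is an independent second
// check that also catches inputs like "/\t/host" (parsers strip tabs first).
function safeRedirectTarget(next: string | null, fallback = "/"): string {
  if (next === null || !/^\/(?![\/\\])/.test(next)) return fallback;
  const base = "https://placeholder.invalid";
  const url = new URL(next, base);
  return url.origin === base ? url.pathname + url.search : fallback;
}

// Constructed sample inputs, shaped like what a route handler would receive.
function demo(): { signatureOk: boolean; path: string | null; redirect: string } {
  const secret = "example-only-secret"; // a real app reads this from the environment
  const body = '{"event":"ping"}';
  const header = "sha256=" + createHmac("sha256", secret).update(body).digest("hex");
  return {
    signatureOk: verifyWebhookSignature(body, header, secret), // true
    path: safeUploadPath("../../etc/passwd"),                   // null
    redirect: safeRedirectTarget("//evil.example"),             // "/"
  };
}
```

In an App Router project these would be called from the `POST` handler of the webhook route (on `await req.text()`, never on an already-parsed body), from the file-serving route before any `fs` call, and from the login route before `redirect()`.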
## CI Integration
### GitHub Action
Add to `.github/workflows/route-auditor.yml` in your repository:
```yaml
name: Route Auditor
on:
  push:
    branches: [main]
  pull_request:
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ayaxsoft/route-auditor@v1
        with:
          fail-on: high
```
The action posts the audit results as a PR comment and updates that comment on each push. If your repository restricts the default `GITHUB_TOKEN` permissions, the job needs `pull-requests: write` for the comment to be posted.
#### With SARIF upload (GitHub Code Scanning)
`if: always()` keeps the upload step running when `fail-on` fails the audit step, so findings still reach Code Scanning; `upload-sarif` also needs `security-events: write` on the job's token.
```yaml
steps:
  - uses: actions/checkout@v4
  - uses: ayaxsoft/route-auditor@v1
    with:
      sarif-file: results.sarif
      fail-on: high
  - uses: github/codeql-action/upload-sarif@v3
    if: always()
    with:
      sarif_file: results.sarif
```
#### Action inputs
| Input | Description | Default |
| ------------ | --------------------------------------------------- | -------- |
| `directory` | Path to the Next.js project to audit | `.` |
| `severity` | Minimum severity to report | `info` |
| `fail-on` | Fail if issues at this severity or higher are found | — |
| `sarif-file` | Write SARIF output to this file path | — |
| `config` | Path to `route-auditor.config.json` | — |
| `version` | Version of `@route-auditor/cli` to use | `latest` |
### CLI
```bash
# Fail the pipeline if any high or critical vulnerabilities are found
route-auditor audit . --fail-on high
# Export a SARIF report for GitHub Code Scanning
route-auditor audit . --output sarif --file results.sarif
```
## Configuration
Run `route-auditor init` to generate a config file, or create `route-auditor.config.json` manually:
```json
{
  "severity": "medium",
  "failOn": "high",
  "rules": {
    "RW-RATE-001": false
  },
  "ignore": ["/api/health", "/api/public/*", "/api/internal/**"]
}
```
All rules are enabled by default. Set a rule to `false` to disable it, or use `route-auditor rules disable` to manage rules interactively.
## Contributing
```bash
git clone https://github.com/ayaxsoft/route-auditor
cd route-auditor
pnpm install
pnpm build
```
Run locally:
```bash
node packages/cli/dist/index.js audit /path/to/your/nextjs-project
```
## License
MIT