https://github.com/sudoeren/arhus
local-first security analysis for TypeScript & JavaScript
https://github.com/sudoeren/arhus
ast bun cli devsecops javascript linter security security-scanner static-analysis typescript
Last synced: about 22 hours ago
JSON representation
local-first security analysis for TypeScript & JavaScript
- Host: GitHub
- URL: https://github.com/sudoeren/arhus
- Owner: sudoeren
- License: mit
- Created: 2026-06-27T08:51:04.000Z (13 days ago)
- Default Branch: main
- Last Pushed: 2026-06-27T13:06:20.000Z (13 days ago)
- Last Synced: 2026-06-27T13:13:50.078Z (13 days ago)
- Topics: ast, bun, cli, devsecops, javascript, linter, security, security-scanner, static-analysis, typescript
- Language: TypeScript
- Homepage:
- Size: 134 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Agents: AGENTS.md
Awesome Lists containing this project
README
# arhus
scan. fix. repeat. — local-first security analysis for TypeScript & JavaScript.
## Why arhus
arhus runs **entirely offline**. No telemetry, no cloud, no API calls. Your source code never leaves your machine. Unlike ESLint plugins that focus on style and surface-level patterns, arhus performs AST-aware semantic checks — tracing taint from user input through function calls — without the overhead of a full SAST platform.
## Install
```bash
npm i -g arhus-cli
```
### AI Agent Skill
```bash
npx skills add sudoeren/arhus
```
## Usage
```bash
# Interactive mode (menu-driven)
arhus
# Scan a directory
arhus scan ./src
# Auto-fix (dry run — preview only)
arhus fix ./src --dry-run
# Apply fixes
arhus fix ./src
# JSON output
arhus scan ./src --format json
# SARIF output (GitHub Code Scanning)
arhus scan ./src --format sarif
# Create config file
arhus init
```
## Rules
| Rule | Severity | Description |
|---|---|---|
| `no-hardcoded-secrets` | Critical | API keys, tokens, passwords in source |
| `no-sql-injection` | Critical | SQL queries via string concatenation |
| `no-command-injection` | Critical | exec/spawn with dynamic input |
| `no-xss-dom` | High | innerHTML, document.write, eval |
| `no-unsafe-regex` | High | ReDoS patterns, nested quantifiers |
| `no-path-traversal` | High | File ops with user-controlled paths |
| `no-unvalidated-redirect` | High | Open redirect via user-controlled input |
| `no-unrestricted-file-upload` | High | File upload without extension validation |
| `no-weak-crypto` | High | MD5, SHA1, DES, RC4 usage |
| `no-debugger` | High | debugger statements in committed code |
| `no-console` | Info | console.log and similar in production |
## Configuration
```bash
arhus init # creates .arhusrc
```
```json
{
"include": ["**/*.{ts,tsx,js,jsx}"],
"exclude": ["node_modules/**", "dist/**", ".git/**", "coverage/**", "**/*.test.*", "tests/**"],
"rules": {
"no-console": false,
"no-debugger": "critical"
}
}
```
### Rule Configuration
| Value | Effect |
|---|---|
| `true` or omitted | Rule runs with default severity |
| `false` | Rule is disabled |
| `"low"`, `"medium"`, `"high"`, `"critical"` | Override severity |
| `{ "severity": "high" }` | Object form with severity override + future options |
## Uninstall
```bash
npm uninstall -g arhus-cli
```
Project-level `.arhusrc` files are not removed automatically.
## License
MIT — see [LICENSE](LICENSE) for details.