Recommended Tools
Tools we actually use and recommend. Most are free or have a free tier.
Bastion (Freemium)
Security scanner that runs locally and never uploads your code. Checks headers, configs, and dependencies. Explains every finding and gives you an AI prompt to fix it.

eslint-plugin-security (Free)
ESLint plugin that flags security issues in Node.js code. Catches eval usage, non-literal requires, timing attacks, and other risky patterns.

GitHub Advanced Security (Freemium)
CodeQL code scanning, secret detection, and dependency review right in GitHub. Flags issues directly in your pull requests.

Skylos (Freemium)
Uses ML to find code vulnerabilities that rule-based scanners miss. Pairs well with Bastion for full coverage.

SonarCloud (Freemium)
Hosted code quality and security scanner. Catches bugs, vulnerabilities, and code smells. Supports 30+ languages.

npm audit (Free)
Built into Node.js. Checks your installed packages against the GitHub Advisory Database for known vulnerabilities.

Snyk (Freemium)
Scans your dependencies, containers, and infrastructure-as-code for known vulnerabilities. Good CI integration and auto-fix PRs.

Trivy (Free)
Open-source vulnerability scanner for containers, file systems, git repos, and Kubernetes. Fast and easy to add to CI.

Helmet.js (Free)
Express middleware that sets security headers for you. Handles CSP, HSTS, X-Frame-Options, and more with good defaults out of the box.

Sentry (Freemium)
Error tracking and performance monitoring. Useful for spotting unusual error spikes that might indicate an attack or a broken deploy.

Secretlint (Free)
Catches leaked credentials before you commit them. Supports AWS keys, GCP tokens, npm tokens, private keys, and custom patterns.

Mozilla Observatory (Free)
Paste in your URL and get a letter grade for your HTTP headers and TLS setup. Quick way to spot missing security headers.

OWASP ZAP (Free)
Open-source scanner that tests your running web app for vulnerabilities. Finds XSS, injection, and misconfigurations by actually poking at your site.

Dependabot (Free)
Built into GitHub. Automatically opens PRs when your dependencies have updates or known vulnerabilities. Includes changelogs.