Safeey.io
safeey-cli · free & open source

Catch vulnerabilities before you ship.

Safeey's web scanner checks your live site from the outside. safeey-cli checks your source code from the inside — the other half of shipping securely. It runs entirely on your machine, so your code never leaves it.

npm install -g safeey-cli
$ safeey scan ./

  src/db.js
    HIGH      SQL injection            :8:10   js/sql-injection
      A SQL query is assembled by string interpolation. Injected
      input can change the query's meaning.
      fix  Use parameterised queries (placeholders + a values array).

  src/util.js
    CRITICAL  Command injection        :12:3   js/command-injection
    CRITICAL  Stripe live secret key   :4:18   secret/stripe-live

  ────────────────────────────────────────────────
  Risk grade F (0/100)   2 critical · 1 high

Three commands.

01
Install
npm install -g safeey-cli
02
Scan
safeey scan ./
03
Fix

Every finding comes with the exact fix.

What it checks

Code injectioneval() and Function() called on dynamic input.
Command injectionShell commands built from user input via child_process.
SQL injectionQueries assembled by string interpolation instead of parameters.
Cross-site scriptinginnerHTML and dangerouslySetInnerHTML with dynamic content.
Hardcoded secretsAWS, Stripe, Google, GitHub, Slack, OpenAI keys, JWTs, private keys.
Weak cryptoMD5/SHA-1 hashing and disabled TLS verification.
Open redirectsRedirects driven by user-controlled input.
Vulnerable dependenciesKnown-bad and unpinned packages in package.json.

Every finding includes a plain-English explanation and the fix, plus an A–F risk grade for the whole codebase. JavaScript & TypeScript today, with more languages on the way.

Sync to your dashboard

Connect the CLI to your Safeey account and see code scans alongside your site scans in one place. Only results are sent — never your source code.

$ safeey login <your-api-key>
$ safeey scan . --sync

Generate a key from your dashboard once you're signed in.

Start scanning your code