safeey-cli · free & open source
Catch vulnerabilities before you ship.
Safeey's web scanner checks your live site from the outside. safeey-cli checks your source code from the inside — the other half of shipping securely. It runs entirely on your machine, so your code never leaves it.
npm install -g safeey-cli$ safeey scan ./
src/db.js
HIGH SQL injection :8:10 js/sql-injection
A SQL query is assembled by string interpolation. Injected
input can change the query's meaning.
fix Use parameterised queries (placeholders + a values array).
src/util.js
CRITICAL Command injection :12:3 js/command-injection
CRITICAL Stripe live secret key :4:18 secret/stripe-live
────────────────────────────────────────────────
Risk grade F (0/100) 2 critical · 1 highThree commands.
01
Install
npm install -g safeey-cli02
Scan
safeey scan ./03
Fix
Every finding comes with the exact fix.
What it checks
Code injectioneval() and Function() called on dynamic input.
Command injectionShell commands built from user input via child_process.
SQL injectionQueries assembled by string interpolation instead of parameters.
Cross-site scriptinginnerHTML and dangerouslySetInnerHTML with dynamic content.
Hardcoded secretsAWS, Stripe, Google, GitHub, Slack, OpenAI keys, JWTs, private keys.
Weak cryptoMD5/SHA-1 hashing and disabled TLS verification.
Open redirectsRedirects driven by user-controlled input.
Vulnerable dependenciesKnown-bad and unpinned packages in package.json.
Every finding includes a plain-English explanation and the fix, plus an A–F risk grade for the whole codebase. JavaScript & TypeScript today, with more languages on the way.
Sync to your dashboard
Connect the CLI to your Safeey account and see code scans alongside your site scans in one place. Only results are sent — never your source code.
$ safeey login <your-api-key>
$ safeey scan . --syncGenerate a key from your dashboard once you're signed in.