danoszz/penthera

Analysis updated 2026-05-18

Stars · 2 · Language · JavaScript · Audience · vibe coder · Complexity · 2/5 · License · MIT · Setup · easy

TLDR

A security scanner for web apps that runs from your AI coding agent or the command line, checking for exposed APIs, weak auth, missing headers, and hardcoded secrets before you launch.

Mindmap

mindmap
  root((Penthera))
    Scan types
      Black-box URL scan
      White-box repo scan
      Combined scan
    What it checks
      TLS and headers
      Auth and cookies
      Hardcoded secrets
      API route exposure
    Output formats
      Terminal summary
      Markdown report
      JSON and SARIF
    Usage modes
      Agent skill
      CLI wizard
      Docker container


What do people build with it?

USE CASE 1

Run a pre-launch security scan on your app to find exposed API routes, weak auth, and missing security headers.

USE CASE 2

Ask your Cursor or Claude Code agent to scan your staging app and list the top fixes in priority order.

USE CASE 3

Search your codebase for hardcoded secrets and API keys before pushing to a public repository.

USE CASE 4

Generate a SARIF security report and upload it to GitHub's security tab as part of your CI pipeline.

What is it built with?

JavaScript · Node.js · Docker

How does it compare?

                    danoszz/penthera    ash310u/awesome-ai-stack    asqrzk/copilot-openrouter-to-ollama-proxy
Stars               2                   2                           2
Language            JavaScript          JavaScript                  JavaScript
Setup difficulty    easy                easy                        moderate
Complexity          2/5                 2/5                         2/5
Audience            vibe coder          vibe coder                  developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy · Time to first run · 5 min

Requires Node.js 18+. One-line install script handles everything, including agent skill registration for Cursor and Claude Code.

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

In plain English

Penthera is a lightweight security scanner built for web apps and APIs, particularly those built quickly with AI assistance. The idea is that apps built fast often skip security checks, and Penthera is the check you run before going live. It connects to your app over HTTP, looks for common vulnerabilities, and lists fixes in priority order. You do not need a security background to use it.

There are two main ways to run it. The first is as an agent skill: if you use Cursor or Claude Code as your coding assistant, you install Penthera once and then ask your agent to scan your app. The agent handles the rest. The second is through the command line, where you can either run a scan directly against a URL or launch a guided interactive wizard that walks you through the options.

Penthera covers two types of scanning. Black-box scanning hits your running app from the outside, the same way an attacker would, checking things like TLS configuration, security headers, CORS settings, cookies, authentication handling, and exposed API routes. White-box scanning reads your source code to find API routes, map trust boundaries, and look for hardcoded secrets. You can run both at once for a more complete picture.

Findings are mapped to the OWASP Web Security Testing Guide, a widely used reference document for web security. The default scan is non-destructive, meaning it only reads responses and does not send attack payloads. More aggressive modes like deep scanning and fuzzing are available but require you to opt in and confirm you have authorization to test the target.

Output can go to the terminal, a Markdown file, JSON, or SARIF format, which integrates with GitHub's security tab. There is also a baseline comparison feature that shows only new findings since a previous scan. Penthera is MIT-licensed, requires Node.js 18 or later, and can also run in a Docker container.

Copy-paste prompts

Prompt 1
Scan my localhost:3000 app for security issues using Penthera and list the top 5 fixes in priority order.
Prompt 2
Run a combined black-box and white-box Penthera scan on https://staging.myapp.com with my source code at . and output a full report.
Prompt 3
Use Penthera to check my Next.js repo for hardcoded secrets and exposed API routes before I deploy.
Prompt 4
Set up Penthera as a pre-deploy CI step that fails the build if it finds any critical or high severity security issues.
Prompt 5
Run penthera with --profile deep on my staging app and explain each finding it returns in plain language.

Frequently asked questions

What is penthera?

A security scanner for web apps that runs from your AI coding agent or the command line, checking for exposed APIs, weak auth, missing headers, and hardcoded secrets before you launch.

What language is penthera written in?

Mainly JavaScript, running on Node.js, with Docker also part of the stack.

What license does penthera use?

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

How hard is penthera to set up?

Setup difficulty is rated easy, with roughly 5 min to a first successful run.

Who is penthera for?

Mainly vibe coders.

Verify against the repo before relying on details.