Analysis updated 2026-05-18
Run a pre-launch security scan on your app to find exposed API routes, weak auth, and missing security headers.
Ask your Cursor or Claude Code agent to scan your staging app and list the top fixes in priority order.
Search your codebase for hardcoded secrets and API keys before pushing to a public repository.
Generate a SARIF security report and upload it to GitHub's security tab as part of your CI pipeline.
| | danoszz/penthera | ash310u/awesome-ai-stack | asqrzk/copilot-openrouter-to-ollama-proxy |
|---|---|---|---|
| Stars | 2 | 2 | 2 |
| Language | JavaScript | JavaScript | JavaScript |
| Setup difficulty | easy | easy | moderate |
| Complexity | 2/5 | 2/5 | 2/5 |
| Audience | vibe coder | vibe coder | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Node.js 18+. One-line install script handles everything, including agent skill registration for Cursor and Claude Code.
Penthera is a lightweight security scanner built for web apps and APIs, particularly those built quickly with AI assistance. The idea is that apps built fast often skip security checks, and Penthera is the check you run before going live. It connects to your app over HTTP, looks for common vulnerabilities, and lists fixes in priority order. You do not need a security background to use it.

There are two main ways to run it. The first is as an agent skill: if you use Cursor or Claude Code as your coding assistant, you install Penthera once and then ask your agent to scan your app. The agent handles the rest. The second is through the command line, where you can either run a scan directly against a URL or launch a guided interactive wizard that walks you through the options.

Penthera covers two types of scanning. Black-box scanning hits your running app from the outside, the same way an attacker would, checking things like TLS configuration, security headers, CORS settings, cookies, authentication handling, and exposed API routes. White-box scanning reads your source code to find API routes, map trust boundaries, and look for hardcoded secrets. You can run both at once for a more complete picture.

Findings are mapped to the OWASP Web Security Testing Guide, a widely used reference document for web security. The default scan is non-destructive, meaning it only reads responses and does not send attack payloads. More aggressive modes like deep scanning and fuzzing are available but require you to opt in and confirm you have authorization to test the target. Output can go to the terminal, a Markdown file, JSON, or SARIF format, which integrates with GitHub's security tab. There is also a baseline comparison feature that shows only new findings since a previous scan.

Penthera is MIT-licensed, requires Node.js 18 or later, and can also run in a Docker container.
A security scanner for web apps that runs from your AI coding agent or the command line, checking for exposed APIs, weak auth, missing headers, and hardcoded secrets before you launch.
Mainly JavaScript. The stack also includes Node.js and Docker.
Use freely for any purpose, including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated easy, with roughly 5 minutes to a first successful run.
Mainly vibe coder.
Verify against the repo before relying on details.