explaingit

jotadev-bug/javascript-doctor

Analysis updated 2026-05-18

0TypeScriptAudience · developerComplexity · 2/5Setup · easy

TLDR

A command-line security scanner for JavaScript and TypeScript projects that flags vulnerabilities often introduced by AI coding assistants.

Mindmap

mindmap
  root((JS Doctor))
    What it does
      Scans JS and TS code
      Plain-English findings
      CI-ready exit codes
    Tech stack
      TypeScript
      npm
    Use cases
      Catch exposed secrets
      Find SQL injection risk
      Check dependency vulnerabilities
    Audience
      Developers
      Security reviewers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a project folder for exposed secrets, SQL injection, and command injection risks before shipping.

USE CASE 2

Run in CI with a non-zero exit code when high or critical issues are found.

USE CASE 3

Check npm dependencies against the npm audit and OSV.dev advisory databases.

USE CASE 4

Watch a project for changes and rescan automatically.

What is it built with?

TypeScriptNode.jsnpm

How does it compare?

jotadev-bug/javascript-doctor0xradioac7iv/tempfsabboskhonov/hermium
Stars000
LanguageTypeScriptTypeScriptTypeScript
Setup difficultyeasymoderatemoderate
Complexity2/53/54/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Ships as an npm package with no external services required to run a scan.

No license file was found in the README.

In plain English

JS Doctor is a command-line security scanner for JavaScript and TypeScript projects, designed especially for code generated or accelerated by AI coding assistants. The idea is that AI-generated code can introduce security vulnerabilities without the developer noticing, and JS Doctor provides a fast way to check for common issues before shipping. Running it against a project folder produces plain-English findings that each include a diagnosis (what the problem is), a risk assessment, a recommended treatment, a severity level, a confidence level, and the exact file and line where the issue was found. The scanner checks for a broad range of security problems: exposed secrets, missing authorization checks on update and delete operations, unsafe HTML rendering that could enable script injection, runtime code execution, command injection, SQL injection, server-side request forgery (SSRF), open redirects, path traversal, weak or insecure cryptography, permissive CORS settings, disabled TLS verification, insecure cookie configuration, prototype pollution, unsafe deserialization, and JWT tokens decoded without signature verification. It can also check third-party npm dependencies against the npm audit database and the OSV.dev vulnerability advisory database. A watch mode rescans files as they change. JSON output is available for integration into other tools. By default the tool exits with a non-zero code when high or critical issues are found, making it suitable for CI pipelines. The rule system is file-based, each rule pack is a JSON or YAML file, so new checks can be added without modifying the core engine. The project is written in TypeScript and ships as an npm package.

Copy-paste prompts

Prompt 1
Help me run this scanner against my project and interpret the severity levels in the output.
Prompt 2
Explain how to write a custom rule pack file for this scanner.
Prompt 3
What does this tool check for regarding SSRF and open redirects?
Prompt 4
How do I wire this scanner into a CI pipeline so builds fail on critical issues?

Frequently asked questions

What is javascript-doctor?

A command-line security scanner for JavaScript and TypeScript projects that flags vulnerabilities often introduced by AI coding assistants.

What language is javascript-doctor written in?

Mainly TypeScript. The stack also includes TypeScript, Node.js, npm.

What license does javascript-doctor use?

No license file was found in the README.

How hard is javascript-doctor to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is javascript-doctor for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.