explaingit

setrathexx/next-secure-check

Analysis updated 2026-06-24

2TypeScriptAudience · developerComplexity · 2/5Setup · easy

TLDR

Rule-based security scanner for Next.js projects that flags committed secrets, weak JWT setup, raw SQL, missing headers, and other common mistakes.

Mindmap

mindmap
  root((next-secure-check))
    Inputs
      Source files
      Config JSON
      CLI flags
    Outputs
      Terminal report
      SARIF file
      Markdown summary
    Use Cases
      Local audit
      CI gate
      Public demo
    Tech Stack
      TypeScript
      Node
      GitHub Actions
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a Next.js repo locally and see flagged secrets, weak configs, and XSS risks

USE CASE 2

Add a CI step that fails the build on high or critical findings

USE CASE 3

Export SARIF and feed it into a GitHub code-scanning dashboard

USE CASE 4

Run a static scan of a public GitHub repo through the web demo at apps/web

What is it built with?

TypeScriptNodeGitHub Actions

How does it compare?

setrathexx/next-secure-checkarashthr/hugo-flowargeneau12e/kairos-tx
Stars222
LanguageTypeScriptTypeScriptTypeScript
Setup difficultyeasymoderatehard
Complexity2/53/54/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Single npm install and one command to scan, with optional JSON config for thresholds.

In plain English

next-secure-check is a security scanner aimed at Next.js projects. It looks through your code for common security mistakes before they reach production, things like committed secrets, unsafe API routes, missing rate limits on login or registration, weak configuration, XSS risks, raw SQL patterns, unsafe file uploads, and missing security headers. The README is explicit that the tool does not use AI at runtime, it works by matching deterministic rules against the source files. The scanner currently ships with 20 rules grouped by category (secrets, injection, xss, config, auth, headers, upload, validation). Each rule has its own documentation page. Examples include detecting committed .env files, hard-coded API keys, weak JWT secrets, use of eval or new Function, wildcard CORS origins, missing bcrypt or argon2 around password handling, raw SQL string concatenation, and Next.js-specific configuration gaps like productionBrowserSourceMaps being true or the poweredByHeader option not being switched off. There are three ways to use it. The command-line tool is installed from npm and run as next-secure-check scan . inside a project. Output formats include terminal text, JSON, Markdown, a GitHub Actions step summary, and SARIF for integration with code-scanning dashboards. The repository also runs the scanner in its own GitHub Actions workflow as a working example, writing a Markdown report to the job step summary and optionally failing the job when high or critical findings appear. A web demo at apps/web lets visitors scan public GitHub repositories by URL, that demo only does static analysis, never runs the scanned code, and does not touch private repositories. Configuration can be supplied through a .next-secure-check.json file at the project root, with fields for excluded paths, rule categories, the severity threshold to fail on, and the output format. Command-line flags override the config file, which overrides the defaults. The author describes the project as a first-year student learning project, currently at v0.1 with the MVP and hardening pass complete. They note that findings should be treated as review signals rather than proof of exploitation, and that false positives and false negatives are possible.

Copy-paste prompts

Prompt 1
Install next-secure-check from npm and run next-secure-check scan . on my Next.js repo
Prompt 2
Write a .next-secure-check.json that excludes node_modules and fails only on critical findings
Prompt 3
Add a GitHub Actions workflow that posts the Markdown report to the job step summary
Prompt 4
Help me write a new rule that detects wildcard CORS origins in app router handlers
Prompt 5
Convert the scanner output to SARIF and upload it as a code-scanning result

Frequently asked questions

What is next-secure-check?

Rule-based security scanner for Next.js projects that flags committed secrets, weak JWT setup, raw SQL, missing headers, and other common mistakes.

What language is next-secure-check written in?

Mainly TypeScript. The stack also includes TypeScript, Node, GitHub Actions.

How hard is next-secure-check to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is next-secure-check for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.