explaingit

setrathexx/next-secure-check

2 · TypeScript · Audience · developer · Complexity · 2/5 · Active · Setup · easy

TLDR

Rule-based security scanner for Next.js projects that flags committed secrets, weak JWT setup, raw SQL, missing headers, and other common mistakes.

Mindmap

mindmap
  root((next-secure-check))
    Inputs
      Source files
      Config JSON
      CLI flags
    Outputs
      Terminal report
      SARIF file
      Markdown summary
    Use Cases
      Local audit
      CI gate
      Public demo
    Tech Stack
      TypeScript
      Node
      GitHub Actions

Things people build with this

USE CASE 1

Scan a Next.js repo locally and see flagged secrets, weak configs, and XSS risks

USE CASE 2

Add a CI step that fails the build on high or critical findings

USE CASE 3

Export SARIF and feed it into a GitHub code-scanning dashboard

USE CASE 4

Run a static scan of a public GitHub repo through the web demo at apps/web

Tech stack

TypeScript · Node · GitHub Actions

Getting it running

Difficulty · easy · Time to first run · 5 min

Single npm install and one command to scan, with optional JSON config for thresholds.

In plain English

next-secure-check is a security scanner aimed at Next.js projects. It looks through your code for common security mistakes before they reach production: committed secrets, unsafe API routes, missing rate limits on login or registration, weak configuration, XSS risks, raw SQL patterns, unsafe file uploads, and missing security headers. The README is explicit that the tool does not use AI at runtime; it works by matching deterministic rules against the source files.

The scanner currently ships with 20 rules grouped by category (secrets, injection, xss, config, auth, headers, upload, validation), and each rule has its own documentation page. Examples include detecting committed .env files, hard-coded API keys, weak JWT secrets, use of eval or new Function, wildcard CORS origins, missing bcrypt or argon2 around password handling, raw SQL string concatenation, and Next.js-specific configuration gaps such as productionBrowserSourceMaps being true or the poweredByHeader option not being switched off.

There are three ways to use it. The command-line tool is installed from npm and run as next-secure-check scan . inside a project; output formats include terminal text, JSON, Markdown, a GitHub Actions step summary, and SARIF for integration with code-scanning dashboards. The repository also runs the scanner in its own GitHub Actions workflow as a working example, writing a Markdown report to the job step summary and optionally failing the job when high or critical findings appear. A web demo at apps/web lets visitors scan public GitHub repositories by URL; that demo only does static analysis, never runs the scanned code, and does not touch private repositories.

Configuration can be supplied through a .next-secure-check.json file at the project root, with fields for excluded paths, rule categories, the severity threshold to fail on, and the output format. Command-line flags override the config file, which overrides the defaults.

The author describes the project as a first-year student learning project, currently at v0.1 with the MVP and hardening pass complete. They note that findings should be treated as review signals rather than proof of exploitation, and that false positives and false negatives are possible.
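To make the deterministic rule matching, the category filter, the exclusion list and the flags > config file > defaults precedence concrete, here is an added TypeScript example. It is illustrative code written for this page, not next-secure-check's own implementation: the rule ids, the config keys (exclude, categories, failOn, format), the function names and the sample project files are all assumptions, and the regexes are far simpler than a real rule set would use.

```typescript
// Added illustrative example: a miniature deterministic, regex-based rule
// engine in the style next-secure-check describes. Rule ids, config keys,
// function names and the sample files are assumptions, not the project's
// real API or rule set.

type Severity = "low" | "medium" | "high" | "critical";
type Category = "secrets" | "injection" | "xss" | "config" | "auth" |
  "headers" | "upload" | "validation";

interface Rule { id: string; category: Category; severity: Severity; pattern: RegExp; message: string; }
interface Finding { ruleId: string; category: Category; severity: Severity; file: string; line: number; message: string; }
interface ScanConfig { exclude: string[]; categories: Category[]; failOn: Severity; format: "text" | "json" | "markdown" | "sarif"; }

const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

// Each rule is a plain regex tested line by line: no AI, no execution of the
// scanned code. The patterns are deliberately simple and will produce false
// positives and negatives, which is why findings are review signals only.
const RULES: Rule[] = [
  { id: "secrets/hardcoded-api-key", category: "secrets", severity: "critical",
    pattern: /(api[_-]?key|secret)\s*[:=]\s*["'][A-Za-z0-9_-]{16,}["']/i,
    message: "possible hard-coded API key or secret" },
  { id: "injection/eval", category: "injection", severity: "high",
    pattern: /\beval\s*\(|\bnew\s+Function\s*\(/,
    message: "use of eval or new Function" },
  { id: "injection/raw-sql-concat", category: "injection", severity: "high",
    pattern: /\b(SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*["'`]\s*\+\s*\w+/i,
    message: "raw SQL built by string concatenation" },
  { id: "config/wildcard-cors", category: "config", severity: "high",
    pattern: /Access-Control-Allow-Origin["']?\s*[:,]\s*["']\*["']/,
    message: "wildcard CORS origin" },
  { id: "config/source-maps", category: "config", severity: "medium",
    pattern: /productionBrowserSourceMaps\s*:\s*true/,
    message: "productionBrowserSourceMaps is enabled" },
  { id: "config/powered-by-header", category: "config", severity: "low",
    pattern: /poweredByHeader\s*:\s*true/,
    message: "poweredByHeader is explicitly enabled" },
];

const DEFAULTS: ScanConfig = {
  exclude: ["node_modules", ".next"],
  categories: ["secrets", "injection", "xss", "config", "auth", "headers", "upload", "validation"],
  failOn: "high",
  format: "text",
};

// Precedence: CLI flags override the config file, which overrides the
// defaults. Keys a layer leaves out fall through to the layer below it.
function resolveConfig(fileConfig: Partial<ScanConfig> = {}, cliFlags: Partial<ScanConfig> = {}): ScanConfig {
  return { ...DEFAULTS, ...fileConfig, ...cliFlags };
}

// A path is excluded when any excluded directory is one of its segments.
function isExcluded(file: string, exclude: string[]): boolean {
  return exclude.some((dir) => file.indexOf(dir + "/") === 0 || file.indexOf("/" + dir + "/") !== -1);
}

function scan(files: Record<string, string>, config: ScanConfig): Finding[] {
  const active = RULES.filter((r) => config.categories.indexOf(r.category) !== -1);
  const findings: Finding[] = [];
  for (const file of Object.keys(files)) {
    if (isExcluded(file, config.exclude)) continue;
    files[file].split("\n").forEach((text, i) => {
      for (const rule of active) {
        if (rule.pattern.test(text)) {
          findings.push({ ruleId: rule.id, category: rule.category, severity: rule.severity,
                          file, line: i + 1, message: rule.message });
        }
      }
    });
  }
  return findings;
}

// CI gate: fail when any finding is at or above the configured threshold.
function shouldFail(findings: Finding[], threshold: Severity): boolean {
  return findings.some((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]);
}

// Minimal Markdown table, the kind of report a job step summary would carry.
function renderMarkdown(findings: Finding[]): string {
  const rows = findings.map((f) => `| ${f.severity} | ${f.ruleId} | ${f.file}:${f.line} | ${f.message} |`);
  return ["| Severity | Rule | Location | Message |", "|---|---|---|---|"].concat(rows).join("\n");
}

// Constructed sample project for the demo (not code from any real repository).
const SAMPLE_FILES: Record<string, string> = {
  "next.config.js": "module.exports = {\n  productionBrowserSourceMaps: true,\n  poweredByHeader: true,\n};",
  "app/api/login/route.ts": [
    'const API_KEY = "EXAMPLE_CONSTRUCTED_KEY_0123456789";',
    "export async function POST(req: Request) {",
    '  res.setHeader("Access-Control-Allow-Origin", "*");',
    '  const rows = await db.query("SELECT * FROM users WHERE email = " + email);',
    "}",
  ].join("\n"),
  "node_modules/some-dep/index.js": "module.exports = (code) => eval(code);",
};

// Simulate: config file raises the gate to critical, a CLI flag picks Markdown.
const config = resolveConfig({ failOn: "critical" }, { format: "markdown" });
const findings = scan(SAMPLE_FILES, config);
console.log(renderMarkdown(findings));
console.log(`gate (failOn=${config.failOn}): ${shouldFail(findings, config.failOn) ? "FAIL" : "pass"}`);
```

With the defaults the node_modules file is skipped, so the eval line never appears; restricting categories to config drops the secret and SQL findings, and the gate then passes at a critical threshold but fails at high. Rules that depend on something being absent (for example poweredByHeader never being set to false) need whole-file or whole-project logic rather than the per-line regex used here.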

Copy-paste prompts

Prompt 1
Install next-secure-check from npm and run next-secure-check scan . on my Next.js repo
Prompt 2
Write a .next-secure-check.json that excludes node_modules and fails only on critical findings
Prompt 3
Add a GitHub Actions workflow that posts the Markdown report to the job step summary
Prompt 4
Help me write a new rule that detects wildcard CORS origins in app router handlers
Prompt 5
Convert the scanner output to SARIF and upload it as a code-scanning result

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.