Back to Projects
Free & Open-Source Local Scanner

FivoSense

One command. 15 seconds. Every vulnerability found. FivoSense is a 100% local, zero-telemetry security scanner that proves real exploits in JavaScript & TypeScript.

$npm install -g fivosense
sh - fivosense scanner
$ fivosense src/**/*.js
[15:10:02] Starting scan...
[15:10:03] Scanned 124 files. Checking for exploit paths...
CRITICAL: SQL Injection vulnerability found in src/api/users.js
    Line 42: const query = `SELECT * FROM users WHERE id = ${req.query.id}`;
    Exploit path: User input flows directly into a database query without checks.
    Generated PoC exploit: `curl "http://localhost:3000/users?id=1%20OR%201=1"`

HIGH: Hardcoded API secret key found in src/config.js
    Line 12: const OPENAI_KEY = "sk-proj-7a912e...";
    Fix: Move secrets to environment variables (`process.env.OPENAI_API_KEY`).

Scan Completed in 14.8 seconds:
    Critical: 1 | High: 1 | Medium: 0 | Low: 0 | Score: 45/100

From Grade F to Grade A in 60 Minutes

A simple before-and-after comparison of a repository secured with FivoSense.

Security Parameters Before FivoSense After FivoSense (1 hour later)
Security Score 20/100 (Grade F) 95/100 (Grade A)
SQL Injections 5 unpatched vulnerabilities 0 (Fixed & Verified)
Hardcoded Secrets 7 secrets in source code 0 (Moved to environment variables)
XSS Vulnerabilities 4 unpatched flows 0 (Fixed)
Command Injections 3 critical sinks exposed 0 (Sanitized)
Path Traversal Risks 2 local file vulnerabilities 0 (Fixed)
Developer Peace of Mind Sleepless nights Sleep like a baby 😴

How FivoSense Compares

Why security researchers and developers prefer FivoSense over traditional cloud scanners or simple ChatGPT prompts.

Feature / Metric ChatGPT Security Prompts Traditional Cloud Scanners FivoSense
Approach Reads code as raw text, guesses patterns Heavy cloud-based static scanning Local deep-code understanding
Results "Might be vulnerable..." 500 warnings (400 false positives) "IS vulnerable, exact line number"
Verification None Partial documentation Exact line + exploit proof
Proof of Concept None None Generates working PoC exploit
Scanning Speed Copy-paste 1 file at a time Several minutes per branch scan 100 files in under 15 seconds
Code Privacy Uploads source code to OpenAI/Anthropic Transmits code to scanner cloud platforms 100% Local (Never leaves machine)
Costs $20/month subscription $25 - $100/month per seat Free & Open-Source (MIT)

What FivoSense Detects

433 security patterns across 20 distinct categories checked on every keystroke.

SQL Injection

Prevents attackers from bypassing query syntax parameters to read or modify your database tables.

Critical Severity

Command Injection

Blocks dangerous system shells from executing untrusted input arguments from user requests.

Critical Severity

Hardcoded Secrets

Scans code for leaked OpenAI keys, AWS access tokens, PostgreSQL credentials, and Stripe tokens.

High Severity

Path Traversal

Identifies insecure filesystem functions allowing attackers to view files outside public folders.

High Severity

SSRF Attacks

Finds HTTP client calls that can be coerced to request resources from your secure internal VPC servers.

High Severity

Prototype Pollution

Finds object mutations where raw input arguments can compromise standard Node.js prototypes.

Critical Severity

55+ Secret Types Scanned

Detects a wide variety of static credentials before they are pushed to GitHub:

  • AI Providers: OpenAI keys (`sk-proj-...`), Anthropic API tokens
  • Cloud Platforms: AWS IDs (`AKIA...`), Google Cloud service tokens, Firebase configs
  • SaaS integrations: Stripe private keys, Shopify webhooks, Slack incoming tokens
  • Database Connections: MongoDB, PostgreSQL connection URIs containing clear passwords

58+ Destructive Commands Blocked

Blocks queries or CLI runs attempting file system or database wipes:

  • File Wipes: `rm -rf /`, `mkfs`, `shred` operations
  • Database Purges: `DROP TABLE`, `TRUNCATE`, or `DELETE` queries missing conditional constraints
  • Container Wipes: Docker container terminations or K8s namespace sweeps
  • Privilege Escapes: `chmod 777` permissions and SUID sudoers overrides

Features Engineered for Modern Teams

Security shouldn't feel like a chore. We built tools developers actually want to use.

Roast Mode

Use `--roast` to get an direct, humorous analysis of your security flaws. Turn audit warnings into an entertaining team experience.

fivosense --roast src/api.js

Security Grading Badge

Verify your code grade (Grade A+ to F) on every local save. Show your compliance scores inside your repository README files.

fivosense --badge src/app.js

Git Pre-Push Gate

Installs as a pre-push Git hook. Automatically blocks commits containing active security vulnerabilities from reaching main branches.

# git push blocked on vulnerabilities

IDE Extension Integration

Highlight syntax errors and insecure lines directly inside VS Code, Cursor, or JetBrains editors as you type. Catch flaws long before review pipelines.

AI Agent MCP Server

Exposes a Model Context Protocol tool layer. Ask Claude Desktop or local LLM agents: "Is my workspace code secure?" to run scanning routines instantly.

Frequently Asked Questions

Find technical details about FivoSense scanner capabilities.

Is FivoSense really free?

Yes. FivoSense is fully open-source under the MIT license. There are no subscriptions, local account restrictions, or limits on local codebase scanning. Forever free.

Does it send my codebase details to any cloud servers?

No. FivoSense executes entirely on your workstation CPU. It runs zero background cloud synchronization, key uploads, or telemetry logs (unless you configure your own custom OpenAI endpoint to parse security suggestions).

Which languages are supported?

FivoSense supports JavaScript (`.js`, `.jsx`, `.mjs`) and TypeScript (`.ts`, `.tsx`). It analyzes code logic rather than simple text pattern matching.

What types of vulnerabilities does FivoSense detect?

SQL injection, XSS, command injection, path traversal, hardcoded secrets, authentication bypasses, insecure deserialization, and data exposure vulnerabilities. It also flags risky patterns in dependencies and configuration.

Can I use FivoSense in CI/CD pipelines?

Yes. FivoSense runs entirely locally with no external dependencies, making it ideal for GitHub Actions, GitLab CI, Jenkins, or any CI/CD system. Exit codes and machine-readable output support automated policy enforcement.

Is my code sent anywhere?

No. FivoSense is 100% local and offline. Your code never leaves your machine. No telemetry, no cloud scanning, no external APIs.

How does FivoSense handle false positives?

FivoSense learns code flow and context to minimize false positives. You can suppress findings with inline comments and configure severity levels per vulnerability type.

Can FivoSense run inside CI/CD pipelines?

Yes. FivoSense exits with standard code status `1` whenever security issues are found. It is designed to plug directly into GitHub Actions, GitLab CI, or local custom post-receive hooks.

Secure Your Codebase in 15 Seconds

Find vulnerabilities before hackers do.

Scan your repositories 100% locally with zero cloud dependencies.

Read Quickstart Docs View GitHub Repository