Every developer knows the pain of running a security scan. You wait for it to finish, only to be handed a giant report filled with hundreds of warnings. You then have to spend the next three hours manually testing each one, only to find out that almost all of them are false positives.
It is a massive waste of time, and it makes people ignore security alerts entirely.
I wanted a tool that actually proved its findings before telling me about them. Since I could not find a lightweight, open-source scanner that did this, I decided to build VScanX.
How it works under the hood
Instead of just checking if a header is missing or searching for static text, VScanX focuses on active validation.
When it finds a potential vulnerability, it triggers a background process to safely exploit it. If it successfully triggers the exploit, it saves the exact HTTP requests and responses as a proof of concept. If it cannot prove that the vulnerability is actually exploitable, it simply does not report it.
This means if VScanX alerts you to an issue, you can trust that it is real and reproducible.
What it scans
I wanted the tool to cover the full stack of applications I work on, so I built modules for:
Web Apps: SQL injection, XSS, IDOR, and exposed secrets in JavaScript.
Smart Contracts: Reentrancy loops and access control issues.
AI Sandbox: Prompt injection and code execution escapes for LLM apps.
It also has a local Next.js documentation dashboard so you can view your scan results, compare diffs between two different runs to see what changed, and manage everything privately on your own machine.
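As an added illustration (not VScanX's own code), here is a Python sketch of the verify-before-report gate described above together with the run-to-run diff: a candidate is only reported when its verifier captures the exact request and response as evidence, and two confirmed-finding sets are compared. The `Finding`, `scan`, `diff_runs` and `fake_send` names and the inert-marker reflection verifier are assumptions; the fake server is constructed so the example runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# All names here are hypothetical; they are not VScanX's own API.
Transport = Callable[[str], tuple[str, str]]  # url -> (request line, response body)

@dataclass
class Evidence:
    request: str   # exact request sent, kept as the proof of concept
    response: str  # exact response that proved the finding

@dataclass
class Finding:
    check: str
    url: str
    evidence: Optional[Evidence] = None

def verify_marker_reflection(url: str, send: Transport) -> Optional[Evidence]:
    """Confirm a candidate only if a unique, inert marker is echoed back verbatim."""
    marker = "vscanx-probe-7f3a"
    req, body = send(f"{url}?q={marker}")
    return Evidence(req, body) if marker in body else None

# Each check name maps to the verifier that must succeed before it is reported.
VERIFIERS = {"reflected-input": verify_marker_reflection}

def scan(candidates: list[Finding], send: Transport) -> list[Finding]:
    """Return only candidates whose verifier captured request/response evidence."""
    confirmed = []
    for c in candidates:
        verifier = VERIFIERS.get(c.check)
        evidence = verifier(c.url, send) if verifier else None
        if evidence is not None:  # unproven candidates are silently dropped
            confirmed.append(Finding(c.check, c.url, evidence))
    return confirmed

def diff_runs(old: list[Finding], new: list[Finding]) -> dict[str, list]:
    """Compare two confirmed-finding sets the way a run-to-run diff view would."""
    key = lambda f: (f.check, f.url)
    o, n = {key(f) for f in old}, {key(f) for f in new}
    return {"new": sorted(n - o), "fixed": sorted(o - n), "unchanged": sorted(o & n)}

def fake_send(url: str) -> tuple[str, str]:
    """Constructed offline server: /search echoes its query, /static does not."""
    path, _, query = url.partition("?")
    echo = query.removeprefix("q=")
    body = f"<p>Results for {echo}</p>" if path.endswith("/search") else "<p>static</p>"
    return f"GET {url} HTTP/1.1", body
```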
Give it a try
The project is completely free and open source. If you want to check out the code, run a scan on your local projects, or contribute, the repository is on GitHub:
I would love to hear your feedback on the verification logic or how you handle security sweeps in your own workflows.