This is a submission for the GitHub Copilot CLI Challenge
What I Built
scry is a command-line security scanner that reveals hidden risks in JavaScript and Node.js codebases. It detects 8 critical vulnerability categories and provides:
- Clear explanations of why each issue matters
- Actionable fixes with secure code examples
- Educational context for developers learning security best practices
- Multiple output formats (table, JSON, markdown, compact) for flexible CI/CD integration
The tool scans for hardcoded secrets, JWT token misuse, insecure cookies, dangerous eval() usage, CORS misconfiguration, exposed environment files, weak cryptography, and poor password handling: all common pitfalls that security tools often miss in real-world codebases.
How I Built It
Tech Stack: TypeScript, Node.js, Bun (runtime)
Architecture: Rule based detection engine with modular security rules, configurable patterns, and file scanning with severity filtering.
I created scry because most security scanners either overwhelm developers with noise or fail to educate them on why something is risky. scry balances these by providing focused, high signal security findings with educational explanations that help developers understand vulnerabilities, not just fix them.
See It In Action
With Explanations (--explain):

Compact Output (--output compact):

Markdown Output (--output markdown):

How GitHub Copilot CLI Helped
This is where GitHub Copilot CLI made a massive difference. Rather than manually researching and implementing everything, Copilot helped me in three critical ways:
1. Structured Security Research (Password Handling Plan)
I asked Copilot CLI: "What are practices considered poor password handling?"
Instead of getting a wall of text, Copilot organized vulnerabilities into actionable categories:
Storage Issues:
- Plaintext password storage
- Weak hashing (MD5, SHA1)
- Missing/reused salts
Transmission Problems:
- HTTP vs HTTPS exposure
- Passwords in logs or URLs
- Client side leaks
Implementation Flaws:
- No rate limiting on login attempts
- Weak password requirements
- Custom crypto implementations
This structure directly informed my detection rules: each category became a specific regex pattern in the passwordSecurity rule. Instead of 3 hours of scattered research, I had a structured implementation roadmap in minutes.
Key insight: Copilot's categorization was far better than raw OWASP lists because it mapped directly to detectable patterns in code.
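To make the "category to regex" mapping concrete, here is an added illustration (hypothetical code, not scry's actual passwordSecurity rule) with one pattern per detectable item from the plan above, run over constructed sample lines. Only line-local patterns are expressible this way; absence-type items such as missing rate limiting or weak password requirements need control-flow or configuration analysis, which is why they are not in the table. The rule ids, severities and sample lines are all assumptions made for this example.

```javascript
// Added example, not code from the scry project: a hypothetical
// passwordSecurity-style rule set. Each entry maps one item from the
// Copilot-generated categories to a regex that can be tested per line.
// Patterns deliberately omit the /g flag: test() on a global regex
// carries lastIndex across calls and yields inconsistent results.
const PASSWORD_RULES = [
  { category: 'storage',        id: 'plaintext-password', severity: 'HIGH',
    pattern: /\bpassword\s*[:=]\s*["'][^"']+["']/i },
  { category: 'storage',        id: 'weak-hash',          severity: 'HIGH',
    pattern: /createHash\(\s*["'](md5|sha1)["']\s*\)/i },
  { category: 'transmission',   id: 'password-in-url',    severity: 'HIGH',
    pattern: /\bhttps?:\/\/[^"'\s]*[?&]password=/i },
  { category: 'transmission',   id: 'password-in-log',    severity: 'MEDIUM',
    pattern: /console\.(log|info|debug)\([^)]*\bpassword\b/i },
  { category: 'implementation', id: 'custom-hash',        severity: 'MEDIUM',
    pattern: /function\s+\w*(hash|encrypt)\w*Password\w*\s*\(/i },
];

// Constructed sample source lines; lines 6 and 7 are safe controls that
// must produce no finding (argon2 is assumed to be an installed library).
const PASSWORD_SAMPLE = [
  'const password = "hunter2";',
  'const digest = crypto.createHash("md5").update(password).digest("hex");',
  'fetch("http://api.example.com/login?user=bob&password=" + password);',
  'console.log("login attempt for", username, password);',
  'function hashPassword(p) { let h = 0; for (const c of p) h = (h * 31 + c.charCodeAt(0)) | 0; return h; }',
  'const hashed = await argon2.hash(password);',
  'if (!(await argon2.verify(user.passwordHash, password))) return deny();',
];

// Run every rule over every line and return one finding per (line, rule) hit.
function scanPasswordRules(lines, rules = PASSWORD_RULES) {
  const findings = [];
  lines.forEach((line, i) => {
    for (const rule of rules) {
      if (rule.pattern.test(line)) {
        findings.push({ line: i + 1, id: rule.id, category: rule.category, severity: rule.severity });
      }
    }
  });
  return findings;
}

// Stand-alone demo: prints one finding for each of lines 1-5 and none for 6-7.
for (const f of scanPasswordRules(PASSWORD_SAMPLE)) {
  console.log(`${f.severity.padEnd(6)} ${f.id.padEnd(20)} line ${f.line} (${f.category})`);
}
```

The two control lines matter as much as the five positives: a rule set that only ever sees vulnerable input will happily flag `argon2.verify(user.passwordHash, password)` as a plaintext password if its regex is one character too loose.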
2. Comprehensive Code Auditing (Critical Bug Discovery)
Using Copilot CLI for holistic code analysis, I discovered critical issues that would take 10+ hours of manual review to find:
- Regex State Management Bug: Global regex patterns with the /g flag reused across loop iterations, causing inconsistent results (a JavaScript-specific behavior nearly invisible without cross-file analysis)
- Silent Error Swallowing: File read failures caught in try/catch but never logged, causing scan failures to go completely undetected
- Regex DoS Vulnerability: Backtracking patterns susceptible to denial-of-service attacks on adversarial input
- False Positive Floods: 40-character hex patterns matching Git commit SHAs, flooding results with noise
These issues are extremely difficult for humans to spot because they require:
- Cross file context and async pattern recognition
- Regex/JavaScript runtime expertise
- Security mindset for adversarial input thinking
After fixing these critical issues guided by Copilot's analysis:
- [+] Eliminated 40% false positives in findings
- [+] Ensured scan reliability (no silent failures)
- [+] Prevented DoS vulnerabilities
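Two of the bugs listed above are easy to reproduce in a few lines, so here is an added example (my own minimal rule engine, not scry's code) that shows the stale-lastIndex behavior of a reused /g regex and the git-SHA false positive, each beside its fix. The sample lines, rule names and the AWS-style example key are constructed for this illustration.

```javascript
// Added example, not code from the scry project: a tiny rule engine that
// reproduces two of the scanner defects found in the Copilot audit.

// Constructed sample source lines (one per "file" line); all values are fake.
const SAMPLE_LINES = [
  'const apiKey = "AKIAIOSFODNN7EXAMPLE";',                       // 1: AWS docs example key id
  'const password = "hunter2";',                                   // 2: plaintext password
  'const commit = "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3";',   // 3: a git SHA, not a secret
  'const token = "secret-token-value";',                           // 4: hardcoded token
  'const apiSecret = "0123456789abcdef0123456789abcdef01234567";', // 5: 40-hex secret
];

// Defect 1: a /g regex reused across iterations. After a successful test(),
// lastIndex points into the previous line, so the next line is searched from
// that offset (and skipped entirely when it is shorter than the offset).
const SECRET_ASSIGN = /\b(password|secret|token|apiKey)\s*=\s*["'][^"']+["']/gi;

function scanBuggy(lines, pattern) {
  const hits = [];
  for (let i = 0; i < lines.length; i++) {
    if (pattern.test(lines[i])) hits.push(i + 1); // stale lastIndex makes line 2 a miss
  }
  return hits;
}

function scanFixed(lines, pattern) {
  const hits = [];
  for (let i = 0; i < lines.length; i++) {
    pattern.lastIndex = 0; // reset before each test(); or drop /g when only test() is used
    if (pattern.test(lines[i])) hits.push(i + 1);
  }
  return hits;
}

// Defect 2: a bare 40-hex pattern matches every git commit SHA in the codebase.
const HEX_ANYWHERE = /\b[0-9a-f]{40}\b/i;
// Refinement: only fire when the value is assigned to a secret-looking identifier.
const HEX_SECRET_ASSIGN = /\b\w*(secret|token|key|password)\w*\s*[:=]\s*["'][0-9a-f]{40}["']/i;

// Non-global patterns ignore lastIndex, so a plain per-line test() is safe here.
function matchingLines(lines, pattern) {
  return lines.flatMap((line, i) => (pattern.test(line) ? [i + 1] : []));
}

// Stand-alone demo: buggy scan reports [1,4], fixed scan reports [1,2,4];
// the bare hex rule reports [3,5], the refined one reports [5].
console.log('buggy /g scan   :', scanBuggy(SAMPLE_LINES, SECRET_ASSIGN));
console.log('fixed /g scan   :', scanFixed(SAMPLE_LINES, SECRET_ASSIGN));
console.log('bare 40-hex rule:', matchingLines(SAMPLE_LINES, HEX_ANYWHERE));
console.log('refined hex rule:', matchingLines(SAMPLE_LINES, HEX_SECRET_ASSIGN));
```

The /g bug is worth a regression test in any JavaScript scanner because it is order-dependent: the same rule passes on a file whose lines happen to be long enough and fails on one where a short line follows a match.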
See full analysis: docs/copilot workings/code-analysis-for-improvements/notes.md
3. Implementation Planning with AI Insights
For complex features like password handling detection, I used Copilot to think through edge cases and implementation details before coding. This prevented costly refactors and ensured the detection rules covered real world vulnerable patterns, not just theoretical ones.
Installation & Usage
Install from npm:
# Global installation
npm install -g @johsam-f/scry
# Or use with npx (no installation required)
npx @johsam-f/scry scan .
Basic commands:
# Scan current directory
scry scan .
# Scan specific path
scry scan ./src
# Show explanations and fixes
scry scan . --explain --fix
# Output as JSON for CI/CD
scry scan . --output json
# Strict mode (exit code 1 if issues found)
scry scan . --strict
For a complete command reference, see commands.md.
What scry Detects (8 Security Rules)
- Hardcoded Secrets - API keys, tokens, AWS credentials
- JWT in Client Storage - localStorage/sessionStorage token exposure
- Insecure Cookies - Missing httpOnly, secure, sameSite flags
- eval() Usage - Dangerous dynamic code execution
- CORS Misconfiguration - Overly permissive allow-origins
- .env Exposure - Credentials in version control
- Weak Cryptography - MD5, SHA1, unsalted hashing
- Password Security - Plaintext storage, weak validation, insecure transmission
Example Output
Severity | Rule | File | Line | Message
---------|--------------------| --------------|------|---------------------
HIGH | hardcoded-secrets | src/config.ts | 14 | Hardcoded API key
HIGH | jwt-storage | src/auth.ts | 28 | JWT in localStorage
MEDIUM | cors-config | src/server.ts | 45 | Permissive CORS
Summary: 3 issues found in 847 files (2.3s)
Vulnerable Code Example
Here's code that scry detects:
// Password Security Issue
const users = {
  admin: "password123", // [x] scry flags: plaintext password storage
  user: "letmein"       // [x] weak password
};
// Hardcoded Secrets
const apiKey = "ghp_abcd1234efgh5678ijkl9012mnop3456qrst"; // [x] GitHub token exposed
// JWT Misuse
localStorage.setItem('token', jwtToken); // [x] JWT in client-side storage
// Insecure Cookies
res.setHeader('Set-Cookie', `session=${token}`); // [x] Missing httpOnly flag
// CORS Problem
app.use(cors({ origin: '*' })); // [x] Allows all origins
scry catches all of these and provides fix suggestions with secure alternatives.
Key Learnings
When Building Security Tools, AI Helps Most With:
- Comprehensive Analysis - AI can audit entire codebases for subtle cross-file bugs that humans miss in isolated code review
- Security Research - Structuring vulnerability categories helps map abstract security concepts to detectable patterns
- Edge Case Discovery - AI patterns can surface non-obvious issues (regex state mutations, silent errors) that only emerge through holistic analysis
- Implementation Planning - Thinking through complex features before coding prevents costly refactors
Important Development Principle:
During this project, I learned that avoiding parallel implementations is critical when using AI assistance. Implementing multiple features simultaneously with AI help leads to confusion and makes it harder to track changes and identify issues. By focusing on one implementation at a time and thoroughly testing each change, I maintained code quality and clarity.
Beyond the Tool:
Building scry taught me that security tools work best when they educate, not just alert. Developers shouldn't just fix vulnerabilities; they should understand why they matter. That's where good tooling and clear explanations create lasting impact.
The Full Story
The detailed documentation of how I used GitHub Copilot CLI, including screenshots, prompts, analysis results, and implementation decisions, is available in the repository:
docs/copilot workings/ contains:
- Password handling strategy (password-handling-plan/)
- Critical bug audits (code-analysis-for-improvements/)
- Implementation planning notes with AI insights
- And much more!
Try It Out
scry is open source and ready to scan your codebase:
npx @johsam-f/scry scan .
Or install locally/globally from npm:
npm install -g @johsam-f/scry
npm install @johsam-f/scry
Contributions welcome! GitHub Repo
Please feel free to ask, suggest improvements, give me some developer love, some advice, or whatever you feel like sharing with me, or just say hi!