Cybersecurity isn't just for ops teams anymore. As developers, we ship code that handles user data, processes file uploads, and talks to external services. The tools below will help you build safer applications — from scanning malware in uploaded files to auditing your dependencies.
1. 🍋 pompelmi — Antivirus Scanning for Node.js
Website: pompelmi.app | npm: pompelmi | License: ISC
If your Node.js application accepts file uploads, pompelmi is the tool you didn't know you needed.
It's a minimal, zero-dependency wrapper around ClamAV's clamscan command that lets you scan any file path and get back a clean, typed result: no daemons, no cloud calls, no native bindings. ClamAV itself, with an up-to-date signature database, still has to be installed on the host.
```javascript
const { scan, Verdict } = require('pompelmi');

async function scanUpload(filePath) {
  const result = await scan(filePath); // Verdict.Clean | Verdict.Malicious | Verdict.ScanError
  if (result === Verdict.Malicious) {
    throw new Error('Upload rejected: malware detected');
  }
  if (result === Verdict.ScanError) {
    // Fail closed: a file that could not be scanned is not a clean file.
    throw new Error('Upload rejected: scan failed');
  }
  return result; // Verdict.Clean
}
```
What makes it special:
- One function — just call `scan(path)` and await a typed `Verdict` symbol
- Zero runtime dependencies — uses Node's built-in `child_process`
- Cross-platform — works on macOS, Linux, and Windows
- No daemon required — invokes `clamscan` directly, no background process to manage
- Exit-code mapped — no stdout parsing, no brittle regex
Install it in seconds:
```shell
npm install pompelmi

# macOS
brew install clamav && freshclam

# Linux
sudo apt-get install -y clamav clamav-daemon && sudo freshclam
```
If you're building an API that accepts PDFs, images, or documents from untrusted users, pompelmi adds a malware check with a single call. Two caveats to plan for: clamscan loads the full signature database on every invocation, so each scan costs several seconds and a large amount of memory (at high upload volumes, clamd is the usual answer), and signature-based scanning only catches known malware. Keep the other upload controls in place too: size limits, content-type checks that don't trust the client, and storage outside the web root.
🔗 Full docs, Docker guide, and API reference at pompelmi.app
2. 🔍 Snyk — Find and Fix Vulnerabilities in Your Code
Website: snyk.io | Free tier: Yes
Snyk is one of the most developer-friendly security tools available. It scans your project's dependencies (npm, pip, Maven, etc.), your container images, and even your Infrastructure-as-Code files for known vulnerabilities.
What stands out is the fix PRs feature — Snyk can automatically open a pull request to upgrade a vulnerable dependency. It integrates directly into GitHub, GitLab, and VS Code.
```shell
npm install -g snyk
snyk auth
snyk test
```
Best for: Continuous dependency vulnerability scanning in CI/CD pipelines.
3. 🛡️ OWASP ZAP — The Classic Web App Scanner
Website: zaproxy.org | License: Apache 2.0
The OWASP Zed Attack Proxy (ZAP) is a battle-tested, open-source web application security scanner maintained by OWASP. It can find XSS, SQL injection, CSRF, and dozens of other vulnerabilities by actively probing your running app.
It comes with both a GUI and a headless/CLI mode; the zap-baseline.py script shipped in the official Docker image runs a passive scan against a URL and reports findings in a form CI can act on, which makes it easy to embed into a pipeline.
Best for: Integration and regression security testing of web apps before deployment.
4. 🔐 Vault by HashiCorp — Secrets Management
Website: vaultproject.io | License: BSL 1.1 (earlier releases were MPL 2.0)
Hardcoded secrets in your codebase are a ticking time bomb. HashiCorp Vault gives you a centralized, auditable secrets store with fine-grained access control.
It supports dynamic secrets (credentials that are generated on demand and auto-expire), encryption as a service, and integrations with AWS, Kubernetes, and more.
```shell
vault kv put secret/myapp db_password="supersecret"
vault kv get secret/myapp
```
Best for: Teams managing API keys, database credentials, and certificates across multiple services. One habit to build early: a secret passed as a command-line argument, as in the put above, lands in shell history and process listings, so in practice read the value from a file or stdin (vault kv put accepts key=@file and key=- for this).
5. 🧱 Helmet.js — HTTP Security Headers for Express
Website: helmetjs.github.io | npm: helmet
A surprising number of web vulnerabilities are mitigated simply by setting the right HTTP response headers. Helmet is a tiny Express middleware that sets headers like Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and more.
```javascript
const express = require('express');
const helmet = require('helmet');

const app = express();
app.use(helmet());
```
One line of code for a solid baseline. The one part to review before shipping is the default Content-Security-Policy: it allows scripts only from your own origin, so inline scripts and third-party CDNs stop working until you configure the directives explicitly. That is the policy doing its job, not a reason to disable it.
Best for: Any Node.js/Express application serving a frontend.
6. 🕵️ Trivy — Container & IaC Vulnerability Scanner
Website: trivy.dev | License: Apache 2.0
If you ship Docker containers, Trivy by Aqua Security is the go-to scanner. It checks OS packages, language-specific packages, IaC misconfigurations, and even secrets accidentally baked into your image layers.
```shell
trivy image node:18-alpine
trivy fs ./myproject
```
It's fast, needs no configuration for basic use, and integrates cleanly with GitHub Actions and other CI systems. To use it as a gate rather than a report, run it with --exit-code 1 and a --severity filter (for example HIGH,CRITICAL) so only findings at that level fail the build.
Best for: Scanning container images and repositories before pushing to production.
7. 🔎 Semgrep — Static Analysis That Doesn't Suck
Website: semgrep.dev | Free tier: Yes
Semgrep is a fast, lightweight static analysis tool that lets you write rules in a syntax that closely mirrors the code you're analyzing. It supports 30+ languages and comes with thousands of community rules for catching common security bugs.
```shell
semgrep --config=p/security-audit ./src
```
Unlike traditional SAST tools, Semgrep rules are readable and easy to customize: you can write your own rule in minutes to enforce team-specific security patterns. In CI, add --error so the run exits non-zero when a rule matches.
Best for: Catching security bugs and anti-patterns during code review and CI.
8. 🌐 Burp Suite Community Edition — Manual Pen Testing
Website: portswigger.net/burp | Free tier: Community Edition
Burp Suite is the industry standard for manual web application penetration testing. It acts as a proxy between your browser and the server, letting you intercept, inspect, and modify HTTP/S requests in real time.
The Community Edition is free and includes the intercepting proxy, Repeater, Decoder, and Intruder tools. Intruder is rate-limited in the Community Edition, so large automated attacks are slow, but it is enough to manually probe your own app for logic flaws and injection points.
Best for: Deep-dive manual security testing and bug bounty research.
9. 🔑 age — Modern File Encryption
Website: age-encryption.org | License: BSD 3-Clause
age (pronounced like the word) is a modern, simple file encryption tool and Go library. It is designed as a safer, smaller replacement for GPG in the file-encryption use case: one format, fixed modern primitives, no keyrings or web of trust, and no cipher or compression options to misconfigure.
```shell
# Encrypt a file
age -r $RECIPIENT_PUBLIC_KEY secret.txt > secret.txt.age

# Decrypt it
age -d -i ~/.ssh/id_ed25519 secret.txt.age > secret.txt
```
Best for: Encrypting secrets files, backups, and config files before storing or transmitting them. Recipient and identity must match: a native age1... recipient pairs with an age identity file, while an SSH public key recipient (as in the example above) pairs with the corresponding SSH private key.
10. 📋 npm audit — The One You're Already Ignoring
Built into npm | Free
Okay, this one's a reminder, not a discovery. npm audit is built into every npm installation and checks your dependency tree for known vulnerabilities against the npm registry's advisory data, which is sourced from the GitHub Advisory Database.
```shell
npm audit
npm audit fix
npm audit fix --force   # also installs semver-major upgrades
```
The dirty secret is that most developers run it once and then ignore the warnings. Make it part of your CI pipeline: npm audit --audit-level=high exits non-zero only when a high or critical advisory is present, so the build fails on what matters without drowning in moderate noise. Treat --force with care, since the semver-major upgrades it pulls in can break your build; review the resulting lockfile diff rather than committing it blind. No excuses: it's already installed.
Best for: Every single Node.js project, every single time.
Summary Table
| Tool | Category | Language/Platform | Free? |
|---|---|---|---|
| pompelmi | Malware scanning | Node.js | ✅ |
| Snyk | Dependency scanning | Polyglot | ✅ (tier) |
| OWASP ZAP | Web app scanning | Any | ✅ |
| HashiCorp Vault | Secrets management | Any | ✅ (BSL, source-available) |
| Helmet.js | HTTP headers | Node.js/Express | ✅ |
| Trivy | Container scanning | Docker/IaC | ✅ |
| Semgrep | Static analysis | 30+ languages | ✅ (tier) |
| Burp Suite | Pen testing | Web | ✅ (CE) |
| age | File encryption | Any | ✅ |
| npm audit | Dependency audit | Node.js | ✅ |
Final Thoughts
Security doesn't have to be overwhelming. These ten tools cover the most common attack surfaces a typical application exposes: vulnerable dependencies, insecure headers, unscanned uploads, leaked secrets, and misconfigured containers.
Start with the ones closest to your stack. If you're building a Node.js API that accepts file uploads, pompelmi is the first tool you should add today: it's an npm install away and could be the difference between a safe app and a headline.
Found this useful? Drop a ❤️ and share it with your team. Security is everyone's job.