I Turned My npm Package Into a Full DevOps Security Toolkit (v2.0.0)

Tags: opensource, devops, security, typescript
Author: Nevin-Bali100

A few weeks ago I published dep-inspector-cli — a dependency analyzer for Node.js projects. It went from 107 → 240 weekly downloads in a day, which honestly surprised me.
But the more I used it in real projects, the more I kept thinking: dependency scanning is just one piece. What about secrets, Docker misconfigs, broken CI pipelines?
So I rebuilt it. v2.0.0 is out now — and it's a completely different tool.

What changed
v1 did one thing: dependency + vulnerability analysis.
v2 does six: the dependency analysis from v1, plus five new scans (secrets, Docker, CI, ports, logs), each covered below.

The features in detail
🔐 scan:secrets — what it catches
This one I'm most proud of. It scans your entire codebase for:

  • AWS Access Keys & Secret Keys
  • OpenAI, Groq, GitHub tokens
  • Hardcoded JWT secrets
  • MongoDB / PostgreSQL connection strings with credentials
  • Stripe & Razorpay live keys (not test keys)
  • Generic password= / secret= assignments in source files
  • .env files not listed in .gitignore

The last one is important — it doesn't scan .env content (that's expected to have secrets), but it checks whether .env is gitignored. A surprising number of projects miss this.

```
dep-inspector scan:secrets

🔐 Secrets Scanner

✅ .env is gitignored
[HIGH] JWT Secret hardcoded
  File : src/middleware/auth.ts:12
  Code : const JWT_SECRET = "my-super-secret-key-123"
```
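To show what the "regex, file parsing" approach looks like end to end, here is an added example of my own (not dep-inspector's source): a handful of rules run line by line over a constructed set of source files, a `.gitignore` check for `.env`, and redaction of the matched value so the report can be uploaded as a CI artifact without leaking the secret it found. The rule patterns, the `scanSource` / `isEnvGitignored` / `runSecretScan` names, and every file in `SAMPLE_FILES` are assumptions constructed for this illustration.

```javascript
// Added example: a minimal regex-based secret scanner in the spirit of
// `dep-inspector scan:secrets`. Not the tool's own code; every pattern and
// sample file below is constructed for this illustration.

const SECRET_RULES = [
  // AWS access key IDs have a fixed shape (AKIA + 16 uppercase alphanumerics).
  // The 40-char secret key is deliberately not matched: without context it is
  // too false-positive prone.
  { id: 'aws-access-key-id', severity: 'HIGH', pattern: /\bAKIA[0-9A-Z]{16}\b/ },
  // A JWT secret assigned as a string literal (process.env.X does not match).
  { id: 'jwt-secret-hardcoded', severity: 'HIGH', pattern: /JWT_SECRET\s*=\s*["'][^"']{8,}["']/ },
  // Connection strings that embed user:password@host.
  { id: 'db-connection-string-with-credentials', severity: 'HIGH',
    pattern: /\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql):\/\/[^\s:@"']+:[^\s@"']+@/ },
  // Stripe live secret keys; sk_test_ keys are intentionally left alone.
  { id: 'stripe-live-key', severity: 'HIGH', pattern: /\bsk_live_[0-9A-Za-z]{16,}\b/ },
  // Generic password/secret assigned a quoted literal.
  { id: 'generic-credential-literal', severity: 'MEDIUM',
    pattern: /\b(?:password|passwd|secret)\s*[=:]\s*["'][^"']{4,}["']/i },
];

// Scan one file's text; returns one finding per (line, rule) hit.
function scanSource(file, content) {
  const findings = [];
  content.split(/\r?\n/).forEach((line, idx) => {
    for (const rule of SECRET_RULES) {
      const m = rule.pattern.exec(line);
      if (!m) continue;
      findings.push({
        severity: rule.severity,
        rule: rule.id,
        file: `${file}:${idx + 1}`,
        // Replace the matched text so the finding can be logged or uploaded
        // as a CI artifact without copying the secret into it.
        code: line.replace(m[0], `[redacted ${rule.id}]`),
      });
    }
  });
  return findings;
}

// True when a .gitignore entry covers .env (".env", ".env*", ".env.*", "**/.env", "*.env").
function isEnvGitignored(gitignoreText) {
  return gitignoreText.split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'))
    .some((l) => /^(?:\*\*\/)?\.env(?:\*|\.\*)?$/.test(l) || l === '*.env');
}

// files: { path: content }. .env itself is skipped: it is expected to hold
// secrets, the only question is whether it is gitignored.
function runSecretScan(files, gitignoreText) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (path === '.env' || path.endsWith('/.env')) continue;
    findings.push(...scanSource(path, content));
  }
  return { envGitignored: isEnvGitignored(gitignoreText), findings };
}

// Constructed sample project (not a real code base).
const SAMPLE_FILES = {
  'src/middleware/auth.ts':
    'import jwt from "jsonwebtoken";\nconst JWT_SECRET = "my-super-secret-key-123";\n',
  'src/db.ts': 'export const url = "mongodb://app:hunter2@db.internal:27017/app";\n',
  'src/billing.ts':
    'const stripe = new Stripe(process.env.STRIPE_KEY);\n' +
    'const testKey = "sk_test_000000000000000000000000";\n',
  'src/aws.ts': '// accessKeyId: AKIAIOSFODNN7EXAMPLE (AWS documentation sample id)\n',
  '.env': 'JWT_SECRET=real-value-lives-here\n',
};
const SAMPLE_GITIGNORE = 'node_modules/\n.env\ndist/\n';

const report = runSecretScan(SAMPLE_FILES, SAMPLE_GITIGNORE);
console.log(report.envGitignored ? '✅ .env is gitignored' : '[HIGH] .env is not gitignored');
for (const f of report.findings) {
  console.log(`[${f.severity}] ${f.rule}\n  File : ${f.file}\n  Code : ${f.code}`);
}
```

On the sample project this reports three HIGH findings (the JWT literal in `auth.ts`, the MongoDB URL with credentials, the AWS key id) and nothing for the Stripe test key or the `process.env` references; the redaction matters because a findings JSON that quotes the secret verbatim is itself a leak once it lands in an artifact store.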

🐳 scan:docker — Dockerfile analysis

```
dep-inspector scan:docker

🐳 Docker Analysis

[HIGH]   No non-root USER defined — container runs as root
[MEDIUM] No HEALTHCHECK instruction
[MEDIUM] Using ':latest' tag — not reproducible, pin a specific version
[LOW]    npm install without --omit=dev — devDependencies included in image
```

Checks for:

  • Container running as root
  • Missing HEALTHCHECK
  • :latest tag (non-reproducible builds)
  • Secrets in ENV/ARG
  • Missing .dockerignore
  • Single-stage builds
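The checks in that list are all answerable from the Dockerfile text alone, so here is an added example of my own (not dep-inspector's code) that parses a Dockerfile into instructions and applies each of them, run against a weak Dockerfile and a hardened one. The `parseDockerfile` / `analyzeDockerfile` names, the severities, the secret-name regex and both sample Dockerfiles are assumptions constructed for the demo; whether a `.dockerignore` exists is passed in as a flag, since that is a filesystem question rather than a Dockerfile one.

```javascript
// Added example: a small Dockerfile linter covering the checks listed above.
// Not dep-inspector's own code; rules and sample Dockerfiles are constructed.

// Split a Dockerfile into { instruction, args }, joining "\" continuations
// and dropping comments and blank lines.
function parseDockerfile(text) {
  return text.replace(/\\\r?\n/g, ' ')
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'))
    .map((l) => {
      const m = l.match(/^(\S+)\s*(.*)$/);
      return { instruction: m[1].toUpperCase(), args: m[2] };
    });
}

// "KEY=value KEY2=value2" or legacy "KEY value" -> [[key, value], ...]
function keyValuePairs(args) {
  if (args.includes('=')) {
    return args.split(/\s+/).filter(Boolean).map((t) => {
      const i = t.indexOf('=');
      return i === -1 ? [t, ''] : [t.slice(0, i), t.slice(i + 1)];
    });
  }
  const [key, ...rest] = args.split(/\s+/);
  return [[key, rest.join(' ')]];
}

// Pinned means the last path segment carries a digest (@sha256:...) or a tag
// other than :latest. "registry:5000/foo" is handled by looking past the host.
function isPinned(image) {
  const last = image.slice(image.lastIndexOf('/') + 1);
  if (last.includes('@')) return true;
  return last.includes(':') && !last.endsWith(':latest');
}

const SECRET_NAME = /(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|ACCESS_KEY)/i;

function analyzeDockerfile(text, { hasDockerignore = true } = {}) {
  const ins = parseDockerfile(text);
  const findings = [];
  const add = (severity, message) => findings.push({ severity, message });

  // 1. Running as root: no USER at all, or the last USER is root/0.
  const users = ins.filter((i) => i.instruction === 'USER');
  const lastUser = users.length ? users[users.length - 1].args.trim() : '';
  if (!lastUser || lastUser === 'root' || lastUser === '0') {
    add('HIGH', 'No non-root USER defined: container runs as root');
  }

  // 2. Missing HEALTHCHECK.
  if (!ins.some((i) => i.instruction === 'HEALTHCHECK')) add('MEDIUM', 'No HEALTHCHECK instruction');

  // 3. :latest or untagged base images (stage references and scratch are skipped).
  const stages = new Set();
  const froms = ins.filter((i) => i.instruction === 'FROM');
  for (const f of froms) {
    const parts = f.args.split(/\s+/).filter((p) => p && !p.startsWith('--'));
    const image = parts[0];
    const isStageRef = stages.has(image);
    const asIdx = parts.findIndex((p) => p.toUpperCase() === 'AS');
    if (asIdx !== -1 && parts[asIdx + 1]) stages.add(parts[asIdx + 1]);
    if (image === 'scratch' || isStageRef) continue;
    if (!isPinned(image)) add('MEDIUM', `Base image '${image}' is not pinned: use a specific tag or digest`);
  }

  // 4. Secret-looking ENV/ARG with a literal value (ends up in image history).
  for (const i of ins.filter((x) => x.instruction === 'ENV' || x.instruction === 'ARG')) {
    for (const [key, value] of keyValuePairs(i.args)) {
      if (SECRET_NAME.test(key) && value && !value.startsWith('$')) {
        add('HIGH', `${i.instruction} ${key} holds a literal secret: it is visible in image history`);
      }
    }
  }

  // 5. Single-stage build.
  if (froms.length < 2) add('LOW', 'Single-stage build: build tooling ends up in the final image');

  // 6. npm install without --omit=dev (or --production).
  for (const r of ins.filter((x) => x.instruction === 'RUN')) {
    if (/\bnpm\s+(?:install|i|ci)\b/.test(r.args) && !/--omit=dev|--production\b/.test(r.args)) {
      add('LOW', 'npm install without --omit=dev: devDependencies included in image');
    }
  }

  // 7. Missing .dockerignore (a filesystem check, passed in by the caller).
  if (!hasDockerignore) add('MEDIUM', 'No .dockerignore: .git, node_modules and .env may be copied into the image');

  return findings;
}

// Constructed samples: a typical weak Dockerfile and a hardened rewrite.
const WEAK_DOCKERFILE = `
FROM node:latest
ENV API_KEY=abc123-constructed
WORKDIR /app
COPY . .
RUN npm install
CMD ["node", "server.js"]
`;

const HARDENED_DOCKERFILE = `
FROM node:20.11-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

FROM node:20.11-alpine
WORKDIR /app
COPY --from=build /app /app
ARG APP_PORT=3000
USER node
HEALTHCHECK CMD wget -qO- http://localhost:3000/health || exit 1
CMD ["node", "server.js"]
`;

for (const f of analyzeDockerfile(WEAK_DOCKERFILE, { hasDockerignore: false })) {
  console.log(`[${f.severity.padEnd(6)}] ${f.message}`);
}
```

The weak Dockerfile trips all seven checks; the hardened one (pinned tag, multi-stage, `--omit=dev`, a non-root `USER`, a `HEALTHCHECK`, and no literal secrets) produces none.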

⚙️ scan:ci — GitHub Actions linting
This one catches things that are easy to miss in CI configs:

```
dep-inspector scan:ci

⚙️  CI/CD Pipeline Analysis

[HIGH]   deploy.yml: Deprecated '::set-output' — replace with $GITHUB_OUTPUT
[HIGH]   pr.yml: pull_request_target + actions/checkout is a privilege escalation risk
[MEDIUM] build.yml: Actions using @main — pin to a specific version
[LOW]    build.yml: No caching configured — builds will be slow
```

The pull_request_target + actions/checkout combination is a real security issue that's bitten several open source projects. Good to catch it early.
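As an added example of what those four workflow rules look for (my own illustration, not dep-inspector's code), here is a line-based pass over the text of each workflow file. It deliberately avoids a YAML parser so the patterns stay visible, which makes it coarser than a real implementation; the `WORKFLOW_RULES` table, the `analyzeWorkflow` / `analyzeWorkflows` names and all four sample workflows are assumptions constructed for the demo.

```javascript
// Added example: line-based checks for the GitHub Actions problems listed
// above. Not dep-inspector's own code; a real YAML parser would be more
// robust, but these regexes show what each rule is looking for.

const WORKFLOW_RULES = [
  {
    id: 'deprecated-set-output', severity: 'HIGH',
    test: (y) => /::set-output\b/.test(y),
    message: "Deprecated '::set-output': write to $GITHUB_OUTPUT instead",
  },
  {
    id: 'pull-request-target-checkout', severity: 'HIGH',
    // pull_request_target runs in the base repository's context (secrets and a
    // write-capable token); checking out PR code in that context is the risk.
    test: (y) => /\bpull_request_target\b/.test(y) && /uses:\s*actions\/checkout@/.test(y),
    message: 'pull_request_target + actions/checkout: PR code can run with repository secrets',
  },
  {
    id: 'action-pinned-to-branch', severity: 'MEDIUM',
    test: (y) => /uses:\s*[\w.-]+\/[\w.-]+(?:\/[\w./-]+)?@(?:main|master)\b/.test(y),
    message: 'Action pinned to a moving branch (@main/@master): pin to a tag or commit SHA',
  },
  {
    id: 'no-caching', severity: 'LOW',
    // Either an explicit actions/cache step or a "cache:" input (e.g. setup-node).
    test: (y) => !/actions\/cache@/.test(y) && !/^\s*cache:\s*\S+/m.test(y),
    message: 'No caching configured: builds will be slow',
  },
];

// Apply every rule to one workflow file's text.
function analyzeWorkflow(file, yamlText) {
  return WORKFLOW_RULES
    .filter((rule) => rule.test(yamlText))
    .map((rule) => ({ severity: rule.severity, file, rule: rule.id, message: rule.message }));
}

// workflows: { fileName: yamlText }
function analyzeWorkflows(workflows) {
  return Object.entries(workflows).flatMap(([file, text]) => analyzeWorkflow(file, text));
}

// Constructed sample workflows (not from a real repository).
const SAMPLE_WORKFLOWS = {
  'deploy.yml': `
name: Deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "::set-output name=version::1.2.3"
`,
  'pr.yml': `
name: PR
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
`,
  'build.yml': `
name: Build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - run: npm ci
`,
  'good.yml': `
name: Test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci && npm test
`,
};

for (const f of analyzeWorkflows(SAMPLE_WORKFLOWS)) {
  console.log(`[${f.severity.padEnd(6)}] ${f.file}: ${f.message}`);
}
```

`good.yml` (plain `pull_request`, versioned actions, `cache: npm`) comes back clean; the other three each produce the finding they were written to trigger plus the low-severity caching note.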

🔌 scan:ports — port monitor

```
dep-inspector scan:ports

🔌 Port & Process Monitor

[WARN] :27017 — Port 27017 is publicly exposed — restrict to localhost
[WARN] :6379  — Port 6379 is publicly exposed — restrict to localhost
[OK]   :3000
[OK]   :443
```

Flags database ports (MongoDB, Redis, PostgreSQL, MySQL) that are exposed on 0.0.0.0 instead of localhost. Works on both Linux and Windows.
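Here is an added example of my own (not dep-inspector's code) of the classification that check performs: parse the listening sockets, pick out the known database ports, and flag only those bound to a wildcard address. It parses text in the shape of `ss -ltn` (Linux) or `netstat -ano` (Windows) output, relying on the fact that in both formats the local address is the first whitespace-separated token ending in `:<port>`; that parsing assumption, the `DB_PORTS` table, the function names and both sample outputs are constructed for the demo.

```javascript
// Added example: classify listening sockets the way the port monitor above
// describes. Not dep-inspector's own code; parsing assumptions and sample
// output are constructed for this illustration.

const DB_PORTS = { 27017: 'MongoDB', 6379: 'Redis', 5432: 'PostgreSQL', 3306: 'MySQL' };
// Addresses that mean "every interface" in ss / netstat output.
const WILDCARD_ADDRS = new Set(['0.0.0.0', '*', '[::]', '::']);

// Extract { address, port } for each listening TCP socket from ss-style
// ("LISTEN ... 0.0.0.0:27017 ...") or netstat-style ("TCP 0.0.0.0:27017 ... LISTENING") lines.
function parseListeners(text) {
  const sockets = [];
  for (const line of text.split(/\r?\n/)) {
    if (!/\bLISTEN(?:ING)?\b/.test(line)) continue;
    // In both formats the local address is the first token ending in ":<port>".
    const local = line.trim().split(/\s+/).find((t) => /^.+:\d+$/.test(t));
    if (!local) continue;
    const i = local.lastIndexOf(':');
    sockets.push({ address: local.slice(0, i), port: Number(local.slice(i + 1)) });
  }
  return sockets;
}

// WARN only for known database ports bound to all interfaces; everything else
// is reported as OK, matching the tool's output shown above.
function checkPorts(text) {
  return parseListeners(text).map(({ address, port }) => {
    const service = DB_PORTS[port] || null;
    const exposed = WILDCARD_ADDRS.has(address);
    const warn = Boolean(service) && exposed;
    return {
      port, address, service,
      status: warn ? 'WARN' : 'OK',
      message: warn
        ? `${service} port ${port} is bound to all interfaces: restrict to localhost or firewall it`
        : 'ok',
    };
  });
}

// Constructed sample in the shape of `ss -ltn` output.
const SAMPLE_SS_OUTPUT = `
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:27017        0.0.0.0:*
LISTEN  0       128     *:6379               *:*
LISTEN  0       511     127.0.0.1:3000       0.0.0.0:*
LISTEN  0       4096    [::]:443             [::]:*
LISTEN  0       128     [::1]:5432           [::]:*
`;

// Constructed sample in the shape of `netstat -ano` output.
const SAMPLE_NETSTAT_OUTPUT = `
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:6379         0.0.0.0:0              LISTENING       999
`;

for (const r of checkPorts(SAMPLE_SS_OUTPUT)) {
  console.log(`[${r.status.padEnd(4)}] :${r.port}${r.status === 'WARN' ? ' ' + r.message : ''}`);
}
```

On the ss sample, 27017 and 6379 are flagged, while 5432 bound to `[::1]` and the non-database ports 3000 and 443 pass; the netstat sample flags MySQL on `0.0.0.0:3306` and passes Redis on `127.0.0.1`.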

📋 scan:logs — logger health

```
dep-inspector scan:logs

📋 Logger Health Check

✅ winston detected
⚠️  winston-daily-rotate-file not found — logs may grow unbounded
⚠️  LOG_LEVEL not set in .env — logger may default to verbose in production
```

Zero AI dependency by default
v1 had a problem: if you didn't have GROQ_API_KEY, the tool felt incomplete. Several people mentioned this in feedback.
v2 fixes it properly. Every scan is pure static analysis — regex, file parsing, CLI wrappers. No API calls, no keys, works offline, works in CI.
The --ai flag is additive:

```bash
# Works for everyone
dep-inspector scan:secrets

# Optional enhanced output if you have a Groq key
dep-inspector scan:secrets --ai
```

I also dropped LangChain entirely and moved to the official groq-sdk. Fewer dependencies, no transitive vulnerabilities, faster installs.

CI/CD integration

```yaml
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  dep-inspector:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g dep-inspector-cli
      - run: dep-inspector scan:secrets --json > secrets.json
      - run: dep-inspector scan:ci
      - uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: "*.json"
```

Fail build on HIGH severity findings:

```bash
dep-inspector scan:secrets --json | node -e "
  let d = '';
  process.stdin.on('data', c => d += c);
  process.stdin.on('end', () => {
    const { findings } = JSON.parse(d);
    const high = findings.filter(f => f.severity === 'HIGH').length;
    if (high > 0) { process.exit(1); }
  });
"
```

What's next

  1. .git history scanning (catch secrets that were deleted but still in history)
  2. scan:docker — docker-compose multi-service analysis
  3. --report flag — HTML report with charts
  4. Custom rules via .depinspectorrc

Try it:

```bash
npm install -g dep-inspector-cli
cd your-project
dep-inspector scan:all
```

📦 npm: npmjs.com/package/dep-inspector-cli
🐙 GitHub: github.com/Nevin100/Dep-inspector-cli
If it's useful, a ⭐ on GitHub helps a lot. Issues and PRs are open.