Security scanner for vibe-coded apps. Catch what Copilot ships and Snyk overcharges for.
```bash
pip install critik
critik scan .
```

- Hardcoded secrets — AWS keys, API tokens, database URLs, private keys (16 patterns)
- SQL injection — f-strings and string concatenation in execute() calls
- Command injection — eval(), exec(), os.system(), subprocess with shell=True
- XSS vectors — dangerouslySetInnerHTML, document.write(), eval() in JS
- Missing auth — FastAPI/Express routes without authentication middleware
- Insecure config — DEBUG=True, CORS wildcard, insecure cookies
- Exposed .env — real secrets in .env files, missing .gitignore entries
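Roughly what a scanner has to do for three of the entries above (AWS access key IDs, SQL built by string formatting inside `execute()`, `subprocess` calls with `shell=True`), as an added example that is not critik's own code: a minimal AST-plus-regex detector run over a constructed sample file. `scan_source`, `exit_code` and the sample source are illustrative and not critik's API; the key in the sample is AWS's documented placeholder, not a live credential.

```python
"""Added example, not critik's own code: a minimal AST-plus-regex detector
for three of the patterns a scanner like this looks for, run over a
constructed sample file. Function names and the sample are illustrative."""
import ast
import re

# AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed sample source (not a real project). The key is AWS's
# documented placeholder AKIAIOSFODNN7EXAMPLE, not a live credential.
SAMPLE = '''
import subprocess
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
def get_user(conn, name):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
def ping(host):
    subprocess.run("ping -c1 " + host, shell=True)
    subprocess.run(["ping", "-c1", host])
'''


def _is_execute_call(call):
    return isinstance(call.func, ast.Attribute) and call.func.attr == "execute"


def _built_at_runtime(node):
    """True for f-strings, '+' / '%' operators and str.format(): all of them
    splice values into the SQL text instead of passing them as parameters."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _shell_true(call):
    return any(kw.arg == "shell"
               and isinstance(kw.value, ast.Constant)
               and kw.value.value is True
               for kw in call.keywords)


def scan_source(source):
    """Return sorted (line, severity, message) tuples for one Python file."""
    findings = []
    # Secrets are matched on raw text, so they are found in comments and
    # config-like files as well as in parsed Python.
    for lineno, line in enumerate(source.splitlines(), 1):
        if AWS_KEY_RE.search(line):
            findings.append((lineno, "critical", "hardcoded AWS access key"))
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if _is_execute_call(node) and node.args and _built_at_runtime(node.args[0]):
            findings.append((node.lineno, "high",
                             "SQL built by string formatting in execute()"))
        if _shell_true(node):
            findings.append((node.lineno, "high", "subprocess call with shell=True"))
    return sorted(findings)


def exit_code(findings):
    """Mirror the exit-code contract documented below: 1 when any
    critical or high finding exists, otherwise 0."""
    return 1 if any(sev in ("critical", "high") for _, sev, _ in findings) else 0


if __name__ == "__main__":
    results = scan_source(SAMPLE)
    for lineno, sev, msg in results:
        print(f"line {lineno}: [{sev}] {msg}")
    print("exit code:", exit_code(results))
```

The parameterized `execute()` and the list-form `subprocess.run()` in the sample are deliberately left unflagged: a scanner that fires on every `execute()` call would be the style-nit generator the tool says it is not.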
```bash
# Scan current directory
critik scan .

# Scan specific path
critik scan ./src

# JSON output (for CI/CD)
critik scan . --format json

# Only show critical and high
critik scan . --severity high

# Quiet mode (summary only)
critik scan . --quiet
```

Exit codes:

- `0` — No critical or high findings
- `1` — Critical or high findings detected
- `2` — Scanner error
- Python (.py)
- JavaScript (.js, .jsx)
- TypeScript (.ts, .tsx)
- Environment files (.env)
- Config files (.json, .yaml, .toml)
Create a .critikignore file in your project root:
```
# Skip test fixtures
tests/fixtures/*
# Skip generated code
generated/*
```
Add to `.github/workflows/critik.yml`:

```yaml
name: Critik
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - run: pip install critik
      - run: critik scan .
```

Because `critik scan` exits `1` when it finds critical or high issues, this step fails the job and blocks the merge on its own; no extra gating logic is needed.

For GitHub Code Scanning integration (findings appear inline on PRs):

```yaml
      - run: critik scan . --format sarif > critik.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: critik.sarif
```

Note that the same non-zero exit code stops the workflow before the upload step runs whenever there are findings, so give the `upload-sarif` step `if: always()` if you want the results on the PR in that case; the upload also requires the workflow to grant `security-events: write` under `permissions:`.

53% of teams that shipped AI-generated code discovered security issues that passed review. The vibe coding era needs a security scanner that's:
- Fast — scans in milliseconds, not minutes
- Offline — no API calls, no code leaving your machine
- Free — open source, zero dependencies
- Focused — catches real issues, not style nits
MIT