KitScan is a local, web-based security scanner for source code projects.
Explainable by design. Findings are shown with severity, file location, remediation guidance, and references you can use to validate the result.
KitScan combines static analysis with dependency vulnerability scanning:
- Phase A: fast baseline scan — static analysis rules plus dependency vulnerability lookup via OSV.dev.
- Phase B: deeper source scan to validate/refine findings and reduce noise.
After scanning, the UI shows:
- grouped findings with counts (and expandable file locations)
- a severity chart (pie/bar toggle)
- a Combined / Phase A only / Phase B only view mode toggle
- a final actionable list
- a copy-ready AI remediation prompt for each selected finding
- references to OWASP, CWE, NVD, and other resources per finding
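The dependency half of Phase A, from lockfile to the kind of finding the UI lists (severity, file location, references), as an added example written for this README and not KitScan's own code. The package-lock.json, the OSV.dev batch response and the vulnerability record are constructed sample data so the script runs offline; `EXAMPLE-0001` is a placeholder id.

```javascript
// Added example, not KitScan's code: a Phase-A style dependency lookup against
// OSV.dev, from package-lock.json to findings. Lockfile, batch response and vuln
// record are constructed sample data so this runs offline; a live run would POST
// the queries to https://api.osv.dev/v1/querybatch instead.
// Constructed package-lock.json (lockfileVersion 3: packages keyed by path).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/left-pad": { version: "1.3.0" },
  "node_modules/@scope/widget": { version: "2.0.1", dev: true },
} });
// Build the querybatch body: one {package, version} query per installed
// package; the root entry ("") and entries without a version are skipped.
function buildQueries(lockJson) {
  return Object.entries(JSON.parse(lockJson).packages || {})
    .filter(([p, meta]) => p.startsWith("node_modules/") && meta.version)
    .map(([p, meta]) => ({
      package: { name: p.slice(p.lastIndexOf("node_modules/") + 13), ecosystem: "npm" },
      version: meta.version,
    }));
}
// Constructed querybatch response: results[i] pairs with queries[i] and carries
// only vuln ids; details come from a follow-up GET /v1/vulns/{id}.
const SAMPLE_BATCH = { results: [
  { vulns: [] },
  { vulns: [{ id: "EXAMPLE-0001", modified: "2024-01-01T00:00:00Z" }] },
] };
const SAMPLE_DETAILS = { "EXAMPLE-0001": { // placeholder id, constructed record
  summary: "Example only: prototype pollution in @scope/widget < 2.1.0",
  database_specific: { severity: "HIGH" },
  references: [{ type: "ADVISORY", url: "https://example.invalid/advisory" }],
} };
// Join queries, batch results and details into KitScan-style findings:
// severity, file location, and references a reviewer can check.
function toFindings(queries, batch, details, lockPath = "package-lock.json") {
  const findings = [];
  batch.results.forEach((res, i) => {
    for (const v of res.vulns || []) {
      const d = details[v.id] || {};
      findings.push({
        id: v.id,
        package: `${queries[i].package.name}@${queries[i].version}`,
        severity: (d.database_specific && d.database_specific.severity) || "UNKNOWN",
        location: lockPath,
        references: [`https://osv.dev/vulnerability/${v.id}`, ...(d.references || []).map((r) => r.url)],
      });
    }
  });
  return findings;
}
```

Packages the batch reports clean (an empty `vulns` array) produce no finding, which is why the left-pad entry above yields nothing.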
Requirements:
- Node.js 20+
- npm
From the project root:
```bash
./install
```

This installs dependencies and builds the production app.
From the project root:

```bash
./kitscan
```

You will see:

```
Your Web UI is accessible at: http://localhost:<port>
```

Open that URL in your browser.

To list the available options or choose a port:

```bash
./kitscan --help
./kitscan -p 3001
./kitscan --port 8080
```

Usage:
- Open the UI and go to New Scan.
- Enter the absolute path to your project root and click Mount directory.
- Run Phase A (or click Run All Phases to run both sequentially).
- Run Phase B for deeper analysis.
- Use the view mode toggle to see Combined, Phase A only, or Phase B only results.
- Review grouped findings and expand rows for exact file locations.
- Copy the AI remediation prompt for any finding to get targeted fix suggestions.
KitScan uses deterministic static analysis rules, heuristics, and a live CVE database lookup. It is meant for fast scanning and fixes, but it is not a complete replacement for manual review, runtime testing, or a full penetration test.
Use it as a practical security tool, not a final security guarantee.