AI-powered code security scanner — catch what Copilot ships and Snyk overcharges for
Project description
Critik
Security scanner for vibe-coded apps. Catch what Copilot ships and Snyk overcharges for.
pip install critik
critik scan .
What it catches
- Hardcoded secrets — AWS keys, API tokens, database URLs, private keys (16 patterns)
- SQL injection — f-strings and string concatenation in execute() calls
- Command injection — eval(), exec(), os.system(), subprocess with shell=True
- XSS vectors — dangerouslySetInnerHTML, document.write(), eval() in JS
- Missing auth — FastAPI/Express routes without authentication middleware
- Insecure config — DEBUG=True, CORS wildcard, insecure cookies
- Exposed .env — real secrets in .env files, missing .gitignore entries
Usage
# Scan current directory
critik scan .
# Scan specific path
critik scan ./src
# JSON output (for CI/CD)
critik scan . --format json
# Only show critical and high
critik scan . --severity high
# Quiet mode (summary only)
critik scan . --quiet
Exit codes
0— No critical or high findings1— Critical or high findings detected2— Scanner error
Supported languages
- Python (.py)
- JavaScript (.js, .jsx)
- TypeScript (.ts, .tsx)
- Environment files (.env)
- Config files (.json, .yaml, .toml)
Ignore patterns
Create a .critikignore file in your project root:
# Skip test fixtures
tests/fixtures/*
# Skip generated code
generated/*
GitHub Action
Add to .github/workflows/critik.yml:
name: Critik
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- run: pip install critik
- run: critik scan .
For GitHub Code Scanning integration (findings appear inline on PRs):
- run: critik scan . --format sarif > critik.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: critik.sarif
Why Critik?
53% of teams that shipped AI-generated code discovered security issues that passed review. The vibe coding era needs a security scanner that's:
- Fast — scans in milliseconds, not minutes
- Offline — no API calls, no code leaving your machine
- Free — open source, zero dependencies
- Focused — catches real issues, not style nits
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file critik-0.4.0.tar.gz.
File metadata
- Download URL: critik-0.4.0.tar.gz
- Upload date:
- Size: 34.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
779b9e86f5528c601f68dbb5a1de407c983ce66ed6bf259c3765145943e344be
|
|
| MD5 |
79f4b799374064ac1e98971e22fd245e
|
|
| BLAKE2b-256 |
0cf0ae999ce46cced40292896e2296b1e3e4030322132afb46169e3a98c2cc3b
|
File details
Details for the file critik-0.4.0-py3-none-any.whl.
File metadata
- Download URL: critik-0.4.0-py3-none-any.whl
- Upload date:
- Size: 45.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a0d046db55d157274ce7245188ebf2347b58edd342704e21f905ab0cf9f2ba83
|
|
| MD5 |
8a1de55b4902905a4c59b64255e78e0c
|
|
| BLAKE2b-256 |
f7983db9425c005f9dc41d3b5d1e6aafbc1522342aae1744c268629aac252857
|
