Bastion
A security scanner you can run on your own machine. Free, open source, and built for people shipping a lot of AI-written code.
Why I built it
A lot of code being shipped right now is written with AI help, and a lot of it has basic security problems. Hardcoded API keys, missing headers, CORS policies that are wide open. Two pieces of research underline the scale of the problem. A 2021 NYU study (Pearce et al.) found roughly 40% of GitHub Copilot completions in security-sensitive contexts contained vulnerabilities. A 2022 Stanford study (Perry et al.) found that developers using AI assistants wrote significantly less secure code, and were more likely to believe it was secure. The tools that catch this kind of thing start at £300 a month, which rules out most indie developers and small teams.
Bastion is what I wanted to exist. You run npx bastion-scan; it checks your project against fifteen common security gaps in a few seconds and writes a fix prompt for each one. Paste that prompt into Claude or ChatGPT and you can ship the fix the same afternoon.
It's MIT licensed and open source. Nothing uploads anywhere, no accounts, nothing leaves your machine. It scans itself at 100 out of 100 and ships with npm provenance. There's a Pro tier that adds more checks and a dashboard, but the scanner itself is free and will stay that way.
What it checks
Config and secrets
Checks your .gitignore, validates your .env.example, and finds hardcoded API keys across fifteen patterns: OpenAI (legacy and project), Anthropic, GitHub tokens, AWS, Stripe, Google, Slack, and more, before they end up in your repo.
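As an added illustration of the config-and-secrets check (example code written for this page, not Bastion's own scanner), the block below runs a handful of key-format regexes over constructed file contents and verifies that a .gitignore actually covers the env files. The six patterns, the required ignore entries, and the sample files are my own assumptions; Bastion's fifteen patterns are not reproduced here.

```javascript
// Added example, not Bastion's code. Assumed key formats for a few well-known
// providers; real scanners carry more patterns and tune them per provider.
const SECRET_PATTERNS = [
  { id: 'anthropic-key',  re: /\bsk-ant-[A-Za-z0-9_-]{20,}/ },
  // Negative lookahead keeps Anthropic keys from double-matching as OpenAI keys.
  { id: 'openai-key',     re: /\bsk-(?!ant-)(?:proj-)?[A-Za-z0-9_-]{20,}/ },
  { id: 'github-token',   re: /\bgh[pousr]_[A-Za-z0-9]{36}/ },
  { id: 'aws-access-key', re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}/ },
  { id: 'stripe-key',     re: /\bsk_(?:live|test)_[A-Za-z0-9]{24,}/ },
  { id: 'slack-token',    re: /\bxox[baprs]-[A-Za-z0-9-]{10,}/ },
];

// Assumed minimum set of env files that must be ignored.
const REQUIRED_IGNORES = ['.env', '.env.local'];

// Never echo the full secret back into a report; keep only a short prefix.
function redact(secret) {
  return secret.slice(0, 8) + '...';
}

// Line-oriented scan: one finding per pattern per line, with the line number
// so the fix prompt can point at the exact spot.
function scanSource(path, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, index) => {
    for (const { id, re } of SECRET_PATTERNS) {
      const match = re.exec(line);
      if (match) findings.push({ path, line: index + 1, id, preview: redact(match[0]) });
    }
  });
  return findings;
}

// Minimal .gitignore glob support: '*' is a wildcard, everything else literal.
function gitignoreCovers(patterns, name) {
  return patterns.some((pattern) => {
    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
    return new RegExp('^' + escaped + '$').test(name);
  });
}

// Returns the required entries that the given .gitignore text does not cover.
function checkGitignore(text) {
  const patterns = text
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'))
    .map((l) => l.replace(/^\//, ''));
  return REQUIRED_IGNORES.filter((name) => !gitignoreCovers(patterns, name));
}

// Constructed sample files: two hardcoded keys, one correct env lookup, and a
// .env.example that holds placeholders only (which is what it should hold).
const SAMPLE_FILES = {
  'src/client.js': [
    "const openai = new OpenAI({ apiKey: 'sk-proj-abcdefghijklmnopqrstuvwxyz0123456789' });",
    "const stripe = require('stripe')('sk_test_4eC39HqLyjWDarjtT1zdp7dc');",
    'const apiKey = process.env.OPENAI_API_KEY; // fine: read from the environment',
  ].join('\n'),
  '.env.example': ['OPENAI_API_KEY=your-key-here', 'STRIPE_SECRET_KEY=sk_test_replace_me'].join('\n'),
  '.gitignore': ['node_modules', 'dist'].join('\n'),
};

for (const [path, text] of Object.entries(SAMPLE_FILES)) {
  if (path !== '.gitignore') console.log(path, scanSource(path, text));
}
console.log('.gitignore is missing:', checkGitignore(SAMPLE_FILES['.gitignore']));
```

The preview field is deliberately truncated: a scanner that prints the whole key into a terminal or CI log has just copied the secret into another place it does not belong.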
Security headers and transport
Looks at CSP, HSTS, X-Frame-Options, and X-Content-Type-Options. Checks your SSL certificate expiry, TLS version, and HTTPS redirects. The basic stuff browsers expect to see.
CORS, rate limiting, and auth
Flags wildcard CORS paired with credentials, missing rate-limit middleware, and API routes that don't have any auth in front of them.
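To make the header checks from the two sections above concrete, here is an added example (written for this page, not taken from Bastion) that audits one HTTP response's headers offline: CSP presence and inline-script policy, HSTS age, frame protection, nosniff, and wildcard CORS paired with credentials. The check list, the HSTS threshold, the fix wording and the sample header sets are my assumptions.

```javascript
// Added example, not Bastion's code. Audits a single response's headers.
const HSTS_MIN_AGE = 15552000; // 180 days; assumed threshold

// Header names are case-insensitive, so normalise keys before checking.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Parse "name value value; name value" into { name: [values] }, or null.
function parseCsp(h) {
  const csp = h['content-security-policy'];
  if (!csp) return null;
  const directives = {};
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives;
}

const CHECKS = [
  { id: 'csp-missing',
    fix: 'Add a Content-Security-Policy header with an explicit script-src.',
    pass: (h) => parseCsp(h) !== null },
  { id: 'csp-unsafe-inline-script',
    fix: "Remove 'unsafe-inline' from script-src (or default-src); use nonces or hashes.",
    pass: (h) => {
      const d = parseCsp(h);
      if (!d) return true; // already reported by csp-missing
      const scriptSrc = d['script-src'] || d['default-src'] || []; // default-src applies when script-src is absent
      return !scriptSrc.includes("'unsafe-inline'");
    } },
  { id: 'hsts-weak-or-missing',
    fix: `Send Strict-Transport-Security with max-age of at least ${HSTS_MIN_AGE}.`,
    pass: (h) => {
      const m = /max-age=(\d+)/i.exec(h['strict-transport-security'] || '');
      return m !== null && Number(m[1]) >= HSTS_MIN_AGE;
    } },
  { id: 'frame-protection-missing',
    fix: "Set X-Frame-Options: DENY or a CSP frame-ancestors directive.",
    pass: (h) => {
      const xfo = (h['x-frame-options'] || '').toUpperCase();
      const d = parseCsp(h);
      return xfo === 'DENY' || xfo === 'SAMEORIGIN' || (d !== null && 'frame-ancestors' in d);
    } },
  { id: 'nosniff-missing',
    fix: 'Set X-Content-Type-Options: nosniff.',
    pass: (h) => (h['x-content-type-options'] || '').toLowerCase() === 'nosniff' },
  { id: 'cors-wildcard-with-credentials',
    // Browsers refuse this combination outright, so it never works as intended;
    // the usual "fix" developers reach for is to reflect the request Origin,
    // which does work and is worse. Allow-list explicit origins instead.
    fix: 'Replace origin: "*" with an explicit allow-list when credentials are enabled.',
    pass: (h) => !(h['access-control-allow-origin'] === '*' &&
                   (h['access-control-allow-credentials'] || '').toLowerCase() === 'true') },
];

// Returns a 0-100 score plus the failed checks and their fix hints.
function auditHeaders(rawHeaders) {
  const h = normalize(rawHeaders);
  const failures = CHECKS.filter((c) => !c.pass(h)).map(({ id, fix }) => ({ id, fix }));
  const score = Math.round((100 * (CHECKS.length - failures.length)) / CHECKS.length);
  return { score, failures };
}

// Constructed sample responses: a typical unconfigured app and a hardened one.
const WEAK_HEADERS = {
  'Content-Type': 'text/html',
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
  'Strict-Transport-Security': 'max-age=300',
};
const HARDENED_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Access-Control-Allow-Credentials': 'true',
};

console.log(auditHeaders(WEAK_HEADERS));
console.log(auditHeaders(HARDENED_HEADERS));
```

Note that the hardened set has no X-Frame-Options header at all and still passes the frame check, because frame-ancestors in the CSP is the modern equivalent; a check that insists on the legacy header would produce a false positive on well-configured sites.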
Code patterns and dependencies
Looks for SQL strings being concatenated, uses of eval(), and runs a full npm audit with CVE references and the version you need to upgrade to.
Fix prompts for your LLM
Every failing check comes with a prompt written for your specific stack. Paste it into Claude or ChatGPT, get the fix, ship it.
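The following added example (written for this page; it is not Bastion's implementation and its regexes are my own simplifications) ties the code-pattern check to the fix-prompt idea: it flags SQL built by concatenation or template interpolation and dynamic code execution in a constructed source file, leaves the parameterized query alone, and turns the findings into a prompt a developer could hand to an LLM. The npm audit part of that check needs the registry and is not reproduced here.

```javascript
// Added example, not Bastion's code. Line-based detectors; a real tool would
// parse the AST to avoid matching inside comments and strings.
const CODE_PATTERNS = [
  { id: 'sql-concat',
    // A quoted literal that starts with a SQL verb and is followed by "+ identifier".
    re: /(["'])\s*(?:SELECT|INSERT|UPDATE|DELETE)\b(?:(?!\1).)*\1\s*\+\s*[A-Za-z_$(]/i,
    fix: 'Rewrite this query as a parameterized query; pass the value as a bound parameter.' },
  { id: 'sql-template',
    // A template literal containing a SQL verb and a ${...} interpolation.
    re: /`[^`]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{[^`]*`/i,
    fix: 'Replace the ${} interpolation with a placeholder and a parameterized query.' },
  { id: 'dynamic-eval',
    re: /\b(?:eval|new\s+Function)\s*\(/,
    fix: 'Remove eval()/new Function(); parse data with JSON.parse or dispatch on an allow-list.' },
];

function scanCodePatterns(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, index) => {
    for (const { id, re, fix } of CODE_PATTERNS) {
      if (re.test(line)) findings.push({ line: index + 1, id, fix, snippet: line.trim() });
    }
  });
  return findings;
}

// Builds the text a developer pastes into an LLM: one numbered item per
// finding, each with the offending line and the change that resolves it.
function buildFixPrompt(path, findings) {
  if (findings.length === 0) return `No code-pattern findings in ${path}.`;
  const items = findings.map(
    (f, i) => `${i + 1}. ${path}:${f.line} (${f.id})\n   Code: ${f.snippet}\n   Change: ${f.fix}`,
  );
  return [
    `The Node.js file ${path} has ${findings.length} security finding(s).`,
    'For each item, rewrite the code so the finding no longer applies and keep behaviour otherwise unchanged:',
    ...items,
    'Return the full corrected file.',
  ].join('\n');
}

// Constructed sample source: two unsafe queries, a safe one, safe parsing,
// and two forms of dynamic code execution.
const SAMPLE_SOURCE = [
  'const rows = db.query("SELECT * FROM users WHERE email = \'" + req.body.email + "\'");',
  'const byId = db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);',
  "const safe = db.query('SELECT * FROM users WHERE id = $1', [req.params.id]); // parameterized: not flagged",
  'const parsed = JSON.parse(req.body.payload); // data, not code: not flagged',
  'const cfg = eval(req.query.expr);',
  "const fn = new Function('return ' + userInput);",
].join('\n');

const findings = scanCodePatterns(SAMPLE_SOURCE);
console.log(buildFixPrompt('src/users.js', findings));
```

The prompt includes the exact line and the concrete change rather than a generic "make this secure", which is what keeps the model from rewriting unrelated code or introducing a different weakness while fixing the first one.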
The stack
Elsewhere