FivoSense
One command. 15 seconds. Every vulnerability found. FivoSense is a 100% local, zero-telemetry security scanner that proves real exploits in JavaScript & TypeScript.
From Grade F to Grade A in 60 Minutes
A simple before-and-after comparison of a repository secured with FivoSense.
| Security Parameters | Before FivoSense | After FivoSense (1 hour later) |
|---|---|---|
| Security Score | 20/100 (Grade F) | 95/100 (Grade A) |
| SQL Injections | 5 unpatched vulnerabilities | 0 (Fixed & Verified) |
| Hardcoded Secrets | 7 secrets in source code | 0 (Moved to environment variables) |
| XSS Vulnerabilities | 4 unpatched flows | 0 (Fixed) |
| Command Injections | 3 critical sinks exposed | 0 (Sanitized) |
| Path Traversal Risks | 2 local file vulnerabilities | 0 (Fixed) |
| Developer Peace of Mind | Sleepless nights | Sleep like a baby 😴 |
How FivoSense Compares
Why security researchers and developers prefer FivoSense over traditional cloud scanners or simple ChatGPT prompts.
| Feature / Metric | ChatGPT Security Prompts | Traditional Cloud Scanners | FivoSense |
|---|---|---|---|
| Approach | Reads code as raw text, guesses patterns | Heavy cloud-based static scanning | Local deep-code understanding |
| Results | "Might be vulnerable..." | 500 warnings (400 false positives) | "IS vulnerable, exact line number" |
| Verification | None | Partial documentation | Exact line + exploit proof |
| Proof of Concept | None | None | Generates working PoC exploit |
| Scanning Speed | Copy-paste 1 file at a time | Several minutes per branch scan | 100 files in under 15 seconds |
| Code Privacy | Uploads source code to OpenAI/Anthropic | Transmits code to scanner cloud platforms | 100% Local (Never leaves machine) |
| Costs | $20/month subscription | $25 - $100/month per seat | Free & Open-Source (MIT) |
What FivoSense Detects
433 security patterns across 20 distinct categories checked on every keystroke.
SQL Injection
Prevents attackers from bypassing query syntax parameters to read or modify your database tables.
Critical SeverityCommand Injection
Blocks dangerous system shells from executing untrusted input arguments from user requests.
Critical SeverityHardcoded Secrets
Scans code for leaked OpenAI keys, AWS access tokens, PostgreSQL credentials, and Stripe tokens.
High SeverityPath Traversal
Identifies insecure filesystem functions allowing attackers to view files outside public folders.
High SeveritySSRF Attacks
Finds HTTP client calls that can be coerced to request resources from your secure internal VPC servers.
High SeverityPrototype Pollution
Finds object mutations where raw input arguments can compromise standard Node.js prototypes.
Critical Severity55+ Secret Types Scanned
Detects a wide variety of static credentials before they are pushed to GitHub:
- AI Providers: OpenAI keys (`sk-proj-...`), Anthropic API tokens
- Cloud Platforms: AWS IDs (`AKIA...`), Google Cloud service tokens, Firebase configs
- SaaS integrations: Stripe private keys, Shopify webhooks, Slack incoming tokens
- Database Connections: MongoDB, PostgreSQL connection URIs containing clear passwords
58+ Destructive Commands Blocked
Blocks queries or CLI runs attempting file system or database wipes:
- File Wipes: `rm -rf /`, `mkfs`, `shred` operations
- Database Purges: `DROP TABLE`, `TRUNCATE`, or `DELETE` queries missing conditional constraints
- Container Wipes: Docker container terminations or K8s namespace sweeps
- Privilege Escapes: `chmod 777` permissions and SUID sudoers overrides
Features Engineered for Modern Teams
Security shouldn't feel like a chore. We built tools developers actually want to use.
Roast Mode
Use `--roast` to get an direct, humorous analysis of your security flaws. Turn audit warnings into an entertaining team experience.
fivosense --roast src/api.js
Security Grading Badge
Verify your code grade (Grade A+ to F) on every local save. Show your compliance scores inside your repository README files.
fivosense --badge src/app.js
Git Pre-Push Gate
Installs as a pre-push Git hook. Automatically blocks commits containing active security vulnerabilities from reaching main branches.
# git push blocked on vulnerabilities
IDE Extension Integration
Highlight syntax errors and insecure lines directly inside VS Code, Cursor, or JetBrains editors as you type. Catch flaws long before review pipelines.
AI Agent MCP Server
Exposes a Model Context Protocol tool layer. Ask Claude Desktop or local LLM agents: "Is my workspace code secure?" to run scanning routines instantly.
Frequently Asked Questions
Find technical details about FivoSense scanner capabilities.
Is FivoSense really free?
Yes. FivoSense is fully open-source under the MIT license. There are no subscriptions, local account restrictions, or limits on local codebase scanning. Forever free.
Does it send my codebase details to any cloud servers?
No. FivoSense executes entirely on your workstation CPU. It runs zero background cloud synchronization, key uploads, or telemetry logs (unless you configure your own custom OpenAI endpoint to parse security suggestions).
Which languages are supported?
FivoSense supports JavaScript (`.js`, `.jsx`, `.mjs`) and TypeScript (`.ts`, `.tsx`). It analyzes code logic rather than simple text pattern matching.
What types of vulnerabilities does FivoSense detect?
SQL injection, XSS, command injection, path traversal, hardcoded secrets, authentication bypasses, insecure deserialization, and data exposure vulnerabilities. It also flags risky patterns in dependencies and configuration.
Can I use FivoSense in CI/CD pipelines?
Yes. FivoSense runs entirely locally with no external dependencies, making it ideal for GitHub Actions, GitLab CI, Jenkins, or any CI/CD system. Exit codes and machine-readable output support automated policy enforcement.
Is my code sent anywhere?
No. FivoSense is 100% local and offline. Your code never leaves your machine. No telemetry, no cloud scanning, no external APIs.
How does FivoSense handle false positives?
FivoSense learns code flow and context to minimize false positives. You can suppress findings with inline comments and configure severity levels per vulnerability type.
Can FivoSense run inside CI/CD pipelines?
Yes. FivoSense exits with standard code status `1` whenever security issues are found. It is designed to plug directly into GitHub Actions, GitLab CI, or local custom post-receive hooks.
Find vulnerabilities before hackers do.
Scan your repositories 100% locally with zero cloud dependencies.