yhlsec (npm package), latest version 1.0.1; 1 maintainer, 2 published versions, 2 weekly downloads.

yhlsec

CLI security checker for directories / single files / zip archives.

Requirements

  • Node.js >= 18

Install

npm i -g yhlsec

This installs the yhlsec command on your PATH.

Quick start

Scan current directory:

yhlsec

Scan a directory and write JSON report:

yhlsec ./dist --output report.json

Write HTML report:

yhlsec ./dist --output report.html

Scan a zip archive:

yhlsec ./archive.zip --output report.json

Scan a single file:

yhlsec ./src/app.js

Output formats

  • Stdout (when --output is omitted): --format text|json (default: text)
  • File output (when --output is set):
    • .html / .htm -> HTML
    • .json -> JSON
    • other extensions -> JSON

CI / exit codes

  • Exit code 0: the scan completed and the highest finding severity stayed below the fail threshold
  • Exit code 2: the highest finding severity met or exceeded the threshold set with --fail-on (or --ci-fail-on-high)

Examples:

yhlsec ./src --ci-fail-on-high
yhlsec ./src --fail-on medium

The first command exits 2 when any finding is high severity or above; the second lowers the threshold so medium findings also fail the build.

Configuration

Config file names:

  • .yhlsec.json
  • yhlsec.config.json

Resolution order:

  • --config <path> if provided
  • search upwards from the target directory
  • search upwards from current working directory

Generate a full example config:

yhlsec init-config

Write to a custom path:

yhlsec init-config -w yhlsec.config.json

What it checks

  • Built-in rules (glob / regex / string / meta)
  • External engines (configurable):
    • @ziul285/gitleaks (secret scanning)
    • npm audit (dependency vulnerabilities)
    • OSV API (dependency vulnerabilities)
    • retire (vulnerable JS libraries)
    The npm audit and OSV checks query remote vulnerability databases, so they need network access from the scanning host.
  • Risk package denylist (matched against the packages recorded in lockfiles)
  • Zip Slip risk (archive entry names that would write outside the extraction directory: absolute paths or ".." traversal)

Package last updated on 16 Apr 2026
