A powerful, modular terminal-focused website security scanner built with Node.js. Perform comprehensive security audits of websites through an interactive CLI interface with clean progress indicators and detailed reporting.
In today's digital landscape, web security is paramount. SentinelScan helps developers, security professionals, and website owners quickly identify common security vulnerabilities and misconfigurations. Unlike complex enterprise tools, SentinelScan is:
- Free and Open Source: No licensing fees or subscriptions
- Easy to Use: Simple CLI interface with interactive prompts
- Comprehensive: Covers 20 critical security checks
- Modular: Easily extensible with new security checks
- Fast: Runs checks sequentially with progress indicators
- Multiple Outputs: Generate reports in PDF, CSV, or JSON formats
- Privacy-Focused: Runs locally, no data sent to external servers
- Certificate validity and expiry date
- Issuer and subject information
- Detects expired or invalid certificates
- Content Security Policy (CSP)
- HTTP Strict Transport Security (HSTS)
- X-Frame-Options (clickjacking protection)
- X-Content-Type-Options (MIME sniffing protection)
- Referrer-Policy
- Permissions-Policy
- Tests allowed HTTP methods (GET, POST, PUT, DELETE, PATCH, OPTIONS)
- Identifies overly permissive configurations
- Scans for HTTP resources loaded on HTTPS pages
- Critical for maintaining secure connections
- Checks for robots.txt file
- Verifies sitemap.xml availability
- Important for SEO and crawler management
- Secure flag presence
- HttpOnly flag presence
- SameSite attribute configuration
- Provides ratios for each flag
- Basic reflected XSS vulnerability detection
- Tests for script injection via query parameters
- Tests for open redirect vulnerabilities
- Attempts parameter-based redirects to malicious domains
- Checks Cross-Origin Resource Sharing headers
- Detects overly permissive CORS policies that could lead to data theft
- Analyzes Server header for information leakage
- Identifies web server software and version disclosure
- Tests common directories for directory listing enabled
- Checks for exposed sensitive directories like /admin/, /backup/
- Tests for basic SQL injection vulnerabilities
- Injects common SQL payloads and checks for error responses
- Identifies potential database vulnerabilities
- Analyzes HTML forms for CSRF token presence
- Checks state-changing forms (POST, PUT, DELETE) for token protection
- Identifies forms vulnerable to Cross-Site Request Forgery
- Evaluates SSL/TLS cipher suite strength
- Checks for weak or deprecated ciphers
- Validates protocol version security
- Checks for DNSSEC implementation
- Validates CAA (Certificate Authority Authorization) records
- Tests SPF and DKIM record presence for email security
- Analyzes login forms for security weaknesses
- Checks for proper POST method usage
- Identifies missing username fields and insecure configurations
- Tests for X-Frame-Options header protection
- Checks CSP frame-ancestors directive
- Detects JavaScript frame-busting code
- Examines session cookies for security flags
- Checks for Secure, HttpOnly, and SameSite attributes
- Identifies overly long session expirations
- Scans for file upload forms and configurations
- Checks for proper enctype and method usage
- Tests for dangerous file type restrictions
- Makes 15 sequential requests with realistic delays (200ms between requests)
- Detects rate limiting, throttling, and progressive blocking mechanisms
- Analyzes response patterns and timing to identify security controls
- Checks for rate limiting headers (X-RateLimit-*) and Retry-After
- Identifies vulnerabilities to brute force attacks, DoS attacks, and API abuse
- Provides detailed response pattern analysis (first 5 vs last 5 requests)
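As an added example (not SentinelScan's own code), the following models the response-pattern analysis described for the rate limiting check: it takes an already captured sequence of 15 responses and compares the first 5 with the last 5, collects `X-RateLimit-*` and `Retry-After` headers, and notes when the server began blocking. The response objects, their `status`/`ms`/`headers` shape and the result field names are constructed for this illustration; a real check would gather the responses itself with the 200 ms spacing the README describes.

```javascript
// Added example, not SentinelScan's own code: offline analysis of a captured
// response sequence, modelled on the rate-limiting check described above.
// The responses below are constructed; the real check would gather them from
// 15 sequential requests spaced 200 ms apart.

// Constructed sample: 10 normal answers, then the server starts throttling
// with 429, a Retry-After header and an exhausted X-RateLimit-Remaining.
const SAMPLE_THROTTLED = Array.from({ length: 15 }, (_, i) =>
  i < 10
    ? { status: 200, ms: 120 + i * 5,
        headers: { 'X-RateLimit-Limit': '10', 'X-RateLimit-Remaining': String(9 - i) } }
    : { status: 429, ms: 35,
        headers: { 'Retry-After': '2', 'X-RateLimit-Limit': '10', 'X-RateLimit-Remaining': '0' } }
);

// Constructed sample: no rate limiting at all, every request answered alike.
const SAMPLE_UNLIMITED = Array.from({ length: 15 }, () => ({ status: 200, ms: 120, headers: {} }));

// Status-code histogram and mean latency for a batch of responses.
function summarize(batch) {
  const statuses = {};
  for (const r of batch) statuses[r.status] = (statuses[r.status] || 0) + 1;
  const avgMs = Math.round(batch.reduce((sum, r) => sum + r.ms, 0) / batch.length);
  return { statuses, avgMs };
}

// Compare the first 5 and last 5 responses, collect rate-limit headers and
// record when (if ever) the server started blocking.
function analyzeRateLimiting(responses) {
  const firstFive = summarize(responses.slice(0, 5));
  const lastFive = summarize(responses.slice(-5));
  const headersSeen = new Set();
  let blockedAfter = null; // number of requests answered before the first block

  responses.forEach((r, i) => {
    for (const name of Object.keys(r.headers)) {
      const lower = name.toLowerCase();
      if (lower.startsWith('x-ratelimit-') || lower === 'retry-after') headersSeen.add(lower);
    }
    if (blockedAfter === null && (r.status === 429 || r.status === 503)) blockedAfter = i;
  });

  // A large latency increase without explicit blocking suggests progressive throttling.
  const progressiveSlowdown = lastFive.avgMs > firstFive.avgMs * 2;
  const rateLimitDetected = blockedAfter !== null || headersSeen.size > 0 || progressiveSlowdown;

  return {
    status: rateLimitDetected ? 'passed' : 'warning',
    rateLimitDetected,
    blockedAfterRequests: blockedAfter,
    rateLimitHeaders: [...headersSeen].sort(),
    progressiveSlowdown,
    firstFive,
    lastFive,
    details: rateLimitDetected
      ? `Rate limiting observed (blocked after ${blockedAfter === null ? 'n/a' : blockedAfter} requests; headers: ${[...headersSeen].join(', ') || 'none'})`
      : 'No rate limiting observed across 15 requests; endpoint may be exposed to brute force or API abuse',
  };
}
```

Running `analyzeRateLimiting(SAMPLE_THROTTLED)` reports blocking after 10 requests with all three headers seen, while `SAMPLE_UNLIMITED` yields a `warning` because nothing in the 15 responses indicates a control. Keeping the analysis separate from the request loop is what makes the logic testable without touching a live server.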
- Node.js 14+ and npm
- Windows, macOS, or Linux
```bash
git clone <repository-url>
cd sentinelscan
npm install
```

```bash
npm start
# or
node src/cli.js
```

Follow the interactive prompts:
- Enter website URL (e.g., `https://example.com`)
- Select security checks using spacebar and arrow keys
- Choose output format (PDF/CSV/JSON)
- Specify output directory (defaults to `./reports`)
```bash
node src/cli.js <url> <checks> <format> <outputDir>
```

Options:
- `--help`, `-h`: Show help message with usage instructions
- `--no-banner`: Hide the SentinelScan banner
- `--bulk-file <file>`: Scan multiple URLs from a file (one URL per line)

```bash
# Show help
node src/cli.js --help

# Full scan with all checks
node src/cli.js https://example.com tls,headers,methods,mixedContent,robots,cookies,xss,openRedirect,cors,serverInfo,directoryListing,sqlInjection,csrf,sslCipher,dnsSecurity,brokenAuth,clickjacking,sessionManagement,fileUpload,rateLimiting JSON ./reports

# Quick SSL check only
node src/cli.js https://github.com tls JSON ./reports

# Security headers audit
node src/cli.js https://example.com headers PDF ./reports

# Bulk scanning multiple URLs
node src/cli.js --bulk-file urls.txt tls,headers JSON ./reports

# Hide banner for scripts
node src/cli.js --no-banner https://example.com all JSON ./reports
```

SentinelScan includes streamlined AI analysis powered by the Groq API, providing focused, actionable security insights.
- Concise Security Summary: Brief, clear assessment of overall security posture
- Smart Rating System: A-F grade based on vulnerability severity and risk
- Color-Coded Risk Indicators: Visual severity indicators (🟢 Low, 🟡 Medium, 🔴 High/Critical)
- Critical Issues Highlighting: Focus on the most important security problems
- Actionable Recommendations: 3 key steps to improve security
- Immediate Action Items: Urgent tasks to complete within 24 hours
- Interactive AI Chat: Ask detailed questions about scan results
- Security Rating: A-F grade with severity score (0-100)
- Risk Level: Critical/High/Medium/Low overall assessment with color indicators (🟢 Low, 🟡 Medium, 🔴 High/Critical)
- Key Recommendations: 3 prioritized improvement actions
- Critical Issues: Most important vulnerabilities found
- Immediate Actions: Urgent 24-hour remediation tasks
- Get a Groq API key from groq.com
- Create a `.env` file in the project root:

```
GROQ_API_KEY=your_api_key_here
GROQ_MODEL=llama-3.3-70b-versatile
```

- Install dependencies:

```bash
npm install
```
After each scan, you'll be prompted to chat with AI about the results. You can also analyze existing reports:
```bash
# Analyze existing scan report
npm start --ai-analyze reports/security-scan-2025-10-28.json

# Or use the script
npm run ai-chat reports/security-scan-2025-10-28.json
```

Ask questions like:
- "What are the most critical vulnerabilities?"
- "How do I fix the XSS vulnerability?"
- "What's the overall security rating?"
- "What should I do immediately?"
- "Can you explain the severity score?"
The AI provides concise, actionable responses (2-3 sentences max) focused on the most important insights.
```
sentinelscan/
├── src/
│   ├── cli.js                  # Entry point with banner
│   ├── scanner.js              # Main scanner logic
│   ├── checks/                 # Modular security checks
│   │   ├── tls.js              # SSL/TLS validation
│   │   ├── headers.js          # Security headers
│   │   ├── methods.js          # HTTP methods
│   │   ├── mixedContent.js     # Mixed content detection
│   │   ├── robots.js           # Robots.txt & sitemap
│   │   ├── cookies.js          # Cookie security
│   │   ├── xss.js              # XSS testing
│   │   ├── openRedirect.js     # Open redirect testing
│   │   ├── cors.js             # CORS misconfiguration
│   │   ├── serverInfo.js       # Server info disclosure
│   │   ├── directoryListing.js # Directory listing vuln
│   │   ├── sqlInjection.js     # SQL injection testing
│   │   ├── csrf.js             # CSRF token validation
│   │   ├── sslCipher.js        # SSL cipher analysis
│   │   ├── dnsSecurity.js      # DNS security checks
│   │   ├── brokenAuth.js       # Broken authentication detection
│   │   ├── clickjacking.js     # Clickjacking vulnerability test
│   │   ├── sessionManagement.js # Session management analysis
│   │   ├── fileUpload.js       # File upload vulnerabilities
│   │   └── rateLimiting.js     # Rate limiting assessment
│   └── utils/
│       ├── fetchPage.js        # HTTP request utilities
│       ├── reportGenerator.js  # Report generation
│       ├── aiSummary.js        # AI analysis integration
│       └── aiChat.js           # Interactive AI chat functionality
├── reports/                    # Default output directory
├── package.json                # Dependencies and scripts
└── README.md                   # This file
```
The scanner is designed to be easily extensible. To add a new check:
- Create a new file in `src/checks/`
- Export an async `check(url)` function
- Return a result object with relevant data
- Add the check to the `checks` array in `scanner.js`

Example:

```javascript
// src/checks/newCheck.js
async function check(url) {
  try {
    // Your security check logic here
    return {
      status: 'passed',
      details: 'Additional information',
    };
  } catch (error) {
    throw new Error(`New check failed: ${error.message}`);
  }
}

module.exports = { check };
```

The scanner includes comprehensive error handling for:
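As an added example that is not part of SentinelScan, here is a complete check module written to the contract above (an async `check(url)` that returns a result object), implementing the cookie security check the README lists: Secure, HttpOnly and SameSite presence with a ratio per flag. The `Set-Cookie` parsing is a pure function so it can be exercised on constructed headers without a network; `check` accepts an optional `fetchImpl` argument (an assumption of this example, expected to resolve to an object whose `headers` either offers `getSetCookie()` like Node's global `fetch` or carries a plain `'set-cookie'` array), and the result field names beyond `status` and `details` are this example's own.

```javascript
// Added example, not SentinelScan's own code: a cookie-security check module
// in the shape the README describes. Requires Node 18+ for the default
// global fetch (assumption; the README itself only states Node 14+).

// Parse one Set-Cookie header value into the flags the check cares about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = (value || '').trim().toLowerCase(); break;
      default: break; // Path, Domain, Expires, Max-Age are not scored here
    }
  }
  return cookie;
}

// Score a list of Set-Cookie values: per-flag ratios plus per-cookie findings.
function analyzeCookies(setCookieHeaders) {
  const cookies = setCookieHeaders.map(parseSetCookie);
  const total = cookies.length;
  const ratio = (pred) => (total === 0 ? null : Number((cookies.filter(pred).length / total).toFixed(2)));
  // SameSite=None gives no CSRF protection, so only Strict and Lax count as set.
  const sameSiteOk = (c) => c.sameSite === 'strict' || c.sameSite === 'lax';

  const findings = [];
  for (const c of cookies) {
    if (!c.secure) findings.push(`${c.name}: missing Secure flag`);
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly flag`);
    if (!sameSiteOk(c)) findings.push(`${c.name}: SameSite is ${c.sameSite || 'not set'}`);
  }

  return {
    status: total === 0 ? 'info' : findings.length === 0 ? 'passed' : 'warning',
    cookieCount: total,
    ratios: {
      secure: ratio((c) => c.secure),
      httpOnly: ratio((c) => c.httpOnly),
      sameSite: ratio(sameSiteOk),
    },
    findings,
    details: total === 0
      ? 'No cookies set by the response'
      : `${findings.length} issue(s) across ${total} cookie(s)`,
  };
}

// The module's entry point, following the README's check(url) contract.
// fetchImpl is an assumed injection point so the module can be tested offline.
async function check(url, fetchImpl = globalThis.fetch) {
  try {
    const response = await fetchImpl(url);
    const headers = typeof response.headers.getSetCookie === 'function'
      ? response.headers.getSetCookie()            // Node's Headers object
      : response.headers['set-cookie'] || [];      // plain header map
    return analyzeCookies(headers);
  } catch (error) {
    throw new Error(`Cookie check failed: ${error.message}`);
  }
}

// Constructed sample Set-Cookie values, as a server might send them.
const SAMPLE_SET_COOKIE = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'tracking=xyz; Path=/; SameSite=None; Secure',
  'prefs=dark; Path=/',
];

if (typeof module !== 'undefined') module.exports = { check, analyzeCookies, parseSetCookie };
```

On the constructed sample, `analyzeCookies(SAMPLE_SET_COOKIE)` reports 3 cookies with a Secure ratio of 0.67 and HttpOnly and SameSite ratios of 0.33, and five findings, all against `tracking` and `prefs`; wired into `scanner.js` the same numbers would appear in the generated report.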
- Invalid URLs
- Network timeouts (10-second timeout)
- Server errors (4xx/5xx responses)
- SSL/TLS connection issues
- File system errors
All errors are caught and reported in the results, ensuring the scanner completes all possible checks.
- Sequential Execution: Checks run one after another to avoid overwhelming target servers
- Timeouts: 5-10 second timeouts prevent hanging
- Lightweight: Minimal dependencies, fast startup
- Memory Efficient: Processes one check at a time
- Ethical Use: Only scan websites you own or have permission to test
- Rate Limiting: Built-in delays prevent overwhelming servers
- No Data Storage: Results are only saved locally
- Safe Testing: XSS and redirect tests use harmless payloads
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Ensure all checks pass
- Submit a pull request
```bash
npm install
npm test       # Run tests (if implemented)
npm run lint   # Check code style
```

MIT License - see LICENSE file for details.
- Built with Node.js
- Uses Inquirer.js for CLI prompts
- PDF generation with PDFKit
- HTTP requests with Axios
If you encounter issues or have questions:
- Check the Issues page
- Create a new issue with detailed information
- Include your Node.js version and OS
Happy Scanning! Keep your websites secure and your users safe with SentinelScan.