Stop leaks. Block attacks. Ship safe.

Acrionix Shield™ is a zero-dependency CLI that scans your entire stack for vulnerabilities, leaked secrets, compromised packages, and insecure configurations. 9 scanners. 7 languages. One command.

Built in response to the Anthropic/Claude Code source leak and the axios supply chain attack of March 2026. Supports JavaScript, Python, Java, C#, Ruby, Go, Docker, and Git.

$ npx acrionix-shield check
Terminal — acrionix-shield check --ci

[1/9] Scanning for source leaks...
[2/9] Scanning npm dependencies...
[3/9] Scanning Python dependencies...
[4/9] Scanning Java/Maven/Gradle dependencies...
[5/9] Scanning .NET/C# dependencies...
[6/9] Scanning Ruby dependencies...
[7/9] Scanning Go modules...
[8/9] Scanning Docker configuration...
[9/9] Scanning git history for secrets...

━━━ SOURCE LEAK SCAN ━━━━━━━━━━━━━━━━━━

🚨 CRITICAL (2 findings)
├─ Source map file
File: dist/bundle.js.map
Fix: Remove before publishing or add to .npmignore
├─ Anthropic API key
File: src/config.js:14
Match: sk-ant-abc1***ef12
Fix: Remove and rotate this key immediately

━━━ NPM SUPPLY CHAIN ━━━━━━━━━━━━━━━━━

🚨 CRITICAL (1 finding)
├─ Compromised package — credential harvesting
Package: axios@1.14.1
Advisory: Malicious versions published March 31 2026
Fix: URGENT: Update axios immediately

━━━ JAVA / MAVEN / GRADLE ━━━━━━━━━━━━━━

🚨 CRITICAL (1 finding)
├─ Remote code execution via JNDI lookup injection
Package: org.apache.logging.log4j:log4j-core@2.14.1
Advisory: CVE-2021-44228 (Log4Shell)
Fix: URGENT: Update log4j-core to 2.21+

━━━ DOCKER SECURITY ━━━━━━━━━━━━━━━━━━

🔴 HIGH (1 finding)
├─ No non-root USER — container runs as root
File: Dockerfile
Fix: Add USER instruction with a non-root user

⚠️ Found 5 issue(s) across 4 ecosystems. Review before deploying.

9 scanners. Every major ecosystem.

Auto-detects your stack and runs only what's relevant.

Source Leak Scanner

Catches .map files, .env secrets, 30+ API key patterns (AWS, GitHub, OpenAI, Anthropic, Stripe, Slack), cloud storage URLs, and internal paths.

JavaScript / npm

26+ compromised npm packages (axios, event-stream, ua-parser-js, coa, rc), typosquat detection, suspicious registries. Supports package-lock, yarn.lock, pnpm-lock.

Python / PyPI

Compromised PyPI packages (ctx, requessts, colourfool), typosquats of requests, django, numpy, flask. Scans requirements.txt, Pipfile.lock, poetry.lock.

Java / Maven / Gradle

Log4Shell (CVE-2021-44228), Spring4Shell, Struts2 RCE (Equifax breach), jackson-databind deserialization, fastjson. Scans pom.xml and build.gradle.

C# / .NET / NuGet

Newtonsoft.Json, log4net XXE, System.Net.Http credential leak, insecure NuGet sources. Scans .csproj, .fsproj, .vbproj, and packages.config.

Ruby / RubyGems

Hijacked rest-client, bootstrap-sass backdoor, strong_password, typosquats of rails, devise, sidekiq. Scans Gemfile and Gemfile.lock.

Go Modules

Deprecated jwt-go, vulnerable x/net (HTTP/2 Rapid Reset), x/text, x/crypto, gogo/protobuf, local replace directives. Scans go.mod and go.sum.

Docker Security

Unpinned base images, running as root, privileged mode, exposed SSH/FTP, hardcoded secrets, .env copied into images, insecure curl/wget. Scans Dockerfile and docker-compose.

Git Secrets

30+ secret patterns in git history: AWS keys, GitHub tokens, Stripe keys, database connection strings, JWTs, Google API keys. Checks .gitignore coverage.

Zero Dependencies

Built with only Node.js built-ins. A security tool should not itself be vulnerable to supply chain attacks.

CI/CD Ready

One flag (--ci) to integrate into GitHub Actions, Jenkins, GitLab CI, or Azure DevOps. Fails the build on findings.

Fully Configurable

Custom rules, ignore patterns, private advisory feeds, and severity thresholds via .shieldrc.json. Make it yours.

Simple, transparent pricing

Start free. Scale when you need to.

Open Source
Free
For individual developers and open source projects
  • All 9 scanners (JS, Python, Java, C#, Ruby, Go, Docker, Git, Leaks)
  • Source leak detection (30+ secret patterns)
  • Supply chain scanning (all ecosystems)
  • Typosquat detection
  • Docker security checks
  • Git history secret scanning
  • JSON output for automation
  • CI mode (--ci exit code 1)
  • Custom rules via .shieldrc.json
  • Community support (GitHub Issues)
npx acrionix-shield check
Enterprise
$199/mo org-wide
For organizations that need compliance, control, and custom rules
  • Everything in Pro, plus:
  • Unlimited repos & seats
  • Custom rules engine (write your own checks)
  • Private advisory feed (internal packages)
  • SBOM generation (CycloneDX, SPDX)
  • Compliance reports (SOC2, ISO 27001)
  • License compliance scanning
  • SSO / SAML integration
  • Dedicated Slack channel
  • SLA with 4-hour response time
Zero dependencies. 9 scanners. 7 languages. 56 tests. One command.
npx acrionix-shield check