Open source · Free tier available

Security for
AI-era builders

Privacy-first scanning that runs locally. Plain-language findings with AI-generated fix prompts. Your code never leaves your machine.

Terminal — bastion scan
$ npx bastion-scan scan
 
Bastion Security Scanner v0.1.0
Scanning /home/user/notchwise-app...
Stack detected: Next.js + Supabase + Clerk
 
✓ .gitignore — sensitive patterns excluded
✓ No hardcoded secrets found
⚠ npm audit — 2 moderate vulnerabilities
✓ .env.example — safe placeholders
✕ Missing Content-Security-Policy header
✕ Missing Strict-Transport-Security header
✓ CORS — restrictive policy detected
✓ Rate limiting — express-rate-limit
✓ Auth provider — Clerk
 
Score: 78/100 ●●●●●●●●○○
9 passed · 2 failed · 1 warning
100% Open Source · Zero Data Uploaded · 759 Tests · MIT License · Self-scan: 100/100

You ship fast.
But is your code secure?

AI tools help you build in hours, not months. But they routinely ship hardcoded secrets, missing headers, and injection vectors. Enterprise scanners cost £300+/mo. Nobody teaches the basics.

80% of cyber incidents target web apps (Verizon DBIR 2024)

43% of attacks target small businesses (Accenture Cybersecurity Report)

$4.88M average cost of a data breach (IBM Cost of a Data Breach 2024)

62% cite cost as a barrier to security testing (Ponemon Institute 2023)

40% more vulnerabilities in AI-generated code (Stanford University 2023)

197 days average time to detect a breach (IBM Cost of a Data Breach 2024)

Three steps to ship secure

No accounts. No configuration. No cloud dependency.

1. Install

One command. Nothing to configure. Works with any Node.js project.

npx bastion-scan scan

2. Scan

12 checks run in seconds — secrets, headers, SSL, CORS, dependencies, code patterns.

Score: 78/100

3. Fix

AI-generated prompts tailored to your exact stack. Paste into Claude or ChatGPT.

All checks passing

What we check

12 automated checks covering the most common security gaps in web applications.

bastion scan — configuration
Checking configuration...
✓ .gitignore — 14 patterns, sensitive files excluded
⚠ .env.example missing
    Collaborators won't know which variables are required
Scanning for secrets...
✕ Hardcoded OpenAI API key detected
    src/lib/openai.ts:8
    const key = "sk-proj-aBcD..."
✓ No AWS credentials found
Checking security headers...
✕ Missing Content-Security-Policy
✕ Missing Strict-Transport-Security
✓ X-Frame-Options: DENY
✓ X-Content-Type-Options: nosniff
Checking transport security...
✓ SSL certificate valid — expires 2027-03-15
✓ TLS 1.3 supported
✓ HTTPS redirect active
Analyzing code patterns...
✕ SQL string concatenation detected
    src/api/users.ts:23
    db.query(`SELECT * FROM users WHERE id = ${id}`)
✓ No eval() usage found
Running npm audit...
⚠ vite@5.0.0 — Path Traversal (moderate)
    CVE-2024-23331 · fix: upgrade to >=5.0.5
⚠ postcss@8.4.0 — Line Return Parsing (moderate)
✓ No critical vulnerabilities
Checking CORS policy...
✕ cors() called with no configuration
    src/app.ts:12 — defaults to Access-Control-Allow-Origin: *
✕ Credentials exposed with wildcard origin
Checking rate limiting...
⚠ No rate limiting middleware detected
    API routes at /api/* are unprotected
    Recommend: express-rate-limit or @upstash/ratelimit
Checking authentication...
⚠ No authentication provider detected
    No Clerk, Auth0, NextAuth, or Supabase Auth found
    API routes may be publicly accessible

Configuration

Validates .gitignore patterns and .env file setup to prevent accidental secret exposure.

  • .gitignore coverage
  • .env.example validation
  • Sensitive file detection

Suggested fix

Create a .env.example file listing every required environment variable with placeholder values.
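A minimal version of this configuration check, as an added example that is not Bastion's own code: it reports sensitive files that no .gitignore rule covers and compares .env against .env.example. The sensitive-file list and the placeholder heuristic are assumptions for the example, and the sample files are constructed.

```javascript
const SENSITIVE_PATTERNS = [".env", ".env.local", "*.pem", "*.key"]; // assumed list

// Non-empty, non-comment rules from .gitignore text.
function parseGitignore(text) {
  return text.split(/\r?\n/).map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
}

// Gitignore-style glob to RegExp; only '*' is handled, which is enough for the list above.
function globToRegExp(glob) {
  const escaped = glob.replace(/\/$/, "").replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Sensitive patterns that no .gitignore rule covers (a ".env" rule does not cover ".env.local").
function uncoveredSensitivePatterns(gitignoreText) {
  const rules = parseGitignore(gitignoreText);
  return SENSITIVE_PATTERNS.filter((p) => !rules.some((r) => globToRegExp(r).test(p)));
}

// dotenv-style text -> Map of KEY -> value, surrounding quotes stripped.
function parseDotenv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq === -1) continue;
    vars.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2"));
  }
  return vars;
}

// Assumed heuristic: empty, <angle-bracketed> or "your-..." values count as placeholders.
function isPlaceholder(value) {
  return value === "" || /^<.*>$/.test(value) || /^your[-_]/i.test(value);
}

// Keys present in .env but absent from .env.example, plus example values that look like real secrets.
function validateEnvExample(envText, exampleText) {
  const env = parseDotenv(envText);
  const example = parseDotenv(exampleText);
  return {
    missing: [...env.keys()].filter((k) => !example.has(k)),
    leaked: [...example].filter(([, v]) => !isPlaceholder(v)).map(([k]) => k),
  };
}

// Constructed sample files; every value is fake.
const SAMPLE_GITIGNORE = "node_modules/\n.env\n# keys\n*.pem\n";
const SAMPLE_ENV = "DATABASE_URL=postgres://app:pw@db/app\nOPENAI_API_KEY=sk-proj-FAKE\nSESSION_SECRET=abc123\n";
const SAMPLE_ENV_EXAMPLE = 'DATABASE_URL=<your database url>\nOPENAI_API_KEY="sk-proj-FAKE"\n';
```

Running `uncoveredSensitivePatterns(SAMPLE_GITIGNORE)` flags `.env.local` and `*.key`, and `validateEnvExample` reports `SESSION_SECRET` as undocumented and `OPENAI_API_KEY` as a real-looking value copied into the example file.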

Real results

We scanned 3 real projects. Every one improved after following Bastion's recommendations.

NotchWise

38/100

SaaS app — added security headers, fixed exposed .env, patched 3 dependency CVEs.

Lovable-Eject

0/100

AI-generated codebase — removed hardcoded keys, added rate limiting and CORS policy.

Bastion

0/100

Our own codebase — we eat our own cooking. Self-scan passes all 12 checks.

Simple, fair pricing

Start free. Upgrade when you need more.

Free

£0

For hobby projects and learning

  • 5 security checks
  • 1 scan per day
  • OWASP education
  • Security score
  • AI fix prompts
  • CI/CD integration
  • Compliance reports

Pro (Most Popular)

£4/mo

For indie builders shipping real products

  • All 12 checks
  • Unlimited scans
  • OWASP education
  • Security score & badge
  • AI fix prompts
  • GitHub Action
  • Compliance reports

Team

£15/mo

For small teams with compliance needs

  • All 12 checks
  • Unlimited scans
  • OWASP education
  • Security score & badge
  • AI fix prompts
  • GitHub Action
  • Compliance reports & CVE alerts

Your code never leaves your machine

Inspect every line. The Bastion CLI is free, open source, and runs entirely on your machine. No telemetry. No uploads. No cloud dependency.

npm provenance · 759 tests · MIT License · Self-scan: 100/100