190+ rules. One tool.
Zero blind spots.

Milens scans your codebase for secrets, injections, hidden unicode, dangerous patterns, and more — all in a single security_scan() call. OWASP Top 10 mapped.

190+ Built-in Rules
10 OWASP Categories
9 Risk Surfaces
Offline CVE Database

Scan everything. See everything.

A single command replaces multiple manual greps and hours of code review. Every finding includes the exact line and a fix suggestion.

terminal ~ security scan
$ milens security scan --scope all --severity HIGH

Scanning 1,240 files with 50 active rules...

CRITICAL SEC-001 src/config.ts:15    password = 'admin123'
↳ Fix: Move to environment variable: process.env.DB_PASSWORD
↳ OWASP: A02:2021 Cryptographic Failures

HIGH     SEC-011 src/routes/admin.ts:42    eval(userInput)
↳ Fix: Replace eval() with a safe parser
↳ OWASP: A03:2021 Injection

HIGH     SEC-005 src/payment.ts:8    sk_live_51H9x...
↳ Fix: Use environment variable: process.env.STRIPE_KEY
↳ OWASP: A02:2021 Cryptographic Failures

PASS — No zero-width characters detected
PASS — No bidi override attacks detected
PASS — All dependencies up to date

Security Score: 78/100    (report saved)

What Milens catches.

Nine risk surfaces. Every scan runs every built-in rule; no configuration required.

🔑 Secrets (10 rules)
AWS keys, GitHub tokens, OpenAI API keys, private keys, hardcoded passwords, Stripe keys, Slack webhooks, JWT secrets, database credentials, certificate files

💉 Injection (9 rules)
SQL injection, XSS, command injection, eval(), exec(), dangerouslySetInnerHTML, document.write(), innerHTML assignment, template injection

👻 Hidden Unicode (4 rules)
Zero-width characters, bidi override attacks (U+202E), homoglyph attacks, invisible character injection in identifiers and strings

⚠️ Dangerous (7 rules)
os.system(), subprocess with shell=True, unsafe deserialization (pickle, yaml.load without SafeLoader), spawning a shell, arbitrary code execution, disabling security warnings

⚙️ Config (5 rules)
CORS wildcards (Access-Control-Allow-Origin: *), insecure cookies (missing HttpOnly/Secure), debug mode enabled in production, --skip-permissions, exposed .env files

📤 Data Leak (5 rules)
console.log with secrets, hardcoded URLs with embedded credentials, debug output in production, stack traces exposed, sensitive data in error messages

🔐 Crypto (4 rules)
MD5 hashing, SHA-1 hashing, Math.random() used for cryptographic purposes, hardcoded salt, weak key generation, ECB mode encryption

👤 Auth (4 rules)
Non-constant-time string comparison of tokens (timing leak), missing auth middleware, JWT with no expiry, hardcoded session secrets, weak password validation

📁 File Access (2 rules)
Path traversal (../ sequences in user-supplied paths), unsafe file reads (fs.readFile with user input), directory listing enabled, ZIP slip (archive entries escaping the extraction directory)
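The nine surfaces above are, at heart, pattern rules run line by line over source. The following is an added illustration, not Milens code: the rule IDs, severities, fix text and the sample source are all constructed here. It implements one rule from several of the surfaces (an AWS access-key and a private-key pattern for Secrets, eval() for Injection, subprocess with shell=True for Dangerous, MD5/SHA-1 for Crypto) plus the three Hidden Unicode checks: zero-width characters, bidi control characters, and identifiers that mix Latin with Cyrillic or Greek letters, which is how homoglyph identifiers are detected without a lookalike table.

```python
import re
import unicodedata
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    severity: str
    owasp: str
    line: int
    snippet: str
    fix: str


# Rule IDs, severities and fix text are constructed for this example.
REGEX_RULES = [
    ("SECRET-AWS", "CRITICAL", "A02:2021",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "Remove and rotate the key; read it from the environment or a secret store"),
    ("SECRET-PRIVKEY", "CRITICAL", "A02:2021",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
     "Never commit private keys; keep them outside the repository"),
    ("INJ-EVAL", "HIGH", "A03:2021",
     re.compile(r"\beval\s*\("),
     "Replace eval() with a parser for the expected input format"),
    ("DANGER-SHELL", "HIGH", "A03:2021",
     re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
     "Pass an argument list and drop shell=True"),
    ("CRYPTO-WEAK-HASH", "MEDIUM", "A02:2021",
     re.compile(r"hashlib\.(?:md5|sha1)\s*\("),
     "Use SHA-256 or stronger; hash passwords with argon2, bcrypt or scrypt"),
]

# Characters that render as nothing (or reorder the text) and hide in identifiers.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
CONFUSABLE_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}
IDENT = re.compile(r"[^\W\d]\w*")   # Unicode-aware identifier token


def unicode_findings(lineno: int, line: str) -> list[Finding]:
    out = []
    if any(ch in ZERO_WIDTH for ch in line):
        out.append(Finding("UNI-ZERO-WIDTH", "HIGH", "unmapped", lineno, repr(line.strip()),
                           "Delete zero-width characters from identifiers and strings"))
    if any(ch in BIDI_CONTROLS for ch in line):
        out.append(Finding("UNI-BIDI", "HIGH", "unmapped", lineno, repr(line.strip()),
                           "Remove bidi control characters (Trojan Source, CVE-2021-42574)"))
    # Homoglyph check: an identifier whose letters come from more than one
    # confusable script (Latin 'a' next to Cyrillic 'а') is a lookalike, not a typo.
    for ident in IDENT.findall(line):
        scripts = {unicodedata.name(c, "").split(" ")[0] for c in ident if c.isalpha()}
        if len(scripts & CONFUSABLE_SCRIPTS) > 1:
            out.append(Finding("UNI-HOMOGLYPH", "HIGH", "unmapped", lineno, ident,
                               "Identifier mixes scripts; rewrite it in plain ASCII"))
    return out


def scan(source: str) -> list[Finding]:
    """Run every rule over every line; findings come back in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, severity, owasp, pattern, fix in REGEX_RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(rule, severity, owasp, lineno, match.group(0), fix))
        findings.extend(unicode_findings(lineno, line))
    return findings


# Constructed sample, one defect per line. The AWS key is the placeholder used
# in AWS's own documentation, not a live credential.
SAMPLE_SOURCE = "\n".join([
    "import hashlib, subprocess",
    "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'",
    "digest = hashlib.md5(data).hexdigest()",
    "subprocess.run(f'ls {user_dir}', shell=True)",
    "result = eval(user_input)",
    "acc\u0435ss_level = 'user'",                 # Cyrillic 'е' inside a Latin identifier
    "# reviewed \u202e 'admin' == role  # ok",    # right-to-left override reorders the comment
    "token = 'abc\u200bdef'",                      # zero-width space inside a string literal
])


def report(findings: list[Finding]) -> str:
    return "\n".join(
        f"{f.severity:<8} {f.rule:<16} line {f.line}: {f.snippet}\n  fix: {f.fix} ({f.owasp})"
        for f in findings
    )


if __name__ == "__main__":
    print(report(scan(SAMPLE_SOURCE)))
```

Running it on the sample reports seven findings, one per defective line; the two bare-ASCII lines produce none. The homoglyph rule is the one worth reading closely: it needs no list of lookalike glyphs, only the script prefix of each letter's Unicode name, so it also catches Greek-for-Latin substitutions the sample does not exercise.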

Your dependencies have CVEs. Find them.

Also checks your dependencies against a bundled database of 34 known CVEs spanning five ecosystems (npm, Python, Rust, Go, Java). Offline, so it needs no network access; fast; built-in.

terminal ~ dependency audit
$ milens security deps

Auditing 247 dependencies across 5 ecosystems...

HIGH   lodash 4.17.20      CVE-2021-23337 (Command Injection via _.template)
Fix: Upgrade to lodash@4.17.21+

HIGH   requests 2.27.1     CVE-2023-32681 (Proxy-Authorization header leak)
Fix: Upgrade to requests@2.31.0+

MEDIUM openssl 1.1.1t      CVE-2024-0727 (NULL dereference in PKCS12 parsing, Denial of Service)
Fix: OpenSSL 1.1.1 is end-of-life; upgrade to openssl@3.0.13+ (or 3.1.5+ / 3.2.1+)

PASS — 244 dependencies clean
Found 3 vulnerabilities across 247 packages
📦 npm 12 CVE checks
🐍 Python 8 CVE checks
🦀 Rust 5 CVE checks
🔷 Go 5 CVE checks
Java 4 CVE checks
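An offline dependency audit of this kind is a version-range lookup against a bundled advisory list. The following is an added example, not Milens code or its database format: an inline advisory table carrying the public affected ranges for three real CVEs (lodash CVE-2019-10744 fixed in 4.17.12, lodash CVE-2021-23337 fixed in 4.17.21, requests CVE-2023-32681 fixed in 2.31.0), a version parser that also orders OpenSSL-style letter suffixes such as 1.1.1t < 1.1.1u, and an audit over a constructed inventory standing in for a lockfile. The pre-release handling is deliberately omitted and called out in the docstring.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ecosystem: str
    package: str
    cve: str
    severity: str
    summary: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)


# Public advisory data for two packages; a real tool bundles a full database.
ADVISORIES = [
    Advisory("npm", "lodash", "CVE-2019-10744", "CRITICAL",
             "Prototype pollution via defaultsDeep", "0.0.0", "4.17.12"),
    Advisory("npm", "lodash", "CVE-2021-23337", "HIGH",
             "Command injection via _.template", "0.0.0", "4.17.21"),
    Advisory("pypi", "requests", "CVE-2023-32681", "MEDIUM",
             "Proxy-Authorization header leaked on HTTPS redirect through a proxy",
             "2.3.0", "2.31.0"),
]


@dataclass(frozen=True)
class Hit:
    ecosystem: str
    package: str
    version: str
    advisory: Advisory

    @property
    def fix(self) -> str:
        return f"Upgrade to {self.package}@{self.advisory.fixed}+"


_PIECE = re.compile(r"(\d*)(.*)")


def parse_version(version: str) -> tuple:
    """Split '4.17.21' or '1.1.1t' into comparable (number, suffix) pairs.

    Sufficient for release versions, including OpenSSL letter suffixes.
    Pre-release tags such as '-rc1' sort wrongly here and would need PEP 440
    or semver rules, which this example deliberately leaves out.
    """
    parts = []
    for piece in version.lstrip("v").split("."):
        num, suffix = _PIECE.match(piece).groups()
        parts.append((int(num) if num else 0, suffix))
    return tuple(parts)


def _pad(v: tuple, width: int) -> tuple:
    # Make '2.3' compare equal to '2.3.0'.
    return v + ((0, ""),) * (width - len(v))


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed."""
    v, lo, hi = parse_version(version), parse_version(adv.introduced), parse_version(adv.fixed)
    width = max(len(v), len(lo), len(hi))
    return _pad(lo, width) <= _pad(v, width) < _pad(hi, width)


def audit(inventory: list[tuple[str, str, str]]) -> list[Hit]:
    """inventory entries are (ecosystem, package, version), as parsed from a lockfile."""
    hits = []
    for ecosystem, package, version in inventory:
        for adv in ADVISORIES:
            if adv.ecosystem == ecosystem and adv.package == package and is_affected(version, adv):
                hits.append(Hit(ecosystem, package, version, adv))
    return hits


# Constructed inventory standing in for package-lock.json plus requirements.txt.
INVENTORY = [
    ("npm", "lodash", "4.17.11"),
    ("npm", "express", "4.18.2"),
    ("pypi", "requests", "2.27.1"),
    ("pypi", "flask", "3.0.0"),
]

if __name__ == "__main__":
    for hit in audit(INVENTORY):
        adv = hit.advisory
        print(f"{adv.severity:<8} {hit.package} {hit.version}  {adv.cve} ({adv.summary})")
        print(f"  Fix: {hit.fix}")
```

The boundary behaviour is the part to check when wiring this to a real database: the first fixed version must not match (requests 2.31.0 is clean), versions below the introduced version must not match (requests 2.2.x predates the bug), and a package can legitimately hit several advisories at once, as the old lodash does here.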

OWASP Top 10 mapped.

Each Milens rule is mapped to an OWASP Top 10 (2021) category, so every finding in a report already carries the category an auditor will ask about, from a single command.

OWASP Category                                   Rules
A01 Broken Access Control                        SEC-049 to SEC-050 (file access)
A02 Cryptographic Failures                       SEC-001 to SEC-010 (secrets) & SEC-041 to SEC-044 (crypto)
A03 Injection                                    SEC-011 to SEC-019 (injection)
A05 Security Misconfiguration                    SEC-031 to SEC-035 (config)
A06 Vulnerable & Outdated Components             dependency audit (milens security deps)
A07 Identification & Authentication Failures     SEC-045 to SEC-048 (auth)
A08 Software & Data Integrity Failures           SEC-028, SEC-029
A09 Security Logging & Monitoring Failures       SEC-036 to SEC-040 (data leak)

Free security. Pro power.

The core security scanner is free forever. Pro adds automation, custom rules, and CI integration.

Feature                                  Free   Pro
50 built-in rules                         ✓      ✓
OWASP Top 10 mapping                      ✓      ✓
CLI security scan                         ✓      ✓
MCP security_scan tool                    ✓      ✓
Dependency audit (offline)                ✓      ✓
Custom security rules                     –      ✓
GitHub App PR scanning                    –      ✓
Scheduled auto-scan                       –      ✓
Security annotations → auto-promote       –      ✓
Priority fixes                            –      ✓