# tk-guard Free

Security scanner with 7 specialized modules: headers, CORS, SSL/TLS, XSS, SQL injection, information disclosure, and authentication endpoint analysis. Zero external dependencies.

```bash
npm install -g @tk-tis/tk-guard
# or run directly
npx @tk-tis/tk-guard https://your-site.com
```
## Usage

```bash
# Quick scan (headers, CORS, SSL only)
tk-guard https://myapp.com

# Deep scan (all 7 scanners)
tk-guard https://myapp.com --deep

# Run specific scanners only
tk-guard https://myapp.com --scanners headers,cors,ssl

# JSON output for CI/CD
tk-guard https://myapp.com --deep --json

# Disable colors for log files
tk-guard https://myapp.com --no-color

# Custom timeout (default: 10000ms)
tk-guard https://myapp.com --timeout 15000
```
## Options

| Flag | Description | Default |
|---|---|---|
| `--deep` | Run all 7 scanners (default runs only headers, CORS, SSL) | false |
| `--scanners <list>` | Comma-separated scanner IDs to run | Quick: headers,cors,ssl |
| `--json` | Output results as JSON | false |
| `--no-color` | Disable ANSI color codes | false |
| `--timeout <ms>` | Per-request timeout in milliseconds | 10000 |
| `--help`, `-h` | Show help message | — |
| `--version`, `-v` | Show version number | — |
## Scanners

tk-guard includes 7 specialized security scanners. The first three run in quick mode (default). All seven run with `--deep`.

| ID | Name | Quick | Description |
|---|---|---|---|
| `headers` | Security Headers | Yes | Checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| `cors` | CORS Configuration | Yes | Tests for wildcard origin, null origin acceptance, and credential reflection |
| `ssl` | SSL/TLS Check | Yes | Validates certificate validity, expiry date, protocol version, and HTTP to HTTPS redirect |
| `xss` | XSS Detection | No | Tests for reflected XSS via common URL parameters |
| `sqli` | SQL Injection | No | Error-based detection, time-based blind testing, auth bypass attempts |
| `info-leak` | Information Disclosure | No | Detects server header exposure, stack traces, file paths, and internal IPs |
| `auth` | Auth Endpoints | No | Tests empty body handling, SQLi on auth, oversized passwords, user enumeration, rate limiting |
The --deep flag runs active security tests (XSS, SQLi) that send test payloads to the target. Only scan applications you own or have permission to test.
## Severity Levels

Each finding is classified by severity:

| Severity | Description | Examples |
|---|---|---|
| CRITICAL | Immediate exploitation risk | Reflected XSS, SQL injection auth bypass |
| HIGH | Serious misconfiguration | Missing HSTS, CORS wildcard with credentials, no rate limit on auth |
| MEDIUM | Moderate risk | Weak CSP, short HSTS max-age, user enumeration |
| LOW | Minor issue | Missing Referrer-Policy, server version exposed |
| INFO | Informational | Legacy X-XSS-Protection header present |
## Risk Score and Grade

tk-guard calculates a risk score and assigns a letter grade:

Score formula: `CRITICAL * 25 + HIGH * 10 + MEDIUM * 5 + LOW * 2` (capped at 100)

| Grade | Score Range |
|---|---|
| A | 0 – 14 |
| B | 15 – 29 |
| C | 30 – 49 |
| D | 50 – 74 |
| F | 75 – 100 |
A lower risk score is better. Grade A means no significant security findings. Aim for grade A or B in production.
## JSON Output

```json
{
  "url": "https://myapp.com",
  "findings": [
    {
      "severity": "HIGH",
      "category": "headers",
      "title": "Missing HSTS Header",
      "description": "Strict-Transport-Security header is not set",
      "evidence": null,
      "remediation": "Add Strict-Transport-Security: max-age=31536000; includeSubDomains"
    }
  ],
  "summary": {
    "critical": 0,
    "high": 1,
    "medium": 2,
    "low": 3,
    "info": 0,
    "grade": "B",
    "risk_score": 17
  },
  "scanners_run": ["headers", "cors", "ssl"],
  "duration_ms": 2340
}
```
## Exit Codes

| Code | Meaning |
|---|---|
| 0 | No critical or high severity findings |
| 1 | Critical or high severity findings detected |
| 2 | Fatal error (scan could not complete) |
## Programmatic Usage

```javascript
import { guard } from '@tk-tis/tk-guard';

// Run a deep scan (all 7 scanners) and inspect the summary
const result = await guard('https://myapp.com', { deep: true });

console.log(result.summary.grade);      // "B"
console.log(result.summary.risk_score); // 17
console.log(result.findings.length);    // 6

// Filter by severity
const critical = result.findings.filter(f => f.severity === 'CRITICAL');
const high = result.findings.filter(f => f.severity === 'HIGH');
```
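As an added example (not tk-guard's own code), here is a CI gate that reproduces the documented score formula, grade bands and exit-code rule from a result shaped like the JSON output above, so a pipeline can also fail when the grade falls below a target letter. The sample result is constructed, and `riskScore`, `grade`, `exitCode` and `gate` are names chosen here.

```javascript
// Added example, not tk-guard's own code: reproduce the documented risk score,
// grade bands and exit-code rule so a pipeline can gate on them.
const WEIGHTS = { CRITICAL: 25, HIGH: 10, MEDIUM: 5, LOW: 2, INFO: 0 };
const BANDS = [[14, 'A'], [29, 'B'], [49, 'C'], [74, 'D'], [100, 'F']];

// Score formula from the README: CRITICAL*25 + HIGH*10 + MEDIUM*5 + LOW*2, capped at 100
function riskScore(findings) {
  const raw = findings.reduce((sum, f) => sum + (WEIGHTS[f.severity] || 0), 0);
  return Math.min(raw, 100);
}

// Grade bands from the README table (0-14 A ... 75-100 F)
function grade(score) {
  return BANDS.find(([max]) => score <= max)[1];
}

// Exit-code rule from the README: 2 when the scan produced no result,
// 1 when any CRITICAL or HIGH finding exists, otherwise 0.
function exitCode(result) {
  if (!result || !Array.isArray(result.findings)) return 2;
  const blocking = result.findings.some(
    (f) => f.severity === 'CRITICAL' || f.severity === 'HIGH'
  );
  return blocking ? 1 : 0;
}

// CI gate: fail (exit 1) on blocking findings or when the grade is worse than
// the target letter (default 'B', the README's production recommendation).
function gate(result, targetGrade = 'B') {
  const code = exitCode(result);
  if (code === 2) return { exit: 2, reason: 'scan did not complete' };
  const score = riskScore(result.findings);
  const letter = grade(score);
  const worse = letter > targetGrade; // letters compare alphabetically: A < B < C < D < F
  return { exit: code === 1 || worse ? 1 : 0, score, grade: letter };
}

// Constructed sample result in the shape of tk-guard's JSON output
const sample = {
  url: 'https://myapp.com',
  findings: [
    { severity: 'HIGH', category: 'headers', title: 'Missing HSTS Header' },
    { severity: 'MEDIUM', category: 'headers', title: 'Weak CSP' },
    { severity: 'LOW', category: 'info-leak', title: 'Server version exposed' },
  ],
};

console.log(JSON.stringify(gate(sample))); // {"exit":1,"score":17,"grade":"B"}
```

Pipe `tk-guard --deep --json` output into `gate` (or call `guard()` directly) and use the returned `exit` value as the step's exit status.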
## HTK-Cloud Integration

Set environment variables to automatically report results:

```bash
export HTK_CLOUD_URL=https://htk-cloud-v4.enzu-agent.workers.dev/api/guard/report
export HTK_CLOUD_TOKEN=your-api-key
export HTK_PROJECT=my-project

tk-guard https://myapp.com --deep
```