AI-powered security review for web developers. Find vulnerabilities, fix them in your code, verify the fixes — all in one session.
Zero security experience needed. Works with any AI coding agent: Claude Code, Codex, opencode, Cursor, Kimi, aider...
Based on the AIDA methodology.
From your project directory:
npx nicefox-secuOn first run, this builds the security toolkit (~1GB Docker image, takes ~2-3 min once).
Open your AI coding agent and paste:
Read ~/.nicefox/REVIEW.md and start the security review
The AI will:
- Auto-detect your framework, target URL, and environment (dev/prod)
- Ask you to confirm — one question instead of a setup wizard
- Review your app (recon, endpoint mapping, vulnerability testing)
- Fix each vulnerability directly in your source code
- Verify each fix by re-testing
- Print a summary of what was found and fixed
- Docker — https://docs.docker.com/get-docker/
- An AI coding agent — Claude Code, Codex, opencode, Cursor, Kimi, aider...
That's it.
$ cd ~/projects/my-express-api
$ npx nicefox-secu
NiceFox Secu
AI-powered security review for web developers
✓ Docker is running
✓ Security toolkit image ready
✓ Toolkit container running
✓ Prompt installed
Ready! Open your AI coding agent from your project directory and paste:
Read ~/.nicefox/REVIEW.md and start the security review
$ claude # or opencode, cursor, codex, aider...
> Read ~/.nicefox/REVIEW.md and start the security review
AI: Detected: Express.js project, target http://localhost:3000, dev mode.
Start the security review? (Y/n)
You: Y
AI: [scanning, testing, fixing...]
AI: Found VULN-001: SQL Injection in POST /api/search (CRITICAL)
Fixing src/routes/search.js — parameterized query...
Fix verified.
AI: Found VULN-002: Missing rate limiting on POST /api/login (MEDIUM)
Fixing src/routes/auth.js — adding express-rate-limit...
Fix verified.
AI: Assessment complete.
2 vulnerabilities found, 2 fixed, 0 require manual attention.Development (auto-detected when target is localhost):
- Aggressive scanning, all exploitation techniques allowed
- AI edits your source code directly to fix vulnerabilities
- Full tool suite
Production — pass the target URL as argument:
npx nicefox-secu https://example.com- Non-destructive tests only, rate limits respected, extra caution on risky tests
- If source code is available locally, AI reads it and applies fixes; otherwise documents recommended fixes only
- Asks for authorization confirmation before scanning
- Asks which paths/subdomains to exclude
The security toolkit Docker image ships with:
| Category | Tools |
|---|---|
| Recon | nmap, subfinder |
| Vuln scanning | nuclei |
| Web discovery | ffuf |
| Parameters | arjun |
| SQL injection | sqlmap |
| XSS | dalfox |
| API testing | httpie, curl |
| JWT | jwt_tool |
| Brute force | hydra |
| Wordlists | SecLists (Discovery, Fuzzing, Passwords) |
- Always test against a dev/staging environment first
- Never test production systems without explicit authorization
- Backup your code before running (or just use git — you do use git, right?)
- In prod mode, the AI applies fixes locally if source code is available, or documents them otherwise
docker rm -f nicefox-tools # Remove container
docker rmi nicefox-tools # Remove image
npx nicefox-secu # Rebuilds from scratchdocker exec nicefox-tools nmap --version # Test a tool manuallyIf tools can't reach your local app, the AI will automatically use host.docker.internal instead of localhost — this is handled in the prompt.
MIT — Use at your own risk. Only test systems you own or have explicit permission to test.
Based on AIDA (AI-Driven Security Assessment), simplified for web developers.