Open Source · Free Forever · No API Key Required

Shine a light on your code's vulnerabilities

ALNUR is an open-source end-to-end security scanner. Point it at any project and get a full report — CVEs, secrets, architecture flaws, and port risks in seconds.

18 Project Types · 30+ SAST Rules · 15+ Lockfile Formats · 0 API Keys Needed

See it in action
One command. Full picture.

Run ALNUR against any directory and get a complete security report in seconds.

terminal
$ alnur scan ./my-django-app

ALNUR — Open-Source Vulnerability Scanner v1.0.0

──────────────────── Scan Summary ────────────────────
Target ./my-django-app
Project Django
Packages 42 dependencies scanned
Duration 3.21s

┌─────────────────────────┬──────────┬──────┬────────┬─────┐
│ Category                │ Critical │ High │ Medium │ Low │
├─────────────────────────┼──────────┼──────┼────────┼─────┤
│ CVE Vulnerabilities     │ 3        │ 5    │ 8      │ 2   │
│ Secret Leaks            │ 1        │ 0    │ 0      │ 0   │
│ Architecture Issues     │ 0        │ 2    │ 3      │ 1   │
│ Port Risks              │ 1        │ 0    │ 0      │ 0   │
│ Standards (9/15 passed) │ —        │ —    │ —      │ —   │
└─────────────────────────┴──────────┴──────┴────────┴─────┘

Risk Score: 420/1000 │ Grade: D │ HIGH RISK

──────────── Priority Actions ────────────
1. 3 CRITICAL CVEs — patch immediately
2. 1 critical secret leak — rotate credentials now

What ALNUR scans
Every angle, covered.

Five independent scanners work in parallel to give you a complete security picture.

🔍

CVE Vulnerability Scanner

Extracts all dependencies and queries the OSV.dev database for known CVEs. No API key needed. Returns severity, CVSS score, and fix version.

OSV.dev · CVSS scoring · fix versions · batch API
🔑

Secret Detection

Finds hardcoded AWS keys, GitHub tokens, Stripe keys, JWTs, database URLs, and more using 18 named patterns plus Shannon entropy analysis.

AWS / GCP · GitHub tokens · Stripe keys · entropy analysis
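How named patterns and Shannon entropy complement each other, as an added example that is not ALNUR's own code: the three patterns, the assignment regex, the 4.0 bits/char threshold and the sample input are all assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Assumed, illustrative subset of named patterns (not ALNUR's actual rule set).
NAMED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "database_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:@/]+:[^\s@/]+@[^\s/]+"),
}
# Secret-looking assignments with a quoted value of 16+ chars; entropy decides.
ASSIGNMENT = re.compile(
    r"""\b(\w*(?:secret|token|passw(?:or)?d|api_?key)\w*)\s*[:=]\s*["']([^"']{16,})["']""",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off


def shannon_entropy(s):
    """Shannon entropy of the character distribution, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_text(text):
    """Return (line_number, rule_name) findings; named patterns take priority."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        names = [n for n, pat in NAMED_PATTERNS.items() if pat.search(line)]
        if names:
            findings.extend((lineno, n) for n in names)
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_string"))
    return findings


# Constructed sample input; the AWS value is AWS's documented example key ID.
SAMPLE = '''\
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://app:hunter2@db.internal:5432/app"
SESSION_SECRET = "q7Zx2LmP9vRt4KdW8sYb1NcH6eFj3GuA"
API_KEY = "changemechangemechangeme"
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

The low-entropy password in the database URL is caught only by its named pattern, and the placeholder `API_KEY` value (2.75 bits/char) passes the entropy check, which is why the two techniques are used together.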
🏗️

Architecture Analysis

30+ static analysis rules detect SQL injection, command injection, weak crypto, insecure deserialization, Django/Flask/Node misconfigurations, and more.

CWE-89 · CWE-78 · CWE-502 · CWE-295

Standards Compliance

15 checks for software engineering best practices — .gitignore hygiene, dependency pinning, test suites, CI/CD configuration, and Docker security.

.gitignore · lockfiles · CI/CD · Docker
🌐

Port Risk Analysis

Scans Dockerfiles, docker-compose, .env files, and config files for dangerous port exposures — Redis, MongoDB, MySQL, Elasticsearch, and 25 more.

Dockerfile · docker-compose · 0.0.0.0 bindings
📊

Risk Scoring & Grading

Every scan produces a 0–1000 risk score and A–F grade. Exits with code 1 on critical/high findings for seamless CI/CD pipeline integration.

risk score · A–F grade · CI/CD exit codes

How it works
Three steps to full visibility
1. Point at a directory

Pass any project path. ALNUR auto-detects the project type and finds all dependency files.

2. Five scanners run

CVE, secrets, architecture, standards, and port analyzers run in sequence on your codebase.

3. Get your report

Console, JSON, or HTML — pick your format. Every finding includes a severity and fix recommendation.


Supported stacks
Works with your project, out of the box.
Node.js
React
Vue.js
Next.js
Python
Django
Flask
FastAPI
Laravel
PHP
Ruby on Rails
Go
Rust
Java / Spring
.NET
Spring Boot

Get started
Install in seconds

No account. No API key. Just install and scan.

pip
# Install
pip install alnur

# Scan your project
alnur scan .

# Generate HTML report
alnur scan . -o html -f report.html

Your report, your way.
🖥️

Console

Color-coded Rich terminal output with severity tables, recommendations, and risk grade.

--output console
📄

JSON

Structured machine-readable report. Perfect for CI/CD pipelines, dashboards, and tooling.

--output json
🌐

HTML

Self-contained dark-theme security dashboard. No external dependencies — share as a single file.

--output html


Start scanning today.

Free, open-source, and takes 30 seconds to set up. No signup required.
