skip to content
fizzgig
sign in
// product
code auditdetect what shippedbrand and reachsoonlift qualityperfect memorysoondecision graph
// build better
sourdough startersproject kicks-off in 1 prompt
// resources
pricingdocsblogabout
sign inrequest access →
audit suite/security/vuln_scanner
newsecurityv0.1.0free

fizzgig__vuln_scanner

known-cve lookup against osv.dev for npm packages. closes the gap dep-audit (structural) leaves open.

// ai does this over time

your lockfile was clean the day you wrote it. three weeks later, the AI suggests an old version because the model's training data is older than the advisory. nothing changes locally; the vulnerability landed anyway.

// the tool does

queries the OSV.dev advisory database (aggregating GitHub Security Advisories, npm advisories, CVE/NVD entries) for known vulns in your installed packages. Returns one finding per affected package with vulns[] inside, headline severity = worst across the package, upgrade_to = lowest fixed version — surface that as the headline remediation.

// so you can

deploy knowing none of your dependencies have an OSV advisory open. pairs with dep-audit (structural) and secret-leak-finder (your own credentials) — clean across all three = green to ship.

● new● v0.1.0● free
// input schema
schema · application/json
{
"type": "object"
"required": [
"project"
]
"properties": {
"project": {
"type": "string"
"description": "the project slug or path"
}
"strict": {
"type": "boolean"
"default": false
"description": "fail on warnings, not just errors"
}
}
}
// output schema
schema · application/json
{
"type": "object"
"properties": {
"ok": {
"type": "boolean"
}
"findings": {
"type": "array"
"items": {
"type": "object"
"properties": {
"severity": {
"enum": [
"info"
"warn"
"high"
"critical"
]
}
"message": {
"type": "string"
}
"fix": {
"type": "string"
}
}
}
}
}
}
// example call from cursor
~/myapp — example output
→ fizzgig__vuln_scanner(project="myapp")
{
"ok": false,
"findings": [
{ "severity": "high",
"message": "policy uses user_id without auth.uid()",
"fix": "USING (auth.uid() = user_id)" }
],
"scanned": 3, "duration_ms": 142
}
// reviews
@maya.codes★★★★★
2 days ago

caught a policy that would have leaked every user's comments. shipped a fix in 4 minutes.

@solo_at_3am★★★★★
1 week ago

first tool i installed. it's the one that pays for itself.

@vibebuilder★★★★☆
2 weeks ago

works great. one false positive on a join table — easy to ignore.

// primary action
add to your editor
paste this into your mcp config.
.cursor/mcp.json
{
  "fizzgig": {
    "url": "https://mcp.fizzgig.ai",
    "tools": ["vuln_scanner"]
  }
}
full setup guide →
// pricing
free
unlimited calls on the free tier.
// related tools
secret_leak_finder
v0.9.0
→
rls_checker
v0.6.0
→
env_auditor
v0.4.0
→
fizzgig

the fluffy guardian of vibe-coded apps. growls at insecure code so you don't have to.

all systems operational

product

code auditbrand and reach (soon)perfect memory (soon)pricingdocschangelog

community

sourdough startersdiscord (soon)github (soon)x / twitter (soon)rss (soon)

company

aboutcontactterms (soon)privacy
© 2026 fizzgig labs.
v1.4.2 · 2026-05-01