nullsec is a desktop-style security scanner built for the AI app generation cycle.
Modern teams can ship full web apps in hours with tools like ChatGPT, Claude, Cursor, Bolt, and Lovable. Speed improved. Security usually did not.
nullsec helps close that gap by finding high-impact issues early, before release.
nullsec is tuned for vulnerability patterns common in AI-generated web apps:
- skips critical security headers
- hardcodes API keys in frontend code
- leaves database files publicly accessible
- fails to sanitize user input (SQL injection)
- forgets to protect admin endpoints
- exposes `.env` files and `.git` directories

Features:
- desktop-grade workflow that feels like an analyst tool, not a raw scanner dump
- findings with severity, evidence, and remediation context
- fast repeat scans during fix/verify cycles
- useful for both security engineers and product developers
- focused offensive testing for vibe-coded applications
- a security findings workbench with a desktop investigator UX
- practical AppSec coverage for teams without a full-time security function
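As an added example that is not nullsec's own code, here is how a scanner can turn the first pattern listed above, missing or weak security headers, into findings with severity, evidence and remediation context; the header set, the thresholds and the sample headers are assumptions:

```javascript
// Added example, not part of nullsec: audit one HTTP response's headers and
// emit scanner-style findings. Header set and thresholds are assumptions.
const HEADER_CHECKS = [
  {
    name: 'strict-transport-security', severity: 'high',
    remediation: 'Send Strict-Transport-Security with max-age >= 31536000 (one year).',
    // Weak if max-age is absent or shorter than one year
    weak: (v) => { const m = /max-age=(\d+)/i.exec(v); return !m || Number(m[1]) < 31536000; },
  },
  {
    name: 'content-security-policy', severity: 'high',
    remediation: "Define a CSP that avoids 'unsafe-inline' and 'unsafe-eval'.",
    weak: (v) => /unsafe-inline|unsafe-eval/i.test(v),
  },
  {
    name: 'x-content-type-options', severity: 'medium',
    remediation: 'Send X-Content-Type-Options: nosniff.',
    weak: (v) => v.toLowerCase() !== 'nosniff',
  },
  {
    name: 'x-frame-options', severity: 'medium',
    remediation: 'Send X-Frame-Options: DENY (or CSP frame-ancestors).',
    weak: (v) => !/^(deny|sameorigin)$/i.test(v),
  },
];
// headers: plain { name: value } object; names are matched case-insensitively.
// Returns one finding per missing or weak header, in HEADER_CHECKS order.
function auditSecurityHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]),
  );
  const findings = [];
  for (const c of HEADER_CHECKS) {
    const value = lower[c.name];
    const evidence = value === undefined ? 'header missing'
      : c.weak(value) ? `${c.name}: ${value}` : null;
    if (evidence) {
      findings.push({ header: c.name, severity: c.severity, evidence, remediation: c.remediation });
    }
  }
  return findings;
}
// Constructed sample: headers a freshly generated app might send
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=300',
  'X-Content-Type-Options': 'nosniff',
};
console.log(JSON.stringify(auditSecurityHeaders(SAMPLE_HEADERS), null, 2));
```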
Prerequisites: Node.js

- Install dependencies: `npm install`
- Set the `GEMINI_API_KEY` in `.env.local`
- Run the app: `npm run dev`
- Build the app: `npm run build`
The frontend can now run as a desktop app.

`npm run desktop:dev` starts Vite and Electron together. The backend should still be running separately on http://localhost:3000.

`npm run desktop:build:dir` generates an unpacked desktop build in `desktop-dist/`.

For installer packages: `npm run desktop:build`