Find & Fix TypeScript Vulnerabilities, Offline
TSscrutinizer is an air-gapped VS Code extension that runs multiple open-source SAST scanners on your TypeScript & Angular source, correlates every finding into one prioritized dashboard, and uses a local LLM to assess reachability and propose reviewed fixes. No code ever leaves your machine.
Built for the Entire TypeScript Ecosystem
TSscrutinizer is a TypeScript-native security tool. It analyzes the code behind your Angular and React + Next.js front ends, your Node.js and NestJS backend services, your Electron desktop apps, and your AWS CDK infrastructure.
One Pane of Glass for Code Security
TSscrutinizer normalizes every scanner’s output into a single model and a single prioritized table, so there is no juggling five separate tools or report formats.
Multi-Scanner SAST
Runs up to eight open-source static analyzers over your source code, then de-duplicates and merges their findings, attributing each to its most reliable source.
- Built-in plus AST analyzers (no install)
- Semgrep, ESLint, CodeQL
- Bearer, njsscan, Gitleaks
Local LLM VEX Analysis
A loopback-only local model assesses VEX-style reachability and impact (affected, not affected, or under investigation) with justifications, and falls back to a deterministic heuristic engine when offline.
- LM Studio or Ollama, loopback only
- Air-gapped secure-coding knowledge corpus
- False-positive suppression
Reviewed Fixes & Audit Trail
Fixes are never auto-applied. Review a before-and-after diff alongside the consulted reference, approve it at a chosen scope, and every change is documented with an inline audit comment and an append-only log.
- Per-occurrence or batch apply
- Named inspector on every fix
- .tsscrutinizer/audit-log.jsonl
How TSscrutinizer Works
A single, repeatable pipeline turns raw scanner output into a prioritized, actionable dashboard, entirely on your machine.
Scan
Multiple SAST tools run over your TS and Angular source.
Normalize
Every result is mapped to one SARIF-based model.
Correlate
Findings are de-duplicated across scanners.
VEX
Local LLM or heuristic rates reachability & impact.
Prioritize
Severity × reachability × CVE weight ranks the dashboard.
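The Normalize, Correlate, VEX and Prioritize stages above, as an added TypeScript illustration that is not TSscrutinizer's own code. The scanner names come from this page; the severity and reachability weights, the scanner reliability order, the "test file means not affected" VEX heuristic and the sample findings are constructed assumptions.

```typescript
// Added illustration of the Normalize -> Correlate -> VEX -> Prioritize stages. Not TSscrutinizer's
// code: scanner names are from the page; weights, reliability order, heuristic and sample are constructed.
export type VexStatus = "affected" | "not_affected" | "under_investigation";
export type Severity = "critical" | "high" | "medium" | "low";
// One normalized finding (a small subset of what a SARIF result carries).
export interface Finding {
  ruleId: string; file: string; line: number; severity: Severity;
  sources: string[]; vex?: VexStatus; cveWeight?: number; // sources: reporting scanners; cveWeight >1 if a CVE is attached
}
const SEVERITY: Record<Severity, number> = { critical: 4, high: 3, medium: 2, low: 1 };
const REACHABILITY: Record<VexStatus, number> = { affected: 1, under_investigation: 0.5, not_affected: 0 };
const RELIABILITY = ["CodeQL", "Semgrep", "Bearer", "njsscan", "ESLint", "Gitleaks", "AST", "built-in"]; // constructed order
// Correlate: the same file, line and rule reported by several scanners collapse into one finding;
// the merged record keeps the highest severity and CVE weight seen and lists the most reliable source first.
export function correlate(findings: Finding[]): Finding[] {
  const byKey = new Map<string, Finding>();
  for (const f of findings) {
    const key = `${f.file}:${f.line}:${f.ruleId}`;
    const m = byKey.get(key);
    if (!m) { byKey.set(key, { ...f, sources: [...f.sources] }); continue; }
    for (const s of f.sources) if (!m.sources.includes(s)) m.sources.push(s);
    if (SEVERITY[f.severity] > SEVERITY[m.severity]) m.severity = f.severity;
    m.cveWeight = Math.max(m.cveWeight ?? 1, f.cveWeight ?? 1);
  }
  const merged = [...byKey.values()];
  for (const f of merged) f.sources.sort((a, b) => RELIABILITY.indexOf(a) - RELIABILITY.indexOf(b));
  return merged;
}
// VEX: deterministic stand-in for the local LLM. Code that only runs under tests is treated as unreachable.
export function assessVex(f: Finding): VexStatus {
  return /\.spec\.ts$|\/test\//.test(f.file) ? "not_affected" : "affected";
}
// Prioritize: severity x reachability x CVE weight, highest first.
export function priority(f: Finding): number {
  return SEVERITY[f.severity] * REACHABILITY[f.vex ?? "under_investigation"] * (f.cveWeight ?? 1);
}
export function prioritize(findings: Finding[]): Finding[] {
  return correlate(findings)
    .map(f => ({ ...f, vex: f.vex ?? assessVex(f) }))
    .sort((a, b) => priority(b) - priority(a));
}
// Constructed sample: two scanners flag the same eval call; one "secret" sits in a spec file.
export const SAMPLE: Finding[] = [
  { ruleId: "eval-injection", file: "src/app/portal.component.ts", line: 42, severity: "high", sources: ["Semgrep"] },
  { ruleId: "eval-injection", file: "src/app/portal.component.ts", line: 42, severity: "critical", sources: ["CodeQL"], cveWeight: 1.2 },
  { ruleId: "hardcoded-secret", file: "src/app/auth.service.spec.ts", line: 7, severity: "critical", sources: ["Gitleaks"] },
  { ruleId: "insecure-http", file: "src/app/api.service.ts", line: 15, severity: "medium", sources: ["ESLint"] },
];
```

Running `prioritize(SAMPLE)` merges the two eval reports into one critical finding attributed to CodeQL first, ranks it above the insecure-HTTP call, and sinks the spec-file secret to the bottom as not affected.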
Inside the Extension
TSscrutinizer lives in the editor your team already uses, with a combined dashboard for triage and inline diagnostics right on the offending line.
See TSscrutinizer in Action
This sample scan runs against a realistic, intentionally vulnerable Angular app to show how findings are correlated, assessed for reachability, and prioritized in a clear, actionable report.
Vulnerable Angular App Demo Scan
The demo scans an “ACME portal” Angular app with planted vulnerabilities such as XSS, eval, hardcoded secrets, weak crypto, insecure HTTP, and open redirect, using all scanners with zero external tools and zero network access.
- Findings from up to 8 SAST scanners, merged
- VEX reachability with plain-language justifications
- Smart prioritization floats critical reachable issues to the top
- False positives correctly marked not affected
The demo application is intentionally vulnerable and is used here only to demonstrate TSscrutinizer’s detection, reachability, and reporting capabilities.
Why Choose TSscrutinizer?
Built for security teams and inspectors who need deep code analysis in the most restricted, sensitive environments, without sending a single line of code to the cloud.
Air-Gapped by Design
A single network choke point blocks everything except loopback, so your code and findings stay on your machine.
No Cloud, No Telemetry
VEX reasoning and fix suggestions run on a local LLM, perfect for classified and regulated environments.
Less Tool Fatigue
Eight scanners, one normalized model, one prioritized dashboard, instead of five separate reports to reconcile.
Inspector-Safe Fixes
Nothing is auto-applied. A human approves every reviewed diff, with scope confirmation and a durable audit log.
Signed Offline Updates
Updates arrive only as ed25519-signed bundles from disk or a sanitization server, with anti-rollback protection.
Smart Prioritization
Severity, reachability, and CVE weight combine so the issues that actually matter rise to the top of the list.
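The signed offline update check described under "Signed Offline Updates", as an added TypeScript example using Node's built-in crypto module. It is not TSscrutinizer's own bundle format: the manifest fields, the integer version counter and the sample payloads are constructed assumptions. The version is covered by the signature so a valid bundle cannot simply be relabelled, and the signature is checked before the rollback test so an unsigned bundle never influences version logic.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "crypto";

// Constructed manifest for a signed offline update bundle (not TSscrutinizer's real format).
export interface Bundle {
  version: number;   // monotonically increasing release counter
  payload: Buffer;   // the update content itself
  signature: Buffer; // ed25519 signature over version || payload
}

// The version is part of the signed bytes so a signed bundle cannot be re-labelled as a newer release.
function signedBytes(version: number, payload: Buffer): Buffer {
  const v = Buffer.alloc(8);
  v.writeBigUInt64BE(BigInt(version));
  return Buffer.concat([v, payload]);
}

export function signBundle(version: number, payload: Buffer, priv: KeyObject): Bundle {
  return { version, payload, signature: sign(null, signedBytes(version, payload), priv) };
}

export type Verdict = "accepted" | "bad_signature" | "rollback";

// Signature first, then anti-rollback: a bundle at or below the installed version is refused.
export function verifyBundle(b: Bundle, pub: KeyObject, installedVersion: number): Verdict {
  if (!verify(null, signedBytes(b.version, b.payload), pub, b.signature)) return "bad_signature";
  if (b.version <= installedVersion) return "rollback";
  return "accepted";
}

// Constructed scenario: a fresh signing key, a valid newer bundle, a tampered copy and an older valid bundle.
export function demo(): Record<"good" | "tampered" | "old", Verdict> {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const good = signBundle(5, Buffer.from("ruleset v5"), privateKey);
  const tampered: Bundle = { ...good, payload: Buffer.from("ruleset v5 (modified)") };
  const old = signBundle(3, Buffer.from("ruleset v3"), privateKey);
  return {
    good: verifyBundle(good, publicKey, 4),
    tampered: verifyBundle(tampered, publicKey, 4),
    old: verifyBundle(old, publicKey, 4),
  };
}
```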
Built for Restricted Environments
From medical devices to defense, TSscrutinizer delivers deep code analysis where cloud-based scanners simply cannot go.
Healthcare & Medical Devices
Run rigorous static code analysis on device software and keep a documented, inspector-approved fix trail for regulatory review, all without internet access.
- Documented fix audit trail
- Offline, air-gapped operation
- Deep static code analysis
Banking & Financial Services
Analyze TypeScript and Angular front ends inside secure, air-gapped banking infrastructure where data privacy and zero cloud dependency are non-negotiable.
- Air-gap deployment
- On-premises analysis
- No code leaves the network
Defense & Government
Operate in classified environments with complete code-level visibility. Signed offline update bundles keep the toolchain current without ever connecting to the internet.
- Zero internet dependency
- Signed, verified updates
- Classified system ready
Enterprise Angular Teams
Consolidate Semgrep, ESLint, CodeQL and more into one prioritized dashboard inside the editor your developers already use, with reachability triage built in.
- VS Code-native workflow
- Consolidated multi-scanner results
- Reachability-based triage