JavaScript Audit

Open-source JavaScript projects categorized as Audit

Top 21 JavaScript Audit Projects

  1. lighthouse ci action

    Automated auditing, performance metrics, and best practices for the web.

    Project mention: Preact vs Astro 4: The Performance Battle benchmark in High-Scale | dev.to | 2026-05-07

    High-scale performance gains are only valid if you test with realistic workloads that match your production traffic. Too many teams benchmark with 10 components on a fast WiFi network, then wonder why their app crashes under 1M DAU. Use the benchmark script we provided earlier to test with 10k+ components, throttled networks (3G, 4G, slow WiFi), and realistic concurrency (100+ req/s). Test both client-side and server-side metrics: TTI, FCP, LCP for client metrics; p99 latency, requests per second, memory usage for server metrics. For Astro apps, benchmark both SSG and SSR modes: SSG will always be faster for static content, but SSR is necessary for personalized content (e.g., logged-in user dashboards). Use Lighthouse CI to automate performance regression testing in your CI pipeline: set thresholds for LCP (<2.5s), FCP (<1.8s), and TTI (<3.8s) and fail builds that exceed them. In our case study, the e-commerce team caught a 400ms TTI regression before deploying by adding Lighthouse CI to their GitHub Actions pipeline, saving hours of debugging post-deployment. For cost benchmarking, use the AWS Pricing Calculator or Vercel’s cost estimator to project server costs for your traffic levels, as Astro’s lower resource usage can lead to significant savings at scale.

  2. SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

  3. pwndoc

    Pentest Report Generator

  4. sandworm-audit

    Security & License Compliance For Your App's Dependencies 🪱

  5. sandworm-guard-js

    Easy auditing & sandboxing for your JavaScript dependencies 🪱

  6. evaluatory

    Web page evaluation with a focus on accessibility

  7. DomainAccessibilityAudit

    Web application to create domain and subdomain accessibility audits, with violation statistics.

  8. sandworm-jest

    Security Snapshot Testing Inside Your Jest Test Suite 🪱

  9. nerviq

    The intelligent governance layer for AI coding agents — audit, align, and govern 8 platforms across every project.

    Project mention: Your AI coding agent scores 10/100. Here's what it's missing. | dev.to | 2026-04-06

    GitHub: github.com/nerviq/nerviq
    npm: npmjs.com/package/@nerviq/cli
    Website: nerviq.net

  10. sandworm-mocha

    Security Snapshot Testing Inside Your Mocha Test Suite 🪱

  11. object-state-history

    The ObjectStateHistory is a JavaScript implementation that allows you to keep track of changes in an object over time, creating a history of the modifications.

  12. orwell

    Orwell is an open-source, local-first platform for systematically auditing and evaluating Large Language Models (LLMs) for bias, safety violations, and behavioural blind spots — before they reach production.

    Project mention: Show HN: Orwell – open-source framework to audit any LLM for behavioral bias | news.ycombinator.com | 2026-03-23

    political lean, gives different advice to different demographic groups?

    Almost nobody tests for that systematically. You either catch it by accident or not at all.

    So I started building something. It's called Orwell — an open-source, no-code framework to audit any LLM for behavioral bias. You define what "balanced" means for your domain, it probes the model, scores every response with an independent judge, and produces a structured report with flagged failures and remediation steps. Can be run entirely locally.

    Github: https://github.com/whereAGI/orwell

    I want to be upfront: this is early, and I don't know if I'm solving this the right way. The problem feels too important — and too nuanced — for one person to get right alone.

    A few things that might be interesting to poke at:

  13. map1

    Deterministic identity for structured data

    Project mention: Show HN: Map v1.0 – Deterministic identity for structured data | news.ycombinator.com | 2026-02-24

  14. nhost-security-skill

    Open-source Hasura/Nhost security auditor: detects anonymous role with open SELECT, user role missing row filter, public introspection. Active anonymous GraphQL probe confirms each leak.

    Project mention: I shipped 5 BaaS security auditors in one day — keyless `npx --discover` mode for Supabase, PocketBase, Appwrite, Firebase, and Nhost | dev.to | 2026-05-11

    nhost-security: github · npm

  15. google-drive-audit-permissions

    Apps Script to audit who has access to all shared files on Google Drive. Lists the permissions of all files.

    Project mention: Auditing All Shared Files in Google Drive with Apps Script | dev.to | 2025-11-01

    You can check the full source code on my GitHub. I also posted this on my blog.

  16. firebase-security-skill

    Open-source Firebase Firestore Rules auditor: detects 'match /{document=**} if true', expired test-mode rules, auth-without-ownership. Active probe sends anonymous GET to confirm leaks.

    Project mention: I shipped 5 BaaS security auditors in one day — keyless `npx --discover` mode for Supabase, PocketBase, Appwrite, Firebase, and Nhost | dev.to | 2026-05-11

    firebase-security: github · npm

  17. pocketbase-security-skill

    Open-source PocketBase security auditor: detects empty rules, the @request.auth.id != trap, true literals. Active probe confirms leaks live.

    Project mention: I shipped 5 BaaS security auditors in one day — keyless `npx --discover` mode for Supabase, PocketBase, Appwrite, Firebase, and Nhost | dev.to | 2026-05-11

    pocketbase-security: github · npm

  18. supabase-security-skill

    Audit and harden any Supabase project. Local-only Node.js, no SaaS, no deps. Detects RLS leaks, exposed SECURITY DEFINER functions, public buckets. Generates fix SQL.

    Project mention: I shipped a public Apify actor that scans Supabase projects for RLS leaks (took 90 min, found a 895-record leak on the first real test run) | dev.to | 2026-05-12

    Open-source repo + docs: github.com/Perufitlife/supabase-security-skill.

  19. a2a-trust-audit

    Audit A2A agent cards across L1-L4 trust dimensions. Score your agent card. AgentLair is the L4 reference implementation.

    Project mention: I audited 18 A2A agent cards. 17 graded F. Mine was the 18th. | dev.to | 2026-05-09

    The weights are public, the checks are public, the source is on GitHub, and the package is on npm. We wrote it. We benefit from publishing the leaderboard. Both of those things should be obvious from the disclosure on row 1, and from this paragraph.

  20. appwrite-security-skill

    Open-source Appwrite security auditor: detects 'any' role grants, document security misconfig, over-permissive collection permissions. Active probe confirms each leak.

    Project mention: I shipped 5 BaaS security auditors in one day — keyless `npx --discover` mode for Supabase, PocketBase, Appwrite, Firebase, and Nhost | dev.to | 2026-05-11

    appwrite-security: github · npm

  21. CloakLLM-JS

    Node.js SDK — PII cloaking middleware for LLM calls (OpenAI + Vercel AI SDK)

    Project mention: Every LLM Prompt You Send Is Plaintext. Here's How to Fix That Before the EU Makes You. | dev.to | 2026-03-02

    → GitHub: github.com/cloakllm/CloakLLM
    → Python SDK: github.com/cloakllm/CloakLLM-PY | pip install cloakllm
    → Node.js SDK: github.com/cloakllm/CloakLLM-JS | npm install cloakllm
    → MCP Server: github.com/cloakllm/cloakllm-mcp

  22. wcag-audit

    WCAG accessibility audit CLI — scan websites for Section 508 and WCAG 2.1/2.2 compliance violations

    Project mention: I Built a Free WCAG Accessibility Audit CLI for Government Teams | dev.to | 2026-03-28

    GitHub: https://github.com/vijaygovindaraja/wcag-audit

NOTE: The open-source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

JavaScript Audit related posts

  • I shipped a public Apify actor that scans Supabase projects for RLS leaks (took 90 min, found a 895-record leak on the first real test run)

    1 project | dev.to | 12 May 2026
  • I shipped 5 BaaS security auditors in one day — keyless `npx --discover` mode for Supabase, PocketBase, Appwrite, Firebase, and Nhost

    5 projects | dev.to | 11 May 2026
  • Show HN: I audited my own back ends on 5 BaaS – leak in every one

    1 project | news.ycombinator.com | 9 May 2026
  • Preact vs Astro 4: The Performance Battle benchmark in High-Scale

    5 projects | dev.to | 7 May 2026
  • Frontend Performance Patterns to speed up your Web App

    2 projects | dev.to | 4 May 2026
  • Your accessibility score is lying to you

    2 projects | dev.to | 7 Apr 2026
  • Adding SEO Checks to CI/CD Without Slowing Down Your Pipeline

    1 project | dev.to | 29 Mar 2026

Index

What are some of the best open-source Audit projects in JavaScript? This list will help you:

# Project Stars
1 lighthouse ci action 30,320
2 pwndoc 2,824
3 sandworm-audit 476
4 sandworm-guard-js 253
5 evaluatory 98
6 DomainAccessibilityAudit 50
7 sandworm-jest 17
8 nerviq 6
9 sandworm-mocha 5
10 object-state-history 3
11 orwell 3
12 map1 2
13 nhost-security-skill 1
14 google-drive-audit-permissions 1
15 firebase-security-skill 1
16 pocketbase-security-skill 1
17 supabase-security-skill 0
18 a2a-trust-audit 0
19 appwrite-security-skill 0
20 CloakLLM-JS 0
21 wcag-audit 0
