Developer-First Supply Chain Security, Security Hygiene, and Secrets Management CLI
Dependency Intelligence • Security Auditing • Secret Detection • Git Security • Learning Mode • Encrypted Vault
Toolip is a TypeScript-powered developer security companion designed to help developers build safer software.
Modern development relies heavily on third-party packages, environment variables, cloud credentials, CI/CD pipelines, and Git workflows. While security tooling often targets enterprise security teams, developers are frequently left with tools that identify problems without explaining them.
Toolip takes a different approach.
Instead of simply reporting findings, Toolip focuses on education, remediation guidance, and practical developer workflows.
Toolip combines:
- Supply Chain Security
- Dependency Intelligence
- Developer Security Auditing
- Secret Detection
- Git Security
- Security Scorecards
- Encrypted Local Secret Storage
- Security Learning Resources
Everything runs locally.
No accounts.
No dashboards.
No SaaS.
No subscriptions.
Most tools stop at:
Security issue found.
Toolip goes further:
- What is wrong?
- Why does it matter?
- How risky is it?
- How do you fix it?
- What alternatives exist?
- How can you prevent it in future?
The goal is to help developers understand security while improving security posture.
```
npm install -g toolip
```
Verify installation:
```
toolip --version
```
Analyze a project:
```
toolip profile
toolip scan
toolip doctor
toolip score
```
Review Git hygiene:
```
toolip git-audit
toolip pre-commit
```
Inspect packages:
```
toolip inspect express
toolip compare axios got
toolip alternatives request
```
Manage secrets:
```
toolip vault init
toolip vault set DATABASE_URL
toolip vault get DATABASE_URL
```
```
toolip profile
```
Detects technologies used within a project.
Examples:
- Node.js
- TypeScript
- Fastify
- Express
- React
- PostgreSQL
- MongoDB
- Redis
Provides technology-aware recommendations.
```
toolip scan
```
Analyzes project dependencies.
Detects:
- Deprecated packages
- Outdated packages
- High-risk packages
- Dependency bloat
- Supply chain concerns
Provides actionable recommendations.
```
toolip inspect express
```
Displays:
- Latest version
- Maintainer information
- Deprecation status
- Package metadata
- Risk score
Useful when evaluating new dependencies.
```
toolip compare axios got
```
Compares multiple packages based on:
- Dependency count
- Risk indicators
- Maintenance activity
- General package health
Useful when choosing between alternatives.
```
toolip alternatives request
```
Suggests safer or more modern replacements for packages that are:
- Deprecated
- Legacy
- Poorly maintained
```
toolip tree
```
Provides visibility into dependency structure.
Displays:
- Dependency hierarchy
- Dependency depth
- Transitive relationships
Useful when investigating package risk.
```
toolip licenses
```
Analyzes project licensing.
Provides:
- License inventory
- License distribution
- Restrictive license warnings
```
toolip doctor
```
Runs a comprehensive project security audit.
Secret detection. Detects:
- GitHub tokens
- API keys
- JWT secrets
- AWS credentials
- Private keys
- Hardcoded passwords
Dangerous code detection. Detects:
- eval()
- Function constructor usage
- Unsafe shell execution
- Dangerous runtime patterns
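The two lists above (secret detection and dangerous code detection) are the kind of check a line-oriented scanner does. The following is an added example, not Toolip's own code: a small TypeScript scanner with one rule per finding type and the remediation hint that goes with it. The AWS and GitHub token prefixes are the public formats those services use; the rule set, the rule ids and the sample file are this example's assumptions, and every value in the sample is fake.

```typescript
// Added example, not Toolip's own code: a minimal line scanner in the spirit of
// the `toolip doctor` checks. The AWS and GitHub token prefixes are the public
// formats those services use; everything in SAMPLE is constructed and contains
// no real credential.

type Severity = "high" | "medium";

interface Rule {
  id: string;
  severity: Severity;
  pattern: RegExp;
  fix: string; // the "how do you fix it" guidance that accompanies each finding
}

const RULES: Rule[] = [
  { id: "aws-access-key-id", severity: "high", pattern: /\bAKIA[0-9A-Z]{16}\b/,
    fix: "Rotate the key in IAM and load it from the environment or a secret store." },
  { id: "github-token", severity: "high", pattern: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/,
    fix: "Revoke the token on GitHub and inject a scoped token from CI secrets." },
  { id: "private-key", severity: "high", pattern: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
    fix: "Remove and regenerate the key; keep key files out of the repository." },
  { id: "hardcoded-password", severity: "high", pattern: /\b(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{4,}["']/i,
    fix: "Read the password from configuration at runtime instead of embedding it." },
  { id: "eval", severity: "medium", pattern: /\beval\s*\(/,
    fix: "Parse data with JSON.parse or a real parser; never evaluate strings as code." },
  { id: "function-constructor", severity: "medium", pattern: /\bnew\s+Function\s*\(/,
    fix: "Replace generated code with ordinary functions or a lookup table." },
  { id: "shell-exec-interpolation", severity: "high", pattern: /\bexec(?:Sync)?\s*\(\s*`[^`]*\$\{/,
    fix: "Use execFile/spawn with an argument array so input never reaches a shell." },
];

interface Finding {
  line: number;
  rule: string;
  severity: Severity;
  fix: string;
}

// Scan a source file line by line; a single line may trigger several rules.
function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ line: index + 1, rule: rule.id, severity: rule.severity, fix: rule.fix });
      }
    }
  });
  return findings;
}

// Constructed sample file. Every value is fake (the AWS key id is AWS's own
// documentation placeholder); lines 1 and 9 are clean on purpose, line 9 being
// the safe counterpart of line 8.
const SAMPLE = [
  'const region = "us-east-1";',
  'const accessKeyId = "AKIAIOSFODNN7EXAMPLE";',
  'const ghToken = "ghp_0123456789abcdef0123456789abcdef0123";',
  'const pem = "-----BEGIN RSA PRIVATE KEY-----";',
  'const db = { host: "localhost", password: "s3cret-example" };',
  "const out = eval(userInput);",
  'const fn = new Function("a", "return a + 1");',
  "execSync(`ls ${dir}`);",
  'execFile("ls", [dir]);',
].join("\n");

// Human-readable report lines: what is wrong, how risky, how to fix it.
function report(): string[] {
  return scanSource(SAMPLE).map((f) => `line ${f.line} [${f.severity}] ${f.rule}: ${f.fix}`);
}
```

Regex rules are a starting point, not a guarantee: they miss secrets that are assembled at runtime and they produce false positives on test fixtures, so a real scanner pairs them with an allowlist and, for high-entropy strings, an entropy check.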
Configuration checks. Checks for:
- Open CORS policies
- Insecure configuration patterns
- Weak environment practices
Security header checks. Identifies missing:
- Content-Security-Policy
- X-Frame-Options
- X-Content-Type-Options
- Strict-Transport-Security
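The header check above, as an added example that is not Toolip's own code: a function that reports which of the four headers are absent from a response, next to an Express-style middleware that adds any missing one without overriding a stricter value the application already set. The baseline header values, the `ResLike` shape and the in-memory response are this example's assumptions.

```typescript
// Added example, not Toolip's own code: the missing-security-header check
// described for `toolip doctor`, plus the hardening middleware that closes the
// gap. Header values below are common baselines, not Toolip's recommendations.

const REQUIRED_HEADERS: Record<string, string> = {
  "content-security-policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  "x-frame-options": "DENY",
  "x-content-type-options": "nosniff",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
};

// Names of required headers that are absent. HTTP header names are
// case-insensitive, so everything is compared lower-cased.
function missingSecurityHeaders(headers: Record<string, string>): string[] {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  return Object.keys(REQUIRED_HEADERS).filter((name) => !present.has(name));
}

// Minimal shape of an Express response, so the middleware can be exercised
// here without the express package (assumed interface).
interface ResLike {
  setHeader(name: string, value: string): void;
  getHeader(name: string): string | undefined;
}

// Middleware: add each baseline header only if the app has not set it already,
// so an application-specific (stricter) CSP is never overwritten.
function securityHeaders(_req: unknown, res: ResLike, next: () => void): void {
  for (const [name, value] of Object.entries(REQUIRED_HEADERS)) {
    if (res.getHeader(name) === undefined) res.setHeader(name, value);
  }
  next();
}

// In-memory response used to demonstrate the middleware offline.
function fakeResponse(initial: Record<string, string> = {}): ResLike & { headers: Record<string, string> } {
  const headers: Record<string, string> = {};
  for (const [k, v] of Object.entries(initial)) headers[k.toLowerCase()] = v;
  return {
    headers,
    setHeader(name: string, value: string): void { headers[name.toLowerCase()] = value; },
    getHeader(name: string): string | undefined { return headers[name.toLowerCase()]; },
  };
}

// Audit a captured header set, then show the middleware repairing it.
function demo(): { before: string[]; after: string[] } {
  // Constructed response: only one of the four baseline headers is present.
  const res = fakeResponse({ "Content-Type": "text/html", "X-Content-Type-Options": "nosniff" });
  const before = missingSecurityHeaders(res.headers);
  securityHeaders({}, res, () => {});
  const after = missingSecurityHeaders(res.headers);
  return { before, after };
}
```

With a real Express app the middleware is registered with `app.use(securityHeaders)` before any route; the audit function is what a scanner runs against the headers a live response actually returns, which is the only place a misconfigured reverse proxy or CDN shows up.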
```
toolip git-audit
```
Analyzes Git hygiene.
Checks for:
- Sensitive files
- Weak ignore rules
- Dangerous artifacts
- Common security mistakes
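The first two checks above (sensitive files and weak ignore rules) come down to one question: is every sensitive file in the tree actually covered by `.gitignore`? The following is an added example, not Toolip's own code, that answers it over a constructed file list and `.gitignore`. The sensitive-file list is this example's assumption, and the ignore matcher implements only the common subset of gitignore syntax (comments, `!` negation, `*` and `?` wildcards, trailing `/` for directories, leading `/` or an inner `/` for anchoring); it is not Toolip's rule set.

```typescript
// Added example, not Toolip's own code: a `.gitignore` coverage check in the
// spirit of `toolip git-audit`. The sensitive-file patterns and the simplified
// gitignore semantics are assumptions of this example.

const SENSITIVE_FILES: RegExp[] = [
  /(^|\/)\.env(?!\.example$)(\..+)?$/, // .env, .env.local, ... but not the committed .env.example
  /\.(pem|key|p12|pfx)$/,              // private keys and keystores
  /(^|\/)id_(rsa|ed25519|ecdsa)$/,     // SSH private keys
  /(^|\/)\.npmrc$/,                    // may carry a registry auth token
  /(^|\/)credentials\.json$/,          // cloud service-account files
];

interface IgnoreRule { re: RegExp; negate: boolean; dirOnly: boolean; anchored: boolean; }

// Turn one gitignore glob into a RegExp: "*" and "?" never cross a "/".
function globToRegExp(glob: string): RegExp {
  const escaped = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, "[^/]*")
    .replace(/\?/g, "[^/]");
  return new RegExp(`^${escaped}$`);
}

function parseGitignore(content: string): IgnoreRule[] {
  const rules: IgnoreRule[] = [];
  for (let line of content.split("\n")) {
    line = line.trim();
    if (!line || line.startsWith("#")) continue;
    let negate = false;
    if (line.startsWith("!")) { negate = true; line = line.slice(1); }
    let dirOnly = false;
    if (line.endsWith("/")) { dirOnly = true; line = line.slice(0, -1); }
    let anchored = false;
    if (line.startsWith("/")) { anchored = true; line = line.slice(1); }
    else if (line.includes("/")) anchored = true;
    rules.push({ re: globToRegExp(line), negate, dirOnly, anchored });
  }
  return rules;
}

// Later rules override earlier ones, as in git. Unanchored patterns match any
// path component; anchored ones match path prefixes from the repository root.
// Directory-only patterns may match a parent directory but never the file itself.
function isIgnored(path: string, rules: IgnoreRule[]): boolean {
  const parts = path.split("/");
  const prefixes = parts.map((_, i) => parts.slice(0, i + 1).join("/"));
  let ignored = false;
  for (const r of rules) {
    const pool = r.anchored ? prefixes : parts;
    const candidates = r.dirOnly ? pool.slice(0, -1) : pool;
    if (candidates.some((c) => r.re.test(c))) ignored = !r.negate;
  }
  return ignored;
}

interface GitAuditFinding { path: string; reason: string; }

// Report every sensitive file that the ignore rules do not cover.
function auditGitHygiene(files: string[], gitignore: string): GitAuditFinding[] {
  const rules = parseGitignore(gitignore);
  return files
    .filter((f) => SENSITIVE_FILES.some((re) => re.test(f)))
    .filter((f) => !isIgnored(f, rules))
    .map((f) => ({ path: f, reason: "sensitive file not covered by .gitignore" }));
}

// Constructed working tree and .gitignore. The rule ".env" is the classic weak
// rule: it covers .env but not .env.local.
const SAMPLE_FILES = [
  "src/index.ts",
  ".env",
  ".env.local",
  ".env.example",
  "config/credentials.json",
  "deploy/server.pem",
  ".npmrc",
  "scripts/deploy.sh",
];
const SAMPLE_GITIGNORE = `
# dependencies
node_modules/
# local config
.env
!.env.example
*.pem
`;

function demoFindings(): string[] {
  return auditGitHygiene(SAMPLE_FILES, SAMPLE_GITIGNORE).map((f) => f.path);
}
```

A finding here means the file will be committed the next time someone runs `git add .`; the fix is both to ignore the pattern (`.env*` plus `!.env.example`) and to confirm with `git ls-files` that the file is not already tracked, since `.gitignore` has no effect on files that are.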
```
toolip pre-commit
```
Runs blocking security checks before commits.
Detects:
- Secrets
- Credentials
- Security violations
- Dangerous files
Designed to stop mistakes before they reach Git history.
```
toolip hook install
```
Installs Toolip-powered Git hooks.
Allows security checks to run automatically before commits.
```
toolip score
```
Calculates a security score based on:
- Dependency Health
- Secret Hygiene
- Configuration Security
- Git Safety
Example:
```
Dependency Health .... 91
Secret Hygiene ....... 84
Configuration ........ 88
Git Safety ........... 95
Overall Score ........ 89
Grade ................ A
```
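As an added example (not Toolip's own code or its documented formula), here is a scorecard in the shape shown above. Weighting the four dimensions equally, rounding the mean down and the grade thresholds are this example's assumptions; they happen to reproduce the figures on the page (91, 84, 88, 95 give 89 and grade A), which is the check the test performs.

```typescript
// Added example, not Toolip's own code: a scorecard in the shape `toolip score`
// prints. The equal weighting, floor rounding and grade thresholds are
// assumptions of this example.

interface Scorecard {
  dependencyHealth: number;
  secretHygiene: number;
  configuration: number;
  gitSafety: number;
}

// Overall score: mean of the four dimensions, rounded down (assumed).
function overallScore(s: Scorecard): number {
  const dims = [s.dependencyHealth, s.secretHygiene, s.configuration, s.gitSafety];
  if (dims.some((d) => !Number.isInteger(d) || d < 0 || d > 100)) {
    throw new RangeError("dimension scores must be integers in 0..100");
  }
  return Math.floor(dims.reduce((a, b) => a + b, 0) / dims.length);
}

// Letter grade thresholds (assumed): A >= 85, B >= 70, C >= 55, D >= 40, else F.
function grade(score: number): string {
  if (score >= 85) return "A";
  if (score >= 70) return "B";
  if (score >= 55) return "C";
  if (score >= 40) return "D";
  return "F";
}

// Render the dotted table: label, a run of dots padding the label to 22
// columns (including one space each side), then the value.
function renderScorecard(s: Scorecard): string {
  const total = overallScore(s);
  const rows: [string, string][] = [
    ["Dependency Health", String(s.dependencyHealth)],
    ["Secret Hygiene", String(s.secretHygiene)],
    ["Configuration", String(s.configuration)],
    ["Git Safety", String(s.gitSafety)],
    ["Overall Score", String(total)],
    ["Grade", grade(total)],
  ];
  return rows
    .map(([label, value]) => `${label} ${".".repeat(22 - label.length - 1)} ${value}`)
    .join("\n");
}

// The page's example, reconstructed as input.
const PAGE_EXAMPLE: Scorecard = { dependencyHealth: 91, secretHygiene: 84, configuration: 88, gitSafety: 95 };
```

Whatever the exact formula, the useful property of a scorecard in CI is that it is monotone: fixing a finding can only raise the score, so a `score >= threshold` gate never punishes a remediation.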
One of Toolip's signature features.
```
toolip learn cors
```
Toolip teaches while it scans.
Available topics include:
- CORS
- JWT
- XSS
- CSRF
- Authentication
- Authorization
- Secrets Management
- Dependency Security
Each lesson includes:
- Explanation
- Risks
- Common mistakes
- Secure examples
- Best practices
Designed for developers learning secure software engineering.
Toolip includes a lightweight encrypted local secrets manager.
```
toolip vault init
```
Creates an encrypted local vault.
```
toolip vault set DATABASE_URL
```
Stores secrets securely.
```
toolip vault get DATABASE_URL
```
Returns decrypted values after authentication.
```
toolip vault list
```
Displays secret names without revealing values.
```
toolip vault delete DATABASE_URL
```
Removes stored secrets.
```
toolip vault export --env development
```
Supported environments:
- development
- staging
- production
Vault properties:
- AES-256 Encryption
- Password Protection
- Local Storage Only
- Offline Operation
No cloud storage.
No synchronization.
No accounts.
No remote services.
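The vault described above (AES-256, password protected, local only, per-environment export), as an added example that is not Toolip's own code and says nothing about Toolip's actual file format: a password-protected store built on Node's crypto APIs. The choice of AES-256-GCM, scrypt as the password KDF with the parameters shown, the JSON layout of the sealed vault and the `Vault` class API are this example's assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";

// Added example, not Toolip's own code: a password-protected local secret
// store in the style of `toolip vault`. AES-256-GCM, the scrypt parameters and
// the sealed-file layout are assumptions of this example.

interface VaultFile {
  kdf: { salt: string; N: number; r: number; p: number }; // scrypt parameters, salt base64
  iv: string;   // 12-byte GCM nonce, base64
  tag: string;  // 16-byte GCM authentication tag, base64
  data: string; // ciphertext of the JSON secret map, base64
}

type SecretMap = Record<string, Record<string, string>>; // environment -> name -> value

const ENVIRONMENTS = ["development", "staging", "production"] as const;
type Env = (typeof ENVIRONMENTS)[number];

// scrypt turns the password into a 32-byte AES-256 key; N=2^14 keeps brute force
// expensive while staying inside Node's default scrypt memory limit.
function deriveKey(password: string, salt: Buffer, N: number, r: number, p: number): Buffer {
  return scryptSync(password, salt, 32, { N, r, p });
}

// Encrypt the whole secret map with a fresh salt and nonce every time, so a
// key/nonce pair is never reused across writes.
function sealVault(secrets: SecretMap, password: string): VaultFile {
  const salt = randomBytes(16);
  const kdf = { N: 16384, r: 8, p: 1 };
  const key = deriveKey(password, salt, kdf.N, kdf.r, kdf.p);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const data = Buffer.concat([cipher.update(JSON.stringify(secrets), "utf8"), cipher.final()]);
  return {
    kdf: { salt: salt.toString("base64"), ...kdf },
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    data: data.toString("base64"),
  };
}

// A wrong password or a tampered file fails inside final(): GCM rejects the
// authentication tag before any plaintext is handed back.
function openVault(file: VaultFile, password: string): SecretMap {
  const key = deriveKey(password, Buffer.from(file.kdf.salt, "base64"), file.kdf.N, file.kdf.r, file.kdf.p);
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(file.iv, "base64"));
  decipher.setAuthTag(Buffer.from(file.tag, "base64"));
  const plain = Buffer.concat([decipher.update(Buffer.from(file.data, "base64")), decipher.final()]);
  return JSON.parse(plain.toString("utf8")) as SecretMap;
}

class Vault {
  private constructor(private file: VaultFile, private readonly password: string) {}

  static init(password: string): Vault {                 // toolip vault init
    const empty: SecretMap = {};
    for (const env of ENVIRONMENTS) empty[env] = {};
    return new Vault(sealVault(empty, password), password);
  }

  static open(file: VaultFile, password: string): Vault { // authenticate before use
    openVault(file, password);
    return new Vault(file, password);
  }

  private mutate(change: (s: SecretMap) => void): void {
    const secrets = openVault(this.file, this.password);
    change(secrets);
    this.file = sealVault(secrets, this.password);        // re-seal with new salt and nonce
  }

  set(env: Env, name: string, value: string): void { this.mutate((s) => { s[env][name] = value; }); }
  get(env: Env, name: string): string | undefined { return openVault(this.file, this.password)[env][name]; }
  delete(env: Env, name: string): void { this.mutate((s) => { delete s[env][name]; }); }
  list(env: Env): string[] { return Object.keys(openVault(this.file, this.password)[env]).sort(); } // names only
  exportEnv(env: Env): string {                           // toolip vault export --env <env>
    const secrets = openVault(this.file, this.password)[env];
    return Object.keys(secrets).sort().map((k) => `${k}=${secrets[k]}`).join("\n");
  }
  serialize(): string { return JSON.stringify(this.file); } // what would be written to disk
}
```

Two properties matter for a local vault of this kind: the file on disk reveals only names' absence (it is a single ciphertext, so `list` still has to decrypt, which is why it prompts for the password), and integrity comes from the GCM tag, so an edited vault file is refused rather than decrypted to garbage.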
| Command | Description |
|---|---|
| toolip profile | Fingerprint project technologies |
| toolip scan | Analyze dependencies |
| toolip doctor | Perform security audit |
| toolip score | Generate security scorecard |
| toolip inspect | Inspect package metadata |
| toolip compare | Compare packages |
| toolip alternatives | Suggest replacements |
| toolip licenses | Analyze licenses |
| toolip tree | Analyze dependency hierarchy |
| toolip git-audit | Audit Git hygiene |
| toolip pre-commit | Run pre-commit security checks |
| toolip hook install | Install Git hooks |
| toolip learn | Security education mode |
| toolip vault | Encrypted local secrets management |
Toolip follows several guiding principles:
- Developer First
- CLI First
- Security Education
- Local Development Friendly
- CI/CD Friendly
- Framework Agnostic
- Actionable Guidance
- Secure by Default
Built with:
- TypeScript
- Node.js
- Commander.js
- Vitest
- Chalk
- Ora
- Zod
- npm Registry APIs
- Git Integration
- Node Crypto APIs
Toolip is useful for:
- Backend Engineers
- Platform Engineers
- DevOps Engineers
- Open Source Maintainers
- Startup Teams
- Full Stack Developers
- Students Learning Security
Toolip demonstrates experience with:
- TypeScript Engineering
- CLI Development
- Security Engineering Concepts
- Supply Chain Security
- Secret Management
- Static Analysis
- Git Integration
- Risk Scoring Systems
- Developer Experience Design
- Secure Development Workflows
Ashibuogwu Williams (wbizmo)
GitHub: https://github.com/wbizmo
MIT License