Runs 100% on your machine — defensive use only

AI security code review that runs 100% locally

Pentester scans your codebase for hardcoded secrets, vulnerable dependencies, infrastructure misconfiguration, and OWASP Top 10 issues — entirely offline. Your code never leaves your computer.

Downloadable CLI · zero runtime dependencies · pure Node.js 18+ · it just runs.

$ pentester analyze ./my-app --scope-ack --format all
Pentester: 14 finding(s) — 3 critical, 7 high, 3 medium, 1 low · posture F (26/100)

What it scans

129 deterministic rules across 9 packs, mapped to the OWASP Top 10 (2021) and CWE. Every finding has a real rule, a real file, and a real line number.


Hardcoded secrets

AWS/GCP keys, Stripe, GitHub/GitLab tokens, Slack, OpenAI, Anthropic, private keys, JWTs, and entropy-based generic secrets.
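The two detection styles listed above, provider signatures and entropy scoring, can be shown together in a few dozen lines. The block below is an added illustration in plain Node.js, not Pentester's rule set: the patterns (an AWS key id as AKIA plus 16 characters, a GitHub token as ghp_ plus 36), the entropy threshold, the rule ids and the sample lines are assumptions or constructed for the example. It also shows the kind of redaction a --no-snippets style option performs, keeping only enough of a match to locate it.

```javascript
// Added example, not Pentester's code. Patterns, thresholds, rule ids and
// the sample input are assumptions / constructed for illustration.
const PROVIDER_SIGNATURES = [
  { rule: 'aws-access-key-id', cwe: 'CWE-798', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { rule: 'github-pat',        cwe: 'CWE-798', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { rule: 'private-key-block', cwe: 'CWE-321', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Generic secrets: a key-like name assigned a long quoted token.
// Assumed thresholds: value length >= 20, entropy > 4.0 bits per character.
const ASSIGNMENT = /\w*(?:secret|token|password|api_?key)\w*\s*[:=]\s*["']([A-Za-z0-9+\/=_\-]{20,})["']/gi;
const MIN_ENTROPY = 4.0;

// Shannon entropy in bits per character: 0 for a repeated character,
// log2(n) for n distinct characters that each appear once.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Keep enough of the match to locate it, never the whole secret
// (the equivalent of a --no-snippets style redaction).
function redact(value) {
  return value.slice(0, 4) + '****' + value.slice(-2);
}

// Scan text line by line; each finding carries a rule id, CWE, line number
// and a confidence level (signature matches rank higher than entropy hits).
function scanText(text, { snippets = true } = {}) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const lineNo = idx + 1;
    const seen = new Set(); // values already reported on this line
    for (const sig of PROVIDER_SIGNATURES) {
      for (const m of line.matchAll(sig.re)) {
        seen.add(m[0]);
        findings.push({ rule: sig.rule, cwe: sig.cwe, line: lineNo,
          confidence: 'high', snippet: snippets ? m[0] : redact(m[0]) });
      }
    }
    for (const m of line.matchAll(ASSIGNMENT)) {
      const value = m[1];
      if (seen.has(value)) continue; // a provider rule already covers it
      const h = shannonEntropy(value);
      if (h > MIN_ENTROPY) {
        findings.push({ rule: 'generic-high-entropy-secret', cwe: 'CWE-798',
          line: lineNo, confidence: 'medium', entropy: Number(h.toFixed(2)),
          snippet: snippets ? value : redact(value) });
      }
    }
  });
  return findings;
}

// Constructed sample input (no real credentials): AWS's documented example
// key id, a fake GitHub token of the right shape, one random-looking value
// and one long but low-entropy value that the entropy rule must ignore.
const SAMPLE = [
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'GITHUB_TOKEN="ghp_0123456789abcdefghijklmnopqrstuvwxyz"',
  'api_key = "Q7vPz2mXc9Lk4RtYbN8wHs3Jd6FgA1eU"',
  'password = "aaaaaaaaaaaaaaaaaaaaaaaa"',
  'const debug = true;',
].join('\n');

console.log(JSON.stringify(scanText(SAMPLE, { snippets: false }), null, 2));
```

Running it reports three findings (lines 1, 2 and 3); the 24-character password on line 4 is long enough for the generic rule but has zero entropy, which is exactly the false positive the entropy threshold exists to avoid, and the GitHub token is reported once, by the signature rule, not a second time by the entropy rule.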


Dependency risk

Matches your manifests and lockfiles against a bundled offline advisory snapshot. Optional --online OSV.dev lookups.


IaC misconfiguration

Dockerfile, docker-compose, Kubernetes, and Terraform: open security groups, public buckets, privileged containers, wildcard IAM.


OWASP Top 10 code flaws

SQL/command/path/code injection, XSS sinks, weak crypto, disabled TLS verification, insecure deserialization, broken auth & access control.

THE POINT

Your code never leaves your machine

Most code scanners upload your source to a server or SaaS to analyze it. Pentester does the opposite: detection is fully offline and on-host. With the defaults, it makes no network requests at all.

That means you can scan proprietary, regulated, or pre-release code without it touching anyone else's infrastructure. The two optional network features (a local Ollama model, OSV.dev dependency lookups) are off by default and clearly opt-in.

  • Offline by default — zero network calls unless you opt in
  • Read-only: never executes, exploits, or probes anything
  • Zero third-party runtime dependencies (pure Node built-ins)
  • A local, append-only audit log records run hashes — never your code or secrets
  • --no-snippets redacts matched code/secrets from reports you share
  • AI explanations run on a local model — prompts stay on your machine

A clear, shareable report

Run one command and get Markdown, JSON, and a self-contained HTML dashboard. Each finding includes severity, confidence, the CWE/OWASP mapping, the exact file and line, and a concrete fix.


1. Acknowledge scope

Confirm you are authorized to review the target (a flag, a Rules-of-Engagement file, or an interactive prompt). Pentester refuses to run otherwise.

2. Scan offline

It walks your files, runs 129 deterministic rules, inventories dependencies, and checks IaC — all on your machine.

3. Read & fix

Get a graded report you can share, gate CI on (--fail-on high), and optionally have a local model explain.

Buy once. Own it.

Three tiers. Same offline engine. Pro and Team unlock every rule pack and commercial use.

Personal

For solo, non-commercial use — side projects and learning.

One-time · set in Lemon Squeezy
  • 1 user · personal / non-commercial license
  • Core rule packs: secrets, injection, weak crypto, hygiene
  • Secret detection (provider signatures + entropy)
  • Markdown, JSON, and self-contained HTML reports
  • CI exit-code gate (--fail-on)
  • Optional local Ollama explanations (--ai)
Get Personal
MOST POPULAR

Pro

For working developers. Every rule pack, commercial use, one developer.

One-time · set in Lemon Squeezy
  • 1 developer · commercial use permitted
  • All 9 rule packs — 129 active rules
  • Adds: insecure deserialization, broken auth/session, access-control gaps, SSRF, web misconfig
  • IaC / container scanning: Dockerfile, docker-compose, Kubernetes, Terraform
  • Dependency advisory matching (bundled offline snapshot)
  • Optional --online OSV.dev dependency lookups
  • 1 year of updates
Get Pro

Team

For teams that need multiple seats and commercial coverage.

Multi-seat · set in Lemon Squeezy
  • Multi-seat (per the seat count you purchase) · commercial use
  • Everything in Pro for every seat
  • Same offline, on-host scanning — nothing is centralized off your machines
  • Shareable config + baseline files for consistent CI gating
  • 1 year of updates
  • Priority email support
Get Team

All sales final. License terms are in the included EULA. Pentester is a defensive static-analysis tool — use it only on code you are authorized to review.

Questions

Does my code ever leave my machine?

No. Detection is fully offline and runs against files on your own disk. The only optional network paths are a local Ollama model (--ai, off by default) and OSV.dev dependency lookups (--online, off by default). With both off — the default — Pentester makes no network requests at all.

Is this an attack tool?

No. Pentester is a defensive, authorized-testing tool. It performs read-only static analysis — it does not run your code, exploit anything, probe networks, or transmit data off-host. It refuses to produce a report until you acknowledge you are authorized to review the target, and it keeps a local audit line for each run.

What does the AI actually do?

With --ai, a local model (via Ollama) explains and triages findings the rules already produced. It cannot invent a vulnerability — every finding comes from a deterministic rule against real file content with a real line number. If no model is available, you still get the full deterministic report with built-in explanations.

What languages and files does it scan?

Injection, XSS, and language-specific rules cover JavaScript/TypeScript (plus JSX/TSX, Vue, Svelte) and Python. Secret and weak-crypto rules also run across Ruby, PHP, Java, Kotlin, Go, Rust, C#, Swift, Scala, and shell scripts. IaC scanning covers Dockerfile, docker-compose, Kubernetes manifests, and Terraform. Dependencies are read from common manifests and lockfiles.

How honest are the results?

Static analysis is heuristic: it can produce false positives and miss issues that need dynamic or manual review. The bundled dependency-advisory list is a dated, point-in-time snapshot, not a live feed — absence of a finding does not mean a dependency is safe. Pentester is a tool to help a qualified reviewer, not a certification. Always verify findings before acting.

What do I need to run it?

Node.js 18 or newer — nothing else. Pentester has zero third-party runtime dependencies (pure Node built-ins), so there is no install step beyond unzipping it and running the CLI. Ollama is only needed if you want local-AI explanations.

What is the refund policy?

All sales are final. The license terms are in the EULA included with the download. Because the first thing you do is run a read-only scan on your own code, you can confirm it works on your codebase immediately.

Review your code without giving it away

Download Pentester, run one command, and get an honest, line-accurate security report — all on your own machine.

See pricing