
// the find

lunasec-io/lunasec

★ 1,469 · TypeScript · NOASSERTION · updated May 2024

LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

LunaSec is a monorepo of security tools — primarily LunaTrace (a Dependabot/Snyk alternative that catches CVEs in PRs via a GitHub App) and LunaDefend (a tokenization system for isolating sensitive data using iframes). The team gained real credibility by breaking the Log4Shell story. As of 2024, LunaDefend is explicitly marked unmaintained and the company has pivoted away from this product.

- LunaDefend's iframe-based tokenization is architecturally interesting — sensitive fields render inside a cross-origin iframe so the parent app never touches the raw data, which meaningfully reduces the blast radius of XSS

- LunaTrace added VEX (Vulnerability Exploitability eXchange) support for suppressing false positives — a real gap in most scanners that just throw every CVE at you regardless of reachability

- The Log4Shell CLI scanner is still genuinely useful for JAR scanning and identifying log4j in running JVM processes — it was built under fire during the actual incident and shows it

- The security blog has substantive technical posts (Log4Shell disclosure, node-ipc protestware analysis, EPSS scoring) — not the usual content-marketing fluff

- Effectively abandoned: last commit May 2024, the company renamed to LunaBrain and moved on — LunaDefend is explicitly marked unmaintained in the README, and the SaaS offering is likely dead or stale

- Self-hosting LunaTrace is a serious undertaking: it requires Hasura, multiple backend services, and a specific deployment topology — the README points you to the SaaS first for a reason

- In the CVE-scanning space, it's competing against GitHub Dependabot (free, built-in), Snyk (well-funded, broad language support), and OSV-Scanner (Google, actively maintained) — there's no compelling reason to choose LunaTrace for a new project today

- The monorepo mixes Go, TypeScript, Kubernetes configs, and Hasura migrations with no clean separation — understanding which pieces are load-bearing for a given feature requires archaeology

