CLI tool for HIPAA compliance scanning and reporting

```bash
npm install verification-layer
```

Automated security scanning for healthcare applications. Detect PHI exposure, fix vulnerabilities, and generate audit-ready compliance reports.

---
vlayer is a CLI tool that scans your codebase for HIPAA compliance issues. It's designed for healthcare startups and developers building applications that handle Protected Health Information (PHI).
Key capabilities:
- Scan for 50+ security vulnerabilities and PHI exposure patterns
- AI Agent Skills scanner - First HIPAA-focused scanner for SKILL.md files (Claude Code, MCP, Cursor)
- AI-powered analysis with Claude API for complex violations and false positive reduction
- Auto-fix common issues with one command
- Generate professional audit reports (HTML, PDF, JSON)
- Detect your tech stack and provide tailored recommendations
- Create cryptographic audit trails for compliance documentation
- Professional suppression system with inline comments and justifications
- Baseline support to focus on new findings while tracking existing issues
- Confidence levels for progressive strictness adoption
---
```bash
# Install
npm install
npm run build
```
---
## AI Agent Skills Security Scanner
vlayer is the first HIPAA-focused security scanner for AI Agent Skills.
Protect your healthcare environment from malicious skills before installation:
```bash
# Scan before installing any skill
vlayer skill-scan ~/Downloads/patient-exporter.SKILL.md

# Scan all skills in directory
vlayer skill-scan ~/.claw/skills/

# CI/CD integration
vlayer skill-scan ./custom-skills/ || exit 1
```

### Why it matters

- 36.82% of AI Agent Skills have security flaws (Snyk, Feb 2026)
- 341 malicious skills distribute Atomic Stealer malware
- 283 skills expose credentials in plaintext
- Zero existing scanners have HIPAA-specific rules

### What it detects

- PHI exposure (SSN, MRN, DOB in examples)
- Hardcoded credentials (API keys, passwords)
- Malicious patterns (reverse shells, data exfiltration)
- HIPAA violations (HTTP transmission, no audit logging)

### Example output

```
Critical: 7 | High: 14 | Medium: 1

Issues:
  PHI Exposure: 8
  Credential Leaks: 1
  Data Exfiltration: 1

DO NOT INSTALL THIS SKILL
Critical HIPAA violations detected.
```

Full documentation: https://docs.vlayer.app
---
## VLayer Ecosystem

- Dashboard: https://app.vlayer.app - Compliance monitoring platform
- Playground: https://play.vlayer.app - Try vlayer in your browser
- Documentation: https://docs.vlayer.app - Complete guides and API reference
- Landing Page: https://vlayer.app - Marketing site

The dashboard is an enterprise-grade HIPAA compliance monitoring platform for tracking violations and compliance scores and for generating audit reports.

Professional Enterprise UI:

- Dark Navy Theme - Professional color palette (#0A1628, #0F172A) with emerald/teal accents
- Fixed Sidebar Navigation - Icon-based menu with VLayer branding and system status
- Glassmorphism Effects - Gradient cards with subtle shadows and transparency
- Circular Progress Gauges - Animated SVG gauges for compliance scores (0-100)
- Status Badges - Color-coded indicators (Compliant/At Risk/Critical)
- Smooth Transitions - Hover effects and state changes with professional animations

Features:

- Supabase Authentication - Secure email/password authentication with session management
- Visual Compliance Dashboard - 4-metric overview with real-time scores and status distribution
- Historical Score Tracking - Interactive charts showing compliance trends over time
- Multi-Project Management - Monitor unlimited projects with inline progress indicators
- Detailed Findings View - Filter by severity with comprehensive issue breakdowns
- Executive Summaries - Professional reports with grade assignments (A-F)
- Enterprise Tables - Sortable project lists with circular scores and status badges
- Responsive Design - Optimized for desktop, tablet, and mobile devices
- User Management - User profiles with logout functionality in sidebar
### Quick Start

1. Create Account: Sign up at app.vlayer.app/signup with your email
2. Login: Access the dashboard at app.vlayer.app
3. Create Project: Click "+ New Project" and enter your project details
4. Run Scan: Execute a compliance scan on your codebase
   ```bash
   node dist/cli.js scan ./src --format json --output scan.json
   ```
5. Upload Results: Send scan data to your project via API
   ```bash
   curl -X POST https://app.vlayer.app/api/projects/{projectId}/scans \
     -H "Content-Type: application/json" \
     -d @scan.json
   ```

### Demo Data

The dashboard includes 4 demo projects with realistic compliance data:
- HealthCare Portal - 92/100 (Grade A - Excellent)
- Telemedicine API - 78/100 (Grade C - Fair)
- Insurance Claims System - 56/100 (Grade F - Critical)
- Mobile Health App - 95/100 (Grade A - Excellent)

See dashboard/README.md for complete API documentation and deployment instructions.
---
## Compliance Score & Dashboard

### Compliance Score

VLayer calculates a compliance score based on findings weighted by severity and confidence:

```bash
# Calculate compliance score
node dist/cli.js score ./src

# Output as JSON
node dist/cli.js score ./src -f json
```

Scoring System:
- Critical: -10 points each
- High: -5 points each
- Medium: -2 points each
- Low: -1 point each
- Acknowledged findings: 25% penalty reduction

Grading:
- A (90-100): Excellent compliance posture
- B (80-89): Good compliance
- C (70-79): Fair compliance
- D (60-69): Poor compliance
- F (<60): Critical - requires immediate attention

### Auditor Reports

Generate professional compliance reports with SHA256 hash verification:

```bash
# Basic auditor report
node dist/cli.js report ./src

# Full-featured report
node dist/cli.js report ./src \
  -o compliance-report.html \
  --org "HealthTech Inc" \
  --period "Q1 2024" \
  --auditor "John Doe" \
  --include-baseline
```

Report Features:
- Compliance score with visual gauge (green/yellow/red)
- Executive summary with key metrics
- Findings table with filtering by severity
- Suppression and acknowledgment audit trails
- Baseline comparison (if enabled)
- SHA256 hash for document integrity
- Print-friendly CSS for PDF export
---
## IDE & Developer Experience

### VS Code Extension

Get real-time HIPAA compliance feedback directly in your editor:

```bash
# Install from the vscode-extension directory
cd vscode-extension
npm install
npm run compile
```

Features:
- Real-time scanning on file save
- Inline diagnostics with severity markers
- Hover tooltips with HIPAA references and recommendations
- Quick-fix actions for auto-remediation
- Status bar compliance score
- Commands: "VLayer: Scan Current File", "VLayer: Scan Workspace"

Configuration:
```json
{
  "vlayer.enableAutoScan": true,
  "vlayer.minConfidence": "low",
  "vlayer.showStatusBar": true,
  "vlayer.configPath": ".vlayerrc.json"
}
```

### Watch Mode

Continuous monitoring with real-time feedback:

```bash
# Watch a directory for changes
node dist/cli.js watch ./src

# Watch with specific categories
node dist/cli.js watch ./src --categories phi-exposure encryption

# Watch with custom config
node dist/cli.js watch ./src --config .vlayerrc.json
```

Features:
- Automatic scan on file save/create
- Colored terminal output by severity
- Diff tracking (new findings vs. previous scan)
- Alerts for new critical/high severity findings
- Smart file filtering (excludes node_modules, dist, etc.)
---
## Suppression & Baseline

### Inline Suppressions

Suppress specific findings with inline comments (justification required):

```typescript
// vlayer-ignore phi-ssn-hardcoded -- Test data for unit tests
const testSSN = "123-45-6789";
```

### Baseline

Generate a baseline to track existing findings without blocking progress:

```bash
# Generate baseline from current state
node dist/cli.js baseline . -o .vlayer-baseline.json

# Scan with baseline (only NEW findings cause failures)
node dist/cli.js scan . --baseline .vlayer-baseline.json
```

### Confidence Levels

Filter findings by confidence level for progressive adoption:

```bash
# Only fail on high-confidence findings
node dist/cli.js scan . --min-confidence high
```
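Pulling the three controls in this section together with the scoring rules from the Compliance Score section, as an added example that is not vlayer's own code: which findings a CI run still fails on, and what score the remaining ones produce. The finding and baseline record shapes, and reading the suppression comment from the line directly above a finding, are assumptions.

```javascript
// Added example, not vlayer's own source: the suppression, baseline and
// confidence controls of this section combined into one CI gate, scored with
// the rules from the Compliance Score section. Record shapes are assumptions.
const CONFIDENCE = { low: 0, medium: 1, high: 2 };
const PENALTY = { critical: 10, high: 5, medium: 2, low: 1 };
const GRADES = [[90, "A"], [80, "B"], [70, "C"], [60, "D"], [0, "F"]];
const SUPPRESS_RE = /\/\/\s*vlayer-ignore\s+([\w-]+)(?:\s+--\s*(.*))?$/;

// A finding is suppressed only by a comment on the line above it that names its
// rule. A comment without a "-- justification" is reported as invalid and the
// finding stays live, which is what "justification required" means in CI.
function suppressionFor(sourceLines, finding) {
  const m = finding.line >= 2 ? SUPPRESS_RE.exec(sourceLines[finding.line - 2]) : null;
  if (!m || m[1] !== finding.rule) return null;
  const justification = (m[2] || "").trim();
  return justification ? { justification } : { error: "missing justification" };
}

// Baseline records match on rule, file and offending code, not on line number,
// so unrelated edits that shift lines do not resurface old findings.
const fingerprint = (f) => `${f.rule}|${f.file}|${f.snippet.trim()}`;

function complianceScore(findings) {
  // Acknowledged findings keep 75% of their penalty (the 25% reduction above).
  const penalty = findings.reduce((sum, f) => sum + PENALTY[f.severity] * (f.acknowledged ? 0.75 : 1), 0);
  const score = Math.max(0, 100 - penalty);
  return { score, grade: GRADES.find(([min]) => score >= min)[1] };
}

function gate(findings, sources, { baseline = [], minConfidence = "low" } = {}) {
  const known = new Set(baseline.map(fingerprint));
  const out = { suppressed: [], invalidSuppressions: [], baselined: [], failing: [], live: [] };
  for (const f of findings) {
    const s = suppressionFor(sources[f.file].split("\n"), f);
    if (s && !s.error) { out.suppressed.push({ ...f, justification: s.justification }); continue; }
    if (s) out.invalidSuppressions.push({ ...f, error: s.error });
    out.live.push(f); // counts toward the score even when baselined
    if (known.has(fingerprint(f))) { out.baselined.push(f); continue; }
    if (CONFIDENCE[f.confidence] >= CONFIDENCE[minConfidence]) out.failing.push(f);
  }
  // Exit code follows the CLI reference: 1 only when a critical finding gets through.
  out.exitCode = out.failing.some((f) => f.severity === "critical") ? 1 : 0;
  return Object.assign(out, complianceScore(out.live));
}

// Constructed sample: one source file (synthetic values) and the findings a scan
// of it would report, with 1-based line numbers. The http-url finding is baselined.
const FILE = "src/api/patients.ts";
const SOURCES = {
  [FILE]: [
    "// vlayer-ignore phi-ssn-hardcoded -- Synthetic fixture used only in tests",
    'const testSSN = "123-45-6789";',
    "// vlayer-ignore phi-console-log",
    'console.log("patient", patient);',
    'fetch("http://api.example.com/patients");',
    'const digest = createHash("md5");',
  ].join("\n"),
};
const FINDINGS = [
  { rule: "phi-ssn-hardcoded", file: FILE, line: 2, severity: "critical", confidence: "high", snippet: 'const testSSN = "123-45-6789";' },
  { rule: "phi-console-log", file: FILE, line: 4, severity: "high", confidence: "medium", snippet: 'console.log("patient", patient);' },
  { rule: "http-url", file: FILE, line: 5, severity: "medium", confidence: "medium", snippet: 'fetch("http://api.example.com/patients");', acknowledged: true },
  { rule: "crypto-weak-algorithm", file: FILE, line: 6, severity: "critical", confidence: "high", snippet: 'const digest = createHash("md5");' },
];
const BASELINE = [FINDINGS[2]];
```

`gate(FINDINGS, SOURCES, { baseline: BASELINE })` suppresses the SSN fixture, flags the bare `vlayer-ignore` as invalid, hides the baselined HTTP call, and still exits 1 because the MD5 finding is critical; raising `minConfidence` to `"high"` drops the console.log finding from the failing set without changing the exit code.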
---
## Features

### Detection Patterns

Scans for 50+ security patterns across 5 HIPAA compliance categories:

| Category | What it detects |
|----------|-----------------|
| PHI Exposure | SSN/MRN in code, PHI in logs, localStorage, URLs |
| Encryption | Weak crypto (MD5, DES), disabled SSL/TLS, HTTP URLs |
| Access Control | SQL injection, XSS, CORS wildcards, hardcoded credentials |
| Audit Logging | Missing logging framework, unlogged PHI operations |
| Data Retention | Bulk deletes without audit, missing retention policies |

All detection patterns:

#### PHI Exposure (18 patterns)
- Social Security Numbers (XXX-XX-XXXX)
- Medical Record Numbers (MRN patterns)
- Date of Birth handling
- Diagnosis codes (ICD-10)
- PHI in console.log statements
- PHI in localStorage/sessionStorage
- Patient data in URLs
- Unencrypted patient contact info

#### Security Vulnerabilities (20+ patterns)
- Hardcoded passwords and secrets
- API keys (generic, Stripe, AWS)
- Database URIs with credentials
- SQL injection (template literals & concatenation)
- innerHTML without sanitization
- eval() and Function constructor
- dangerouslySetInnerHTML in React

#### Infrastructure Issues
- HTTP URLs for PHI transmission
- Disabled SSL/TLS verification
- CORS wildcard origins
- Sessions without expiration
- Missing authentication checks
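As an added illustration of the pattern-based checks listed above (example code, not vlayer's rule engine): a small rule set in the same categories, run over constructed sample source. The rule ids, the lowered confidence for test files, and the `categories` and `safeHttpDomains` config keys follow this README; the exact regexes and the finding shape are assumptions.

```javascript
// Added example, not vlayer's own source. Each rule carries the category,
// severity, default confidence and HIPAA reference that a finding reports.
// The regexes are illustrative assumptions and deliberately narrow.
const RULES = [
  { id: "phi-ssn-hardcoded", category: "phi-exposure", severity: "critical", confidence: "high",
    hipaa: "§164.502", pattern: /\b\d{3}-\d{2}-\d{4}\b/ },
  { id: "phi-console-log", category: "phi-exposure", severity: "high", confidence: "medium",
    hipaa: "§164.312(b)", pattern: /console\.log\([^)]*\b(patient|ssn|mrn|dob|diagnosis)\b/i },
  { id: "crypto-weak-algorithm", category: "encryption", severity: "high", confidence: "high",
    hipaa: "§164.312(a)(2)(iv)", pattern: /create(Hash|Cipheriv?)\(\s*["'](md5|des[-\w]*)["']/i },
  { id: "http-url", category: "encryption", severity: "medium", confidence: "medium",
    hipaa: "§164.312(e)(1)", pattern: /["']http:\/\/[^"'\s]+/ },
  { id: "cors-wildcard", category: "access-control", severity: "high", confidence: "high",
    hipaa: "§164.312(a)(1)", pattern: /Access-Control-Allow-Origin["']?\s*[:,]\s*["']\*["']/ },
  { id: "xss-innerhtml", category: "access-control", severity: "high", confidence: "medium",
    hipaa: "§164.312(a)(1)", pattern: /\.innerHTML\s*=/ },
];

const CONFIDENCE_ORDER = ["low", "medium", "high"];
// Test files are still reported, one confidence level lower, so that
// `--min-confidence high` can skip fixtures without hiding them entirely.
const isTestFile = (path) => /\.(test|spec)\.[jt]sx?$|(^|\/)__tests__\//.test(path);
const lowerConfidence = (c) => CONFIDENCE_ORDER[Math.max(0, CONFIDENCE_ORDER.indexOf(c) - 1)];

// Scan one file. `config` takes the `categories` and `safeHttpDomains` keys
// of .vlayerrc.json as described in the Configuration section.
function scanFile(path, source, config = {}) {
  const findings = [];
  const categories = config.categories ?? null;
  const safeDomains = config.safeHttpDomains ?? [];
  source.split("\n").forEach((line, index) => {
    for (const rule of RULES) {
      if (categories && !categories.includes(rule.category)) continue;
      const match = rule.pattern.exec(line);
      if (!match) continue;
      // Plain HTTP to an allow-listed host (e.g. an internal CDN) is not a finding.
      // The host is compared exactly, so "cdn.example.com.evil.test" does not pass.
      if (rule.id === "http-url") {
        const host = match[0].replace(/^["']http:\/\//, "").split(/[/:?#]/)[0];
        if (safeDomains.includes(host)) continue;
      }
      findings.push({
        rule: rule.id, category: rule.category, severity: rule.severity, hipaa: rule.hipaa,
        confidence: isTestFile(path) ? lowerConfidence(rule.confidence) : rule.confidence,
        file: path, line: index + 1, snippet: line.trim(),
      });
    }
  });
  return findings;
}

// Constructed sample input (synthetic values, not real patient data).
const SAMPLE_SOURCE = [
  'const testSSN = "123-45-6789";',
  'console.log("patient record", patient);',
  'const digest = crypto.createHash("md5").update(body).digest("hex");',
  'fetch("http://my-internal-cdn.com/logo.png");',
  'fetch("http://api.example.com/patients");',
  'res.setHeader("Access-Control-Allow-Origin", "*");',
  'el.innerHTML = patient.notes;',
].join("\n");

function demo() {
  return scanFile("src/api/patients.ts", SAMPLE_SOURCE, { safeHttpDomains: ["my-internal-cdn.com"] });
}
```

`demo()` reports six findings: the allow-listed CDN URL on line 4 is skipped, and the same source scanned under a `__tests__/` path comes back with every confidence one level lower.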
---
### Auto-Fix

Automatically remediate common vulnerabilities:

```bash
node dist/cli.js scan ./my-app --fix
```

| Issue | Auto-Fix Applied |
|-------|------------------|
| SQL injection | Convert to parameterized query: `query('SELECT * FROM users WHERE id = ?', [id])` |
| Hardcoded password | Replace with `process.env.PASSWORD` |
| Hardcoded API key | Replace with `process.env.API_KEY` |
| HTTP URL | Upgrade to HTTPS |
| innerHTML | Replace with textContent |
| PHI in console.log | Comment out with review marker |

Example output:
```
Scan complete. Found 29 issues.
Applied 8 automatic fixes.

Changes by file:
  src/api/users.ts
    Line 45: SQL injection → parameterized query
    Line 89: Hardcoded password → process.env.DB_PASSWORD
  src/utils/logger.ts
    Line 12: PHI in console.log → commented out
```
---
### Stack Detection

vlayer automatically detects your tech stack and provides personalized code examples:

```
Stack detected:
  Framework: Next.js
  Database: Supabase
  Auth: Supabase Auth
```

Supported technologies:
| Type | Detected |
|------|----------|
| Frameworks | Next.js, React, Vue, Nuxt, Angular, Express, Fastify, NestJS |
| Databases | Supabase, Firebase, PostgreSQL, MySQL, MongoDB, Prisma, Drizzle |
| Auth | NextAuth, Supabase Auth, Firebase Auth, Auth0, Clerk, Passport |
Stack-specific recommendations include:
- Next.js + Supabase: Server Components for PHI, Row Level Security (RLS), middleware protection
- Express + PostgreSQL: express-session with Redis, parameterized queries
- React + Firebase: Firestore Security Rules, Admin SDK for PHI
---
### Remediation Guides
Each finding includes a detailed remediation guide with:
- HIPAA Impact: Why this matters for compliance
- Multiple fix options: Different approaches with trade-offs
- Code examples: Copy-paste ready solutions
- Documentation links: Official resources
The guides are personalized to your stack - if you're using Supabase, you'll see Supabase-specific code examples, not generic SQL.
---
### Audit Trail

Generate compliance documentation with cryptographic verification:

```bash
# Run scan with fixes (creates audit trail)
node dist/cli.js scan ./my-app --fix

# Generate PDF report
node dist/cli.js audit ./my-app --generate-report --org "Healthcare Inc" --auditor "Jane Smith"
```

Audit trail includes:
| For Auto-Fixed Issues | For Manual Review Items |
|-----------------------|-------------------------|
| Code before & after | Status: "Pending human review" |
| SHA256 file hashes | Assigned responsible party |
| Timestamp of change | Suggested deadline by severity |
| HIPAA reference resolved | Full finding details |
PDF Report sections:
1. Cover Page - Project info, scan statistics
2. Executive Summary - Remediation rate, risk breakdown
3. Fix Evidence - Cryptographic proof of each change
4. Manual Reviews - Pending items with deadlines
5. Verification Page - Report hash, signature fields
---
### AI-Powered Analysis

Reduce false positives and catch complex violations with Claude AI.

vlayer now includes optional AI-powered analysis using Anthropic's Claude API:

#### Features
- LLM-Powered Rules: 6 specialized AI rules for detecting complex HIPAA violations
- AI Triage: Automatically classify findings to reduce false positives by 50%+
- PHI Scrubbing: All code is sanitized before sending to the LLM (HIPAA-safe)
- Cost Control: Budget limits, caching, and rate limiting built-in
- Confidence Scores: AI provides reasoning and confidence for each finding

#### Quick Start
```bash
# Set your API key
export ANTHROPIC_API_KEY="sk-ant-..."

# Run AI-powered scan (default: 50¢ budget)
node dist/cli.js ai-scan ./my-app

# Adjust budget
node dist/cli.js ai-scan ./my-app --budget 100

# Run LLM rules only (skip triage)
node dist/cli.js ai-scan ./my-app --rules-only

# Enable AI triage in regular scan
node dist/cli.js scan ./my-app # AI triage runs automatically if API key is set

# Disable AI features
node dist/cli.js scan ./my-app --no-ai
```

#### AI Rules
The AI scanner includes 6 specialized rules:

| Rule ID | Name | Detects |
|---------|------|---------|
| HIPAA-PHI-003 | Minimum Necessary Access | APIs returning more PHI than needed (SELECT * violations) |
| HIPAA-SEC-001 | PHI Encryption | Unencrypted PHI in transit or at rest |
| HIPAA-ACCESS-001 | Role-Based Access Control | Missing auth checks, hardcoded roles, IDOR vulnerabilities |
| HIPAA-AUDIT-001 | Audit Logging | PHI operations without proper audit trails |
| HIPAA-RETENTION-001 | Data Retention | Improper deletion, missing retention policies |
| HIPAA-AUTH-001 | Session Management | Weak session configs, missing timeouts |

#### Configuration
Add AI settings to `.vlayerrc.json`:
```json
{
  "ai": {
    "enabled": true,
    "enableTriage": true,
    "enableLLMRules": true,
    "filterFalsePositives": true,
    "budgetCents": 50
  }
}
```

#### Cost & Performance
- Typical scan: 5-20 API calls, $0.10-$0.50
- Caching: Results cached for 24 hours by file hash
- Rate limiting: Max 20 calls/minute, 50 calls/scan
- PHI protection: All sensitive data scrubbed before API call

Example output:
```
Starting AI-powered HIPAA scan...
Scrubbed 3 PHI patterns from src/api/patients.ts
Running 6 LLM-powered rules...
AI scan complete: 12 findings, 48¢

AI Scan Summary:
  Files scanned: 8
  AI findings: 12
  AI calls made: 18
  Cost: 48¢
  Critical: 2
  High: 5
```
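The PHI scrubbing and cost controls described in this section, as an added example rather than vlayer's own implementation: values are replaced with stable placeholders before any prompt is built, and a call is only made inside the documented call and budget limits. The pattern set, placeholder format and per-call cost estimate are assumptions; the real tool keys its cache by file hash, which this example approximates with the scrubbed content.

```javascript
// Added example, not vlayer's own source: the PHI scrubbing and cost controls
// the AI section describes, applied before any code is sent to a model.
// Pattern set, placeholder format and per-call cost estimates are assumptions.
const PHI_PATTERNS = [
  { kind: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { kind: "MRN", re: /\bMRN[:\s#-]*\d{6,10}\b/gi },
  { kind: "DOB", re: /\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b/g },
  { kind: "EMAIL", re: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g },
];

// Replace each PHI-looking value with a stable placeholder, so the model still
// sees that one value flows through the code without seeing the value itself.
function scrubPhi(source) {
  const tokens = new Map(); // original value -> placeholder
  const seq = {};           // per-kind counter for placeholder numbering
  let replacements = 0;
  let scrubbed = source;
  for (const { kind, re } of PHI_PATTERNS) {
    scrubbed = scrubbed.replace(re, (value) => {
      replacements += 1;
      if (!tokens.has(value)) tokens.set(value, `<${kind}_${(seq[kind] = (seq[kind] || 0) + 1)}>`);
      return tokens.get(value);
    });
  }
  return { scrubbed, replacements, distinct: tokens.size };
}

// Budget and rate guard with the documented defaults: 50 cents per scan,
// at most 50 calls per scan and 20 per minute. `now` is passed in for testing.
class LlmBudget {
  constructor({ budgetCents = 50, maxCallsPerScan = 50, maxCallsPerMinute = 20 } = {}) {
    Object.assign(this, { budgetCents, maxCallsPerScan, maxCallsPerMinute, spentCents: 0, calls: 0, recent: [] });
    this.cache = new Map(); // the real tool keys its cache by file hash; here by scrubbed content
  }
  denyReason(estimatedCents, now) {
    this.recent = this.recent.filter((t) => now - t < 60_000);
    if (this.calls >= this.maxCallsPerScan) return "per-scan call cap reached";
    if (this.recent.length >= this.maxCallsPerMinute) return "rate limit: wait for the next minute";
    if (this.spentCents + estimatedCents > this.budgetCents) return "budget exhausted";
    return null;
  }
  record(cents, now) { this.spentCents += cents; this.calls += 1; this.recent.push(now); }
}

// Pre-flight for one LLM call: scrub first (so nothing downstream ever holds raw
// PHI), then answer from cache, then check the budget. Returns what may be sent.
function prepareLlmRequest(budget, source, estimatedCents, now = Date.now()) {
  const { scrubbed, replacements, distinct } = scrubPhi(source);
  if (budget.cache.has(scrubbed)) return { send: false, reason: "cache hit", replacements, distinct };
  const reason = budget.denyReason(estimatedCents, now);
  if (reason) return { send: false, reason, replacements, distinct };
  budget.record(estimatedCents, now);
  budget.cache.set(scrubbed, true);
  return { send: true, prompt: scrubbed, replacements, distinct };
}

// Constructed sample (synthetic values, not real patient data).
const SAMPLE = [
  'const patient = { ssn: "123-45-6789", mrn: "MRN 00123456", dob: "1984-07-21" };',
  "audit.log(`lookup ${patient.ssn}`); // 123-45-6789 appears again",
].join("\n");
```

`scrubPhi(SAMPLE)` reports 3 distinct PHI values across 4 replacements, and both occurrences of the SSN become the same `<SSN_1>` token, which mirrors the "Scrubbed 3 PHI patterns" line in the output above.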
---
## Report Examples

### HTML Report

The HTML report includes:
- Summary cards with severity counts
- Stack detection section with tailored recommendations
- Each finding with code context and line highlighting
- Expandable remediation guides with code examples
- Auto-fixable badge on issues that can be fixed automatically

### JSON Report

Machine-readable format for CI/CD integration:
```json
{
  "summary": {
    "total": 29,
    "critical": 8,
    "high": 12,
    "medium": 6,
    "low": 3
  },
  "stack": {
    "framework": "nextjs",
    "database": "supabase",
    "auth": "supabase-auth"
  },
  "findings": [...]
}
```
---
## Configuration

Create `.vlayerrc.json` in your project root:
```json
{
  "exclude": ["**/*.test.ts", "**/__mocks__/*"],
  "ignorePaths": ["sample-data", "fixtures"],
  "safeHttpDomains": ["my-internal-cdn.com"],
  "contextLines": 3,
  "categories": ["phi-exposure", "encryption", "access-control"]
}
```

| Option | Description | Default |
|--------|-------------|---------|
| exclude | Glob patterns to skip | [] |
| ignorePaths | Path substrings to ignore | [] |
| safeHttpDomains | HTTP domains to allow (CDNs) | Built-in list |
| contextLines | Lines of context in reports | 2 |
| categories | Categories to scan | All |

---
## CLI Reference

```bash
# Basic scan
vlayer scan

# Scan options
vlayer scan -f html -o report.html          # HTML report
vlayer scan -f markdown -o report.md        # Markdown report
vlayer scan -c phi-exposure encryption      # Specific categories
vlayer scan --fix                           # Auto-fix issues

# Watch mode
vlayer watch                                # Watch for changes
vlayer watch -c phi-exposure                # Watch specific categories
vlayer watch --config .vlayerrc.json        # Watch with custom config
vlayer watch --min-confidence high          # Watch with confidence filter

# Audit commands
vlayer audit --summary                      # View audit summary
vlayer audit --generate-report              # Generate PDF
vlayer audit --generate-report --text       # Generate text instead
vlayer audit --generate-report --org "Company" --auditor "Name"

# Baseline commands
vlayer baseline                             # Generate baseline
vlayer baseline -o custom.json              # Custom output path
vlayer scan --baseline .vlayer-baseline.json  # Scan with baseline

# Compliance score
vlayer score                                # Calculate compliance score
vlayer score -f json                        # JSON output
vlayer score --baseline baseline.json       # Score with baseline

# Auditor reports
vlayer report                               # Generate auditor report
vlayer report -o report.html                # Custom output path
vlayer report --org "Company Name"          # Set organization
vlayer report --include-baseline            # Include baseline comparison
```

Exit codes:
- 0 - No critical issues
- 1 - Critical issues found (useful for CI/CD)

---
## HIPAA References

Each finding maps to specific HIPAA regulations:

| Reference | Requirement |
|-----------|-------------|
| §164.502, §164.514 | PHI disclosure and de-identification |
| §164.312(a)(1) | Access control mechanisms |
| §164.312(a)(2)(iv) | Encryption and decryption |
| §164.312(b) | Audit controls |
| §164.312(d) | Person or entity authentication |
| §164.312(e)(1) | Transmission security |
| §164.530(j) | Documentation retention (6 years) |
---
## Roadmap

### Completed

- [x] Phase 4E: Authentication & User Management
  - [x] Supabase Auth integration
  - [x] Email/password authentication flow
  - [x] Login and signup pages with dark theme
  - [x] Protected routes via Next.js middleware
  - [x] User session management
  - [x] User profile display in sidebar
  - [x] Logout functionality
  - [x] Environment variables configured in Vercel
- [x] Phase 4D: Custom Domain Configuration
  - [x] Configured custom domains on vlayer.app
  - [x] Dashboard: app.vlayer.app
  - [x] Playground: play.vlayer.app
  - [x] Documentation: docs.vlayer.app
  - [x] Landing page: vlayer.app
  - [x] Automatic DNS configuration via Vercel
  - [x] SSL/TLS certificates provisioned for all domains
  - [x] Updated all cross-project links
- [x] Phase 4C: Dashboard Consolidation
  - [x] Moved landing page to separate repo (vlayer-website)
  - [x] Dashboard now at root route (/) instead of /dashboard
  - [x] Simplified route structure (/, /projects, /projects/[id])
  - [x] Removed route groups for cleaner app organization
  - [x] Dashboard-focused application architecture
- [x] Phase 4A: Web Dashboard (Enterprise Redesign)
  - [x] Next.js dashboard deployed to Vercel
  - [x] Enterprise-grade dark navy theme with emerald accents
  - [x] Fixed sidebar navigation with VLayer branding
  - [x] Circular progress gauges with animations
  - [x] Multi-project management with REST API
  - [x] Status badges (Compliant/At Risk/Critical)
  - [x] Historical score tracking with visual charts
  - [x] Demo data with 4 realistic projects
  - [x] Glassmorphism effects and professional shadows
  - [x] Responsive design optimized for all devices
- [x] Phase 3B: Dashboard & Compliance Score
  - [x] HIPAA Compliance Score (0-100) with severity weighting
  - [x] Enhanced HTML reports with visual gauge
  - [x] Auditor-ready reports with SHA256 hash
  - [x] Executive summary and filterable findings table
  - [x] Print-friendly CSS for PDF export
- [x] Phase 3A: IDE & Developer Experience
  - [x] VS Code Extension v2.0 with real-time scanning
  - [x] Watch mode for continuous monitoring
  - [x] Inline diagnostics with hover tooltips
  - [x] Quick-fix actions and status bar integration
- [x] Phase 2B: Enhanced Custom Rules
  - [x] Semantic awareness for custom rules
  - [x] Pattern-aware context detection
  - [x] Confidence level controls
- [x] Phase 2A: Semantic Context Analysis
  - [x] AST-based semantic analysis
  - [x] Context-aware confidence levels
  - [x] Test file detection
- [x] Phase 1B: Reusable GitHub Action
  - [x] GitHub Action for CI/CD integration
  - [x] Enhanced npm package
  - [x] Baseline and suppression systems

### Planned

- [ ] Slack/Teams notifications for new findings
- [ ] CLI integration with dashboard auto-upload
- [ ] Database backend for dashboard (currently file-based)

- [ ] HITRUST CSF mapping
- [ ] SOC 2 compliance checks
- [ ] AWS/GCP/Azure infrastructure scanning
- [ ] Team dashboard with trend tracking
- [ ] Jira/Linear integration for issue tracking

- [ ] AI-powered fix suggestions
- [ ] Dependency vulnerability scanning
- [ ] Runtime PHI detection agent
- [ ] Compliance certification workflows

---
## Contributing

Contributions are welcome! Please read our contributing guidelines before submitting PRs.

```bash
# Development
npm install
npm run dev   # Watch mode
npm run test  # Run tests
npm run lint  # Lint code
```

---

MIT License - see LICENSE for details.

---

Built for healthcare developers who take compliance seriously.