New: 250+ Security Rules

Fortify Your Defenses

Security auditing for Playwright, Puppeteer, Cypress & Selenium WebDriver. Run 250+ vulnerability checks alongside your functional tests. Catch issues before attackers do.

250+ Security Rules | 48 Categories | <1s Scan Time

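import { test } from '@playwright/test';
import { SecurityAuditor } from 'qastell';

test('security audit', async ({ page }) => {
  // Load the page under test
  await page.goto('https://your-app.com');

  // Audit the loaded page with the security rules
  const auditor = new SecurityAuditor(page);
  await auditor.assertNoViolations();

  // Reaching this line means the audit reported no violations for this page
});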

The Name

Defense is universal. Castle in English, Kastell in German, Castell in Welsh, Castel in Romanian – all from Latin castellum, the fortress that protects what matters.

QAstell brings that same principle to test automation: a fortress built into your CI/CD pipeline.

Built for Modern Security

Everything you need to catch vulnerabilities in your web applications before they reach production.

Multi-Framework Support

Works with Playwright, Puppeteer, Cypress, and Selenium WebDriver. Same API, same rules - integrates seamlessly with your existing test suite.

250+ Security Rules

Comprehensive coverage across XSS, CSRF, injection attacks, misconfigurations, and dozens more vulnerability types.

CVSS Severity

Industry-standard severity ratings with OWASP Top 10 and CWE references for every finding.

Multiple Reports

Export to HTML, JSON, JUnit XML for CI/CD, or SARIF for GitHub/GitLab code scanning.

Lightning Fast

Scans complete in under a second. Run security checks on every commit without slowing down your CI/CD.

Configurable

Include or exclude rule categories, set severity thresholds, skip specific rules. Full control over your scans.

Get Started in Minutes

From install to your first security scan in four simple steps.

  1. Install

    npm install qastell

  2. Import

    Add SecurityAuditor to your test

  3. Scan

    Run audit on any page

  4. Fix

    Review report and remediate

Try It Now - 30 Seconds

Copy, paste into your terminal, hit Enter. That's it.

npx -y create-playwright@latest qastell-demo --quiet && cd qastell-demo && npm i qastell && echo 'import{test}from"@playwright/test";import{SecurityAuditor}from"qastell";test("security",async({page})=>{await page.goto("https://example.com");const a=new SecurityAuditor(page);const r=await a.audit();console.log("Issues:",r.summary.total,"| Critical:",r.summary.bySeverity.critical,"| High:",r.summary.bySeverity.high);});' > tests/security.spec.ts && npx playwright test security --reporter=list

Works on macOS, Linux, and Windows (with WSL). Requires Node.js 18+.

Playwright users: First-time setup may require sudo npx playwright install-deps for system dependencies.

WebDriver users: Requires Chrome browser installed. ChromeDriver is downloaded automatically.

Security tip: Always review commands before running them. These install packages from npm and execute code.

Simple, Transparent Pricing

Start free, upgrade when you need more. No hidden fees. All prices include VAT.

Free (Non-Commercial)

€0
For personal & open source projects
  • 10 scans per day
  • All 250+ security rules
  • HTML reports
  • Single worker only
  • Community support
  • Non-commercial use only

Corporate

€499/month
For large organizations
  • Unlimited scans
  • All 250+ security rules
  • All reports (HTML/JSON/JUnit/SARIF)
  • Unlimited parallel workers
  • GitHub/GitLab code scanning
  • Priority support

48 Security Categories

Comprehensive coverage for modern web application vulnerabilities.

XSS, CSRF, Cookies, CORS, CSP, Mixed Content, Open Redirect, Clickjacking, DOM Clobbering, Prototype Pollution, PostMessage, WebSocket, Service Workers, Shadow DOM, Iframes, SRI, Third-Party Scripts, Sensitive Data, DNS Rebinding, Cache Poisoning, Request Smuggling, SSRF, Deserialization, Race Conditions, Crypto Weaknesses, ReDoS, Timing Attacks, Tabnabbing, and 20 more.

Ready to Fortify Your Defenses?

Start scanning for vulnerabilities in minutes. No credit card required for free tier.
