repo-risk-radar is a practical security risk scanner for open-source maintainers. It looks for high-signal issues that often create maintainer load: risky GitHub Actions patterns, possible committed secrets, missing security policies, and weak release or contributor hygiene.
The goal is not to replace a full security audit. The goal is to give maintainers a quick, readable first pass before reviewing a pull request, preparing a release, or tightening a repository.
Install:

```bash
python -m pip install repo-risk-radar
```

For local development:

```bash
python -m pip install -e ".[dev]"
```

Scan a repository:

```bash
repo-risk-radar scan .
```

Emit JSON for automation:

```bash
repo-risk-radar scan . --format json
```

List available rules:

```bash
repo-risk-radar rules
```

Checks include:

- GitHub Actions workflows with missing or broad permissions.
- `pull_request_target` usage that deserves careful review.
- GitHub Actions references that are not pinned to a commit SHA.
- Workflow steps that pipe remote downloads into shell interpreters.
- Possible private keys, cloud access keys, or long token-like assignments.
- Missing `SECURITY.md`, `LICENSE`, changelog, issue templates, or contributing guide.
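To make the GitHub Actions checks above concrete, here is an added example (not repo-risk-radar's own code, which is not shown on this page) that scans a constructed workflow with plain line-based regexes and flags four of the listed patterns: a missing top-level `permissions:` block, a `pull_request_target` trigger, an action reference not pinned to a 40-character commit SHA, and a `curl ... | bash` step. The sample workflow, the rule names and the pinned SHA are all made up for the example.

```python
import re

# Constructed sample workflow (not taken from any real repository). It is
# written to trip several of the patterns listed above; line numbers in the
# findings refer to this string. The 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
      - run: curl -sSL https://example.invalid/install.sh | bash
      - run: python -m pip install -e .
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_LINE = re.compile(r"^\s*-?\s*run:\s*(.+)$")
PERMISSIONS_LINE = re.compile(r"^permissions:")  # top-level key only (column 0)
PR_TARGET = re.compile(r"\bpull_request_target\b")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b")


def scan_workflow(text, path=".github/workflows/ci.yml"):
    """Return a list of finding dicts for one workflow file (hypothetical rule names)."""
    findings = []
    lines = text.splitlines()

    def add(line, rule, message):
        findings.append({"path": path, "line": line, "rule": rule, "message": message})

    # 1. No top-level permissions block: the GITHUB_TOKEN then inherits the
    #    repository default scope, which is often broader than the job needs.
    if not any(PERMISSIONS_LINE.match(ln) for ln in lines):
        add(1, "missing-permissions",
            "No top-level 'permissions:' block; token inherits the default scope.")

    for lineno, ln in enumerate(lines, 1):
        # 2. pull_request_target runs with a privileged token on fork PRs.
        if PR_TARGET.search(ln):
            add(lineno, "pull-request-target",
                "pull_request_target trigger; review what runs against fork input.")

        # 3. A tag or branch ref can be moved after review; a full SHA cannot.
        m = USES_LINE.match(ln)
        if m:
            ref = m.group(1).strip("'\"")
            if not (ref.startswith("./") or ref.startswith("docker://")):
                version = ref.rsplit("@", 1)[1] if "@" in ref else ""
                if not FULL_SHA.match(version):
                    add(lineno, "unpinned-action",
                        f"Action reference '{ref}' is not pinned to a commit SHA.")

        # 4. Piping a download into a shell runs whatever the remote host serves
        #    at run time, with no artifact to review or checksum.
        m = RUN_LINE.match(ln)
        if m and PIPE_TO_SHELL.search(m.group(1)):
            add(lineno, "pipe-to-shell", "Remote download is piped into a shell interpreter.")

    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{f['path']}:{f['line']}: [{f['rule']}] {f['message']}")
```

The example is deliberately line-based so it runs without a YAML parser; it misses multi-line `run: |` blocks and job-level `permissions:` keys, and a production rule should walk the parsed YAML tree instead of matching lines.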
Example JSON output:

```json
{
  "findings": [
    {
      "line": 8,
      "message": "Action reference 'actions/checkout@v4' is mutable or missing a commit SHA.",
      "path": ".github/workflows/ci.yml",
      "recommendation": "Pin third-party actions to a reviewed 40-character commit SHA.",
      "rule_id": "GHA004",
      "severity": "medium",
      "title": "Action reference is not pinned to a commit SHA"
    }
  ],
  "path": "/path/to/repo",
  "summary": {
    "medium": 1
  }
}
```

This project is new and intentionally modest. It is meant to become useful through focused rules, maintainer feedback, tests, and clear remediation guidance.
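To show how the JSON output above can drive automation, here is an added example (not part of repo-risk-radar) of a small CI gate: it reads a report in the shape shown above, fails the build when any finding is at or above a chosen severity, and lets a baseline of already-known findings pass so that only new ones block. The report below is constructed from the sample on this page, and the severity ordering (low, medium, high, critical) is an assumption of the example, since the page only shows `medium`.

```python
import json
import sys

# Constructed report in the JSON shape shown above (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {
            "line": 8,
            "message": "Action reference 'actions/checkout@v4' is mutable or missing a commit SHA.",
            "path": ".github/workflows/ci.yml",
            "recommendation": "Pin third-party actions to a reviewed 40-character commit SHA.",
            "rule_id": "GHA004",
            "severity": "medium",
            "title": "Action reference is not pinned to a commit SHA",
        }
    ],
    "path": "/path/to/repo",
    "summary": {"medium": 1},
})

# Assumed severity ladder; the page only demonstrates "medium".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable identity for a finding so a baseline survives re-scans."""
    return (finding["rule_id"], finding["path"], finding["line"])


def gate(report_json, fail_on="medium", baseline=()):
    """Return (exit_code, blocking_findings).

    exit_code is 1 when any finding at or above `fail_on` is not in `baseline`
    (an iterable of (rule_id, path, line) tuples), else 0.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    known = {tuple(b) for b in baseline}
    blocking = [
        f for f in report["findings"]
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold and fingerprint(f) not in known
    ]
    return (1 if blocking else 0), blocking


def render(blocking):
    """One line per blocking finding, with the scanner's own recommendation."""
    return "\n".join(
        f"{f['path']}:{f['line']} {f['rule_id']} ({f['severity']}): {f['title']}\n"
        f"    -> {f['recommendation']}"
        for f in blocking
    )


if __name__ == "__main__":
    # Usage: repo-risk-radar scan . --format json | python gate.py
    code, blocking = gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT)
    if blocking:
        print(render(blocking))
    sys.exit(code)
```

Keeping the baseline keyed on `(rule_id, path, line)` is simple but brittle: any edit above the finding shifts its line and makes it look new, so a baseline that ignores `line` trades some precision for fewer spurious failures.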
See CONTRIBUTING.md for setup and contribution guidelines.
See SECURITY.md for vulnerability reporting.
MIT. See LICENSE.