Skip to content

zanesense/reposec

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

17 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

RepoSec

Find the security gaps in your public GitHub repo β€” before attackers do.

RepoSec is a defensive, read-only scanner that audits a public GitHub repository and returns a clear, prioritized security report. It checks for exposed .env files, missing .gitignore rules, hardcoded secret patterns in source and deployed JavaScript bundles, missing SECURITY.md and CODEOWNERS, weak CI, Dockerfile misconfigurations, dependency hygiene, and more.

The scanner never modifies the target repository and never exfiltrates its data. It is a hygiene tool, not an offensive one.

Live Demo License: MIT Version npm package Stars Issues PRs Language Framework React Last commit

πŸš€ Try the live demo β†’ β€” paste any public GitHub URL and get a security report in seconds. No signup, no token required.


🧭 Quick Links

Link Description
🌐 Live demo Hosted scanner at reposec.zanesense.dev
πŸ“¦ npm package Run the local CLI with npx reposec
πŸ“¦ Repository Source code, issues, and releases
πŸ› Issue tracker Report bugs and request features
πŸ”€ Pull requests Open a PR to contribute
⭐ Stargazers See who starred the project
πŸ“„ License MIT terms

πŸ—‚οΈ Table of Contents


πŸ“– Overview

Most repository leaks do not start with a sophisticated exploit. They start with a committed .env, a missing SECURITY.md, or a CI workflow with write-all permissions. RepoSec is a fast, opinionated linter for your repository's public surface: paste a GitHub URL, get a security score, a category-by-category pass/fail breakdown, severity-grouped findings, and copy-pasteable fixes.

It is built for:

  • πŸ§‘β€πŸ’» Maintainers who want a quick hygiene check before tagging a release.
  • πŸ›‘οΈ Security engineers who need a free, no-signup pre-audit for open-source projects.
  • πŸ“š Educators and students who want to teach the basics of repo hardening with a live report.
  • πŸ€– LLM-assisted workflows β€” every finding ships with a fix prompt you can paste into your editor agent.

Why a defensive tool? Because catching mistakes early is cheaper, friendlier, and more effective than chasing them after a leak. RepoSec is intentionally framed as a scanner, not an exploit kit.


✨ Features

  • πŸ” 12 static check modules covering env hygiene, secrets, docs, scripts, GitHub features, container hygiene, community health, CI quality, repo metadata, source patterns, and dependencies.
  • 🧠 55+ secret patterns out of the box, ported from the gitleaks ruleset: OpenAI, Anthropic (incl. admin), Groq, HuggingFace (user + org), Perplexity, Notion, GitHub (classic + fine-grained), GitLab, npm, PyPI, Slack (tokens + webhook URLs), Discord, Telegram, Twilio, SendGrid, Mailgun, Stripe (live + test), Google API, AWS (AKIA/ASIA + Bedrock ABSK + secret keys), Azure AD, Alibaba, Heroku, Pulumi, Fly.io, New Relic, Dynatrace, Grafana Cloud, Databricks, HashiCorp Vault (service + batch), Terraform Cloud, EasyPost, ReadMe, Prefect, Sourcegraph, Microsoft Teams webhooks, private key blocks, SSH public keys, generic JWTs, database URLs, curl auth in shell commands, and generic credential assignments.
  • πŸ“Š Security score (0–100) with bands: Excellent, Good, Fair, Weak, Critical.
  • πŸ—‚οΈ Per-category breakdown showing exactly which checks passed, failed, warned, or were missing.
  • 🧾 Severity-grouped findings with masked evidence and a "Fix it like this" panel.
  • πŸ“₯ One-click exports for:
    • Markdown report
    • JSON report
    • SARIF report for GitHub Code Scanning
    • SECURITY.md template
    • .env.example template
    • GitHub issue checklist
    • LLM fix prompt
  • πŸŒ— Polished UI with a RepoSec design system, light/dark theming, and accessible shadcn-style primitives.
  • πŸ§ͺ Read-only by design β€” no writes, no auth, no database, no telemetry beyond the GitHub API.
  • 🐒 No GitHub auth required for public repos. Optional token raises the rate limit to 5000 req/h.

New scanner capabilities

  • Full-repo secret file selection: RepoSec fetches likely secret-bearing files across the tree, including JS/TS, Python, env files, shell scripts, Terraform, config files, keys, SQL, and source maps while skipping dependencies, build output, binary-heavy files, and oversized blobs.
  • Deployed bundle scanning: paste an optional deployed app URL and RepoSec fetches the public page, discovers JavaScript bundles and source maps, and scans the same assets users can inspect in Chrome DevTools Sources. If the repo metadata has a homepage URL, the API attempts that scan automatically.
  • SARIF export: reports can be exported as SARIF for GitHub Code Scanning and compatible security dashboards.
  • Baseline suppression: reviewed findings can be ignored with .reposecignore, reposec-baseline.json, or .reposec-baseline.json by matching finding id, fingerprint, file, file:line, or title.
  • Local CLI: scan private/local repos without uploading contents using npx reposec .; add --history to scan recent git history, --format sarif for CI output, and --color or --no-color to control terminal formatting.
  • Confidence and fingerprints: secret findings include confidence, fingerprint, and optional verified metadata. Raw secret values stay server-side and evidence remains masked.
  • Opt-in verification: supported GitHub, Stripe, and HuggingFace tokens can be verified live with the web checkbox, API verify: true, or CLI --verify.

🧠 How It Works

RepoSec is a server-rendered Next.js application. The browser is a thin client; the real work happens in app/api/scan/route.ts.

flowchart TD
    A[User pastes a public GitHub URL] --> B[Client posts to /api/scan]
    A2[Optional deployed app URL] --> B
    B --> C[Server parses owner/repo]
    C --> D[GitHub REST API: repo metadata]
    D --> E[GitHub tree API: file tree]
    E --> F[Fetch important files and likely secret-bearing source files]
    B --> X[Fetch deployed HTML, JS bundles, and source maps]
    F --> G[Rule-based scanner: 12 modules]
    X --> G
    G --> H[Score calculation: 100 minus weighted findings]
    H --> I[ScanReport JSON]
    I --> J[Client renders score, tabs, findings]
    J --> K[Exports: Markdown, JSON, SECURITY.md, .env.example, issue checklist, fix prompt]
Loading

Key design choices:

  • Server-side fetching keeps the GitHub token (if any) out of the browser and avoids CORS surprises.
  • Static rule engine in lib/scanner.ts β€” easy to extend, deterministic, easy to test.
  • Bounded client-bundle scanning only fetches public HTTPS pages/assets, caps file sizes, and blocks private/internal hosts.
  • No persistence: a scan is a single request/response cycle. There is no database to leak.

πŸ—‚οΈ Repository Structure

reposec/
β”œβ”€β”€ app/
β”‚   β”œβ”€β”€ layout.tsx                # Root layout: fonts, theme, nav, footer, toaster
β”‚   β”œβ”€β”€ page.tsx                  # Landing page with sample repos
β”‚   β”œβ”€β”€ globals.css               # Tailwind v4 + RepoSec design tokens
β”‚   β”œβ”€β”€ loading.tsx               # Global loading skeleton
β”‚   β”œβ”€β”€ not-found.tsx             # Custom 404
β”‚   β”œβ”€β”€ scan/page.tsx             # Scan-in-progress + result view
β”‚   β”œβ”€β”€ report/page.tsx           # Alias of /scan, re-runs from query params
β”‚   └── api/scan/route.ts         # Server-side scanner endpoint
β”‚
β”œβ”€β”€ components/
β”‚   β”œβ”€β”€ navbar.tsx                # Top navigation
β”‚   β”œβ”€β”€ footer.tsx                # Site footer
β”‚   β”œβ”€β”€ repo-input.tsx            # GitHub URL input + sample repos
β”‚   β”œβ”€β”€ security-score.tsx        # SVG score gauge with band
β”‚   β”œβ”€β”€ finding-card.tsx          # Severity-grouped finding card
β”‚   β”œβ”€β”€ risk-badge.tsx            # Severity badge
β”‚   β”œβ”€β”€ report-tabs.tsx           # Overview / Findings / Fixes / Checks / Files / Export
β”‚   β”œβ”€β”€ export-button.tsx         # Copy + download for one export item
β”‚   β”œβ”€β”€ scan-view.tsx             # Scan state machine + UI
β”‚   β”œβ”€β”€ star-prompt.tsx           # Friendly star CTA
β”‚   β”œβ”€β”€ doodles.tsx               # Decorative SVG illustrations
β”‚   └── ui/                       # shadcn-style primitives (button, card, input, badge, tabs, skeleton, dialog)
β”‚
β”œβ”€β”€ lib/
β”‚   β”œβ”€β”€ baseline.ts               # .reposecignore / baseline suppression
β”‚   β”œβ”€β”€ client-bundle.ts          # Public deployed JS bundle and source-map fetcher
β”‚   β”œβ”€β”€ fingerprint.ts            # Stable secret fingerprints for dedupe/baselines
β”‚   β”œβ”€β”€ github.ts                 # GitHub API client, URL parsing, error model
β”‚   β”œβ”€β”€ local-repo.ts             # Local filesystem and git-history scan loader
β”‚   β”œβ”€β”€ rules.ts                  # Secret pattern catalog + severity helpers
β”‚   β”œβ”€β”€ scan-targets.ts           # Shared scannable file/path selection
β”‚   β”œβ”€β”€ scanner.ts                # Rule-based scanner (12 modules, per-check pass/fail)
β”‚   β”œβ”€β”€ scoring.ts                # Score calculation and band assignment
β”‚   β”œβ”€β”€ exporters.ts              # Markdown / JSON / SARIF / templates / fix prompt
β”‚   β”œβ”€β”€ types.ts                  # Shared TypeScript types
β”‚   β”œβ”€β”€ verification.ts           # Opt-in supported-token verification
β”‚   └── utils.ts                  # cn(), formatters, secret masking
β”‚
β”œβ”€β”€ public/
β”‚   β”œβ”€β”€ favicon.svg               # RepoSec shield favicon
β”‚   └── screenshots/              # Captured Playwright screenshots of the live UI
β”‚
β”œβ”€β”€ scripts/
β”‚   β”œβ”€β”€ capture-screenshots.mjs   # Playwright screenshot pipeline (npm run screenshots)
β”‚   β”œβ”€β”€ reposec-cli.mts           # Local CLI scanner (npm run scan:local)
β”‚   β”œβ”€β”€ test-client-bundle.mts    # Deployed JS bundle regression test
β”‚   └── test-scanner.mts          # Rule-engine regression tests
β”‚
β”œβ”€β”€ .env.example                  # Template for optional GITHUB_TOKEN
β”œβ”€β”€ eslint.config.mjs             # ESLint 9 + Next + TypeScript configs
β”œβ”€β”€ next.config.ts                # Next.js config
β”œβ”€β”€ postcss.config.mjs            # Tailwind v4 PostCSS plugin
β”œβ”€β”€ tsconfig.json                 # Strict TypeScript config
β”œβ”€β”€ package.json                  # Scripts and dependencies
└── README.md                     # You are here

RepoSec is distributed under the MIT License. See LICENSE for the full terms.


πŸ“¦ Technologies

Layer Choice
Framework Next.js 16 (App Router)
Language TypeScript 5 (strict mode)
UI runtime React 19
Styling Tailwind CSS v4 + RepoSec design tokens
UI primitives shadcn-style components, locally authored (no CLI dependency)
Icons Lucide
Toasts Sonner
Class utilities clsx, tailwind-merge, class-variance-authority
Animations tw-animate-css
Data source GitHub REST API + raw file downloads (no auth required)
Visual regression Playwright (screenshot capture script)
Linting ESLint 9 + eslint-config-next (core-web-vitals + typescript)
Type checking tsc --noEmit

βœ… Requirements

  • Node.js β‰₯ 18.18 (Node 20 LTS recommended)
  • npm β‰₯ 9 (or any compatible package manager: pnpm, yarn, bun)
  • A modern browser (the UI uses CSS :has(), color-mix, and modern flex/grid)
  • Optional: a GitHub personal access token for higher rate limits

No database, no Docker, no cloud account required for the MVP.


πŸš€ Installation

# 1. Clone the repository
git clone https://github.com/zanesense/reposec.git
cd reposec

# 2. Install dependencies
npm install

# 3. (Optional) Set up environment variables
cp .env.example .env.local
# then edit .env.local and add your GITHUB_TOKEN

# 4. Start the dev server
npm run dev

Open http://localhost:3000 and paste a public GitHub URL, e.g. https://github.com/vercel/next.js.

npm CLI

Run RepoSec on any local checkout without installing the web app:

# One-off scan with npm
npx reposec .

# Or install globally
npm install -g reposec
reposec .

Production build

npm run build
npm run start

πŸ”§ Configuration

RepoSec is configured entirely through environment variables. There are no config files to edit and no database to provision.

Variable Description Required Example
GITHUB_TOKEN Personal access token (classic or fine-grained, public repos only). Raises rate limit to 5000/h. No ghp_xxx...

Create a local .env.local (or .env) from the template:

cp .env.example .env.local

If you skip this step, the scanner still works β€” you just share the 60 req/h anonymous rate limit. Rate-limit hits surface as a friendly error in the UI, courtesy of the GitHubError model in lib/github.ts:54.


πŸ› οΈ Usage

Web UI

  1. Run npm run dev and open http://localhost:3000.
  2. Paste a public GitHub URL (or pick a sample repo).
  3. Optionally paste a deployed app URL to scan production JavaScript bundles and source maps.
  4. Optionally enable supported-token verification for GitHub, Stripe, and HuggingFace tokens.
  5. Watch the per-stage loader (metadata β†’ tree β†’ files β†’ deployed bundles β†’ rules β†’ score).
  6. Explore the report tabs:
    • Overview β€” score gauge, severity counts, repo metadata, category breakdown.
    • Findings β€” every finding as a card with masked evidence and a "Fix it like this" panel.
    • Fixes β€” consolidated checklist.
    • Checks β€” full per-check pass/fail/warn table.
    • Files β€” file-grouped view of findings.
    • Export β€” copy or download the artifacts.

Local CLI

Scan a local checkout without using the web UI:

# Markdown report to stdout
npx reposec .

# Include recent git history blobs
npx reposec . --history

# Scan deployed public JS bundles too
npx reposec . --site https://your-app.example.com

# Write SARIF for GitHub Code Scanning or CI dashboards
npx reposec . --format sarif --out reposec.sarif

# Opt in to supported live token verification
npx reposec . --verify

# Force or disable colored terminal Markdown output
npx reposec . --color
npx reposec . --no-color

Inside this repository, npm run scan:local -- . runs the same CLI from source.

Baseline files are honored in both web/API and local CLI scans:

# .reposecignore
src/config.ts:12
secret-generic-api-key-assignment-src/config.ts-12
0123456789abcdef
{
  "ignore": [
    { "file": "src/config.ts", "line": 12 },
    { "fingerprint": "0123456789abcdef" }
  ]
}

Programmatic API

The scanner is exposed as a single POST endpoint:

POST /api/scan
Content-Type: application/json

{
  "url": "https://github.com/vercel/next.js",
  "siteUrl": "https://nextjs.org",
  "verify": false
}

Successful response:

{
  "ok": true,
  "report": {
    "repo": { "owner": "vercel", "repo": "next.js", "defaultBranch": "canary", "isPrivate": false },
    "score": 86,
    "scoreBand": "good",
    "summary": { "totalChecks": 42, "passed": 36, "failed": 4, "totalFindings": 6, "...": "..." },
    "findings": [ { "id": "...", "title": "...", "severity": "high", "category": "secret", "...": "..." } ],
    "scannedAt": "2026-06-05T08:00:00.000Z",
    "durationMs": 1480
  }
}

Error responses use stable code values: not_found, private, rate_limited, invalid, unknown.

Screenshots

Landing page

RepoSec landing page

Scanning state

RepoSec scan-in-progress loader

Report overview

RepoSec report overview

Findings tab

RepoSec findings tab

Export tab

RepoSec export tab

To regenerate them: npm run screenshots (builds the app, serves it on port 4001, and captures each route with Playwright).


πŸ§ͺ Testing

RepoSec ships with scanner regression tests, a deployed-bundle fixture test, screenshot-driven visual baselines, and a strict type/lint pipeline.

# Type check (strict TypeScript)
npm run typecheck

# Lint (ESLint 9 + Next + TypeScript)
npm run lint

# Build the production bundle (catches many runtime issues at build time)
npm run build

# Run rule-engine and deployed-bundle scanner regressions
npm run test:scanner

# Regenerate the public/screenshots/ baseline
npm run screenshots

# Wipe build artifacts and the TS incremental cache
npm run clean

πŸ“Š Project Flow

End-to-end scan lifecycle:

sequenceDiagram
    participant U as User
    participant W as Web UI (Next.js client)
    participant A as /api/scan (Next.js server)
    participant G as GitHub REST API
    participant B as Public deployed JS bundles
    participant R as Rule engine (lib/scanner.ts)
    participant S as Scoring (lib/scoring.ts)

    U->>W: Paste a public GitHub URL
    W->>A: POST { url }
    A->>G: GET /repos/{owner}/{repo}
    G-->>A: Repo metadata
    A->>G: GET /repos/{owner}/{repo}/git/trees/{branch}?recursive=1
    G-->>A: File tree
    A->>G: GET raw files (README, source, config, workflows, ...)
    G-->>A: File contents
    A->>B: GET HTML, JS bundles, source maps (optional)
    B-->>A: Public client assets
    A->>R: runScan(repoData)
    R-->>A: findings + summary + checks
    A->>S: calculateScore(findings)
    S-->>A: score + band
    A-->>W: { ok: true, report }
    W-->>U: Render score, tabs, exports
Loading

πŸ“š API Reference

POST /api/scan

Validates a public GitHub URL, fetches repo data, runs the static scanner, and returns a ScanReport.

Request body

Field Type Required Description
url string yes Full public GitHub URL, e.g. https://github.com/owner/repo. Trailing slashes and .git suffixes are tolerated.
siteUrl string no Optional public deployed app URL. RepoSec fetches public JS bundles and source maps from this site and scans them for secrets. HTTPS is enforced outside tests.
verify boolean no Opt in to supported live token verification. Currently GitHub, Stripe, and HuggingFace are checked with bounded requests. Defaults to false.

Response (200)

interface ScanResponse {
  ok: true;
  report: ScanReport;
}

Where ScanReport is defined in lib/types.ts and includes repo, score, scoreBand, summary, findings, filesChecked, fileGroups, scannedAt, and durationMs. Secret findings may also include confidence, fingerprint, and verified metadata.

Error responses

Status code Meaning
400 β€” Invalid JSON body or unparseable URL.
404 not_found The repository does not exist or is not public.
502 rate_limited GitHub rate limit reached (anonymous or token).
502 private The repository is private or access is restricted.
500 unknown Unexpected server error.

Example error body:

{
  "error": "API rate limit exceeded for your IP.",
  "code": "rate_limited",
  "status": 403
}

🧩 Examples

Try these public repositories

Repository Why scan it
vercel/next.js Large, well-run project β€” should score in the Good band.
facebook/react Tests CI and metadata heuristics at scale.
expressjs/express Classic Node.js project β€” interesting .gitignore and CI behavior.

What a finding looks like

{
  "id": "secret-stripe-live",
  "title": "Stripe live secret key",
  "description": "Looks like a live Stripe secret key. Roll the key if real.",
  "severity": "critical",
  "category": "secret",
  "confidence": "high",
  "fingerprint": "0123456789abcdef",
  "verified": false,
  "file": "src/config.ts",
  "line": 12,
  "evidence": "sk_l_********************def0",
  "fix": "Move the key to an environment variable and reference it via process.env.",
  "fixPrompt": "In src/config.ts:12, replace the hardcoded Stripe key with an env var..."
}

The scanner masks secrets to prefix****suffix before they ever leave the server, so the UI never displays the raw value.


🚒 Deployment

RepoSec is a standard Next.js 16 app. It works on any platform that supports the Node.js runtime.

Vercel (recommended)

# Install the Vercel CLI if you don't have it
npm i -g vercel

# Deploy from the project root
vercel

Add GITHUB_TOKEN as an environment variable in the Vercel project settings if you want a higher rate limit.

Docker

TODO: A Dockerfile is not yet committed. The recommended shape is:

# syntax=docker/dockerfile:1
FROM node:20-alpine AS deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci

FROM node:20-alpine AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
RUN npm run build

FROM node:20-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
COPY --from=builder /app/.next ./.next
COPY --from=builder /app/public ./public
COPY --from=builder /app/package.json ./package.json
COPY --from=builder /app/node_modules ./node_modules
EXPOSE 3000
CMD ["npm", "run", "start"]

Self-hosted Node

npm run build
GITHUB_TOKEN=ghp_xxx npm run start

The server listens on port 3000 by default. Override with PORT=4000 npm run start.


🧭 Roadmap

Planned and aspirational improvements:

  • 🧠 Optional LLM layer β€” "Bring Your Own Key" provider to add narrative remediation to the report.

  • πŸ§ͺ Unit tests β€” expand the current scanner regression suite into Vitest coverage for lib/scanner.ts, lib/rules.ts, and lib/scoring.ts.

  • 🐳 Container hardening β€” committed Dockerfile and docker-compose.yml.

  • 🌐 i18n β€” multi-language report exports.

  • πŸ”Œ GitHub App mode β€” comment the report on PRs via a public GitHub App.

  • πŸ“¦ More ecosystems β€” Python (requirements.txt, pyproject.toml), Go (go.mod), Rust (Cargo.toml) lockfile and audit checks.

  • πŸͺ Webhooks β€” scheduled scans for the repos you watch.

  • πŸͺͺ License detection β€” extend SPDX detection beyond the GitHub API metadata.

  • πŸ” More verifiers β€” add safe opt-in verification support for more providers without exposing raw secrets in reports.

TODO: A separate ROADMAP.md is not currently checked in. The list above is the source of truth until it is.


🀝 Contributing

Contributions are very welcome β€” especially new secret patterns and new check modules.

  1. Fork the repository on GitHub.
  2. Clone your fork and create a feature branch:
    git checkout -b feat/add-discord-token-pattern
  3. Install dependencies and start the dev server:
    npm install
    npm run dev
  4. Make your changes. When adding a new secret pattern, edit lib/rules.ts:10 and follow the existing SecretPattern shape.
  5. Run the quality checks before committing:
    npm run lint
    npm run typecheck
    npm run build
  6. Commit with a descriptive message:
    git commit -m "feat(scanner): add Discord bot token pattern"
  7. Push your branch and open a pull request against main:
    git push origin feat/add-discord-token-pattern

Please open an issue first if your change is large or design-related.


πŸ“ Changelog

TODO: A CHANGELOG.md is not yet committed. Notable milestones to seed it with:

  • 0.1.0 β€” Initial MVP. Landing page, 12 check modules, 55+ secret patterns (ported from the gitleaks ruleset), score + band, exports (Markdown, JSON, SECURITY.md, .env.example, issue checklist, fix prompt), Playwright screenshot baseline.
  • 0.2.0 β€” Full-tree secret target selection, deployed JavaScript bundle scanning, SARIF export, local CLI, git-history scanning, baseline suppression, confidence/fingerprint metadata, opt-in supported-token verification, and bundle scanner regression tests.

πŸ› Troubleshooting

Symptom Cause Fix
API rate limit exceeded on the first scan Anonymous GitHub limit (60 req/h) was hit. Add GITHUB_TOKEN to .env.local and restart the dev server.
Repository not found for a repo you can see in the browser The URL is wrong, the repo is private, or it was renamed. Double-check the URL. RepoSec only scans public repos.
Scan returns 0 findings and a perfect score The repo is small or has no scannable files (yet). Try a larger public repo, e.g. vercel/next.js.
.env.local is missing after cp .env.example .env.local on Windows PowerShell cp is not a native cmdlet. Use Copy-Item .env.example .env.local instead.
npm run screenshots fails Playwright browsers are not installed. Run npx playwright install once before the first capture.
Deployed bundle scan finds no assets The site URL is missing, not HTTPS, blocks server-side requests, or does not expose JS bundles through normal script/modulepreload tags. Enter the public production URL manually and confirm the bundles are reachable without authentication.
CLI SARIF output is empty No findings matched after baseline suppression. Run npx reposec . --format json and inspect summary.checks and filesChecked.
A reviewed finding keeps returning No baseline entry matches its id, fingerprint, file, or file:line. Add the exact finding location or fingerprint to .reposecignore or reposec-baseline.json.
Build complains about a missing next-env.d.ts The file is generated by Next.js on first run. Run npm run dev once, or delete .next and rebuild.
Type errors after pulling new code The incremental cache is stale. Run npm run clean followed by npm run typecheck.

πŸ”’ Security

RepoSec is a defensive security tool. It is designed to help maintainers find their own mistakes, not to weaponize findings.

  • βœ… The scanner is read-only. It never writes to the target repository.
  • βœ… The scanner is stateless. No scan data is stored on the server.
  • βœ… The scanner masks secrets before they appear in the UI or exports.
  • βœ… Live verification is opt-in and raw candidates are discarded before reports are returned.
  • βœ… Deployed bundle scanning is bounded to public HTTPS assets and blocks private/internal hosts.
  • βœ… The scanner is branded defensively β€” the copy and code avoid language like "hack", "exploit", "bypass", or "steal".

To report a vulnerability in RepoSec itself, please open a private security advisory on GitHub:

https://github.com/zanesense/reposec/security/advisories/new

For supported versions and response timelines, see SECURITY.md.

Never commit real secrets to this repository. The included .gitignore already excludes .env* (with .env.example whitelisted as a template).


πŸ“„ License

RepoSec is licensed under the MIT License. See LICENSE for the full license text.


❀️ Acknowledgements

  • πŸ›‘οΈ Inspired by the public hardening checklists from GitHub, OWASP, and Snyk.
  • 🎨 UI primitives adapted from the shadcn/ui patterns, locally authored and customised.
  • πŸ–ΌοΈ Icons by Lucide.
  • πŸ”” Toasts by Sonner.
  • πŸ€– Build tooling by Next.js, React, Tailwind CSS, and TypeScript.
  • πŸ§ͺ Visual baseline by Playwright.
  • πŸ’› Thanks to every maintainer who takes repo hygiene seriously.

⬆️ Back to top Β Β·Β  🌐 Live demo Β Β·Β  πŸ“¦ Repository Β Β·Β  πŸ› Report a bug Β Β·Β  πŸ“„ MIT License

About

Defensive, read-only GitHub repo scanner that finds secrets, exposed files, weak CI, missing security docs, Docker issues, and dependency risks.

Topics

Resources

License

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors