v0.9 · free · no card required

one-click github
security scan.

no install. no agent. no CI config.

Scan any public GitHub repo in one click - no login, no agent, no pipeline. TriageRook runs eleven detectors against exposed secrets, vulnerable dependencies, and IaC misconfigs - plus IAM risks no other zero-setup tool catches: OIDC trust misconfigurations, privilege-escalation paths, and admin-equivalent access.

scan a public repo now - no login

// no login required · 10 scans/h per IP · 5 scans/h per repo · public repos only

11detectors
235rules
SARIF 2.1code scanning export
<60sscan time
EUdata region
MITlicense
// example output

what a real scan looks like.

Findings come back grouped by severity, with a file path, line number, and a masked preview. No 800-page PDF. No upsell to enterprise.

triagerook — scan
$ triagerook scan vercel/next.js
┌─ summary ──────────────────────
│ risk score 92 / 100 excellent
│ files scanned 1,247
│ duration 47s
└─────────────────────────────────────
[CRIT]aws-access-key in commit history (3w ago)
[HIGH]next-public-secret-name CWE-200
[HIGH]cve-2024-21501 lodash@4.17.20
[HIGH]tls-verify-disabled CWE-295
[MED ]gha-pull-request-target-checkout-head
// 5 of 12 findings shown · ranked by risk score
// detectors

eleven detectors,
run in parallel.

Each scan runs every detector against your repo concurrently. No setup, no config files, no allowlist tuning — just sane defaults that flag what an attacker would actually find.

01
secret-scanner
60+ high-confidence patterns: AWS, GCP, Anthropic, OpenAI, Stripe, Slack, GitHub PATs, SSH keys, Supabase service-role JWTs.
regex
02
sensitive-files
Flags filenames that imply secrets regardless of content: .env.production, id_rsa, terraform.tfstate, kubeconfig, .npmrc.
filename only
03
entropy
Catches custom-format secrets in .env / config files via Shannon entropy on KEY=VALUE pairs. Skips placeholders automatically.
≥ 4.0 bits/char
04
git-history
Replays the last 30 commits looking for secrets that were deleted but never rotated. Dedups against the current tree.
30 commits
05
code-sast
AST-based via the TypeScript Compiler API plus targeted regex. 28 AST rules covering most of the OWASP Top 10 — SSRF, SQLi, command injection, reflected XSS, prototype pollution, ReDoS, NoSQL / SSTI injection, XXE, weak crypto, JWT misuse, hardcoded creds — plus AI-typical mistakes (TLS verify off, NEXT_PUBLIC_ secrets, bcrypt rounds < 10). Every rule CWE-tagged.
AST + regex · CWE-tagged
06
deps
npm package-lock.json against the npm advisories bulk API; PyPI/Go/RubyGems/Maven (pom.xml + Gradle)/Composer against OSV.dev; container OS-package CVEs ingested from a committed Trivy SARIF report.
npm + OSV.dev + Trivy
07
supply-chain
Typosquatting (Damerau-Levenshtein vs popular registries), install-hook abuse in package.json scripts and Python setup.py / pyproject.
npm + PyPI
08
ci-iac
Dockerfile (root user, :latest tags, ADD-from-URL, secrets in ENV) and GitHub Actions (pull_request_target checkouts, unpinned actions, write-all permissions).
CWE-tagged
09
posture
Repo posture graded A–F across 17 signals: branch protection, CODEOWNERS, signed commits, Dependabot/Renovate, secret scanning + push protection, least-privilege GITHUB_TOKEN, release provenance. Scored as a percentage of the signals we can actually assess.
A–F grade
10
iam-risk
IAM risk in policy-as-code (Terraform, CloudFormation, JSON, serverless): GitHub Actions OIDC trust weaknesses, privilege-escalation paths (PassRole, self-managing policies), and admin-equivalent grants. The slice of enterprise IAM tooling solo devs have never had.
OIDC · privesc · admin
11
license
Open-source license / compliance risk: strong copyleft (GPL/AGPL/SSPL), weak copyleft (LGPL/MPL/EPL/CDDL), and proprietary/UNLICENSED dependencies. npm reads the license field in package-lock.json (no network); PyPI/Go/RubyGems enrich via deps.dev, capped at 200 packages with graceful degradation.
deps.dev · SPDX

// more detectors added based on what users actually leak

// beyond detection

detect, then
actually fix it.

A finding you can't act on is just noise. Every scan ships with the rails to move from "here's what's wrong" to "here's the PR that fixes it" — or, when it's a false positive, to make it stop nagging you.

## sarif 2.1 export

Every saved scan is one click from a SARIF 2.1.0 export — drop it into github/codeql-action/upload-sarif and findings show up in your repo's Security → Code scanning tab next to CodeQL and Dependabot. Each rule deep-links back to its docs.

→ setup guide
## auto-fix prs

For findings with a clean fix (dependency bumps, secret extraction to process.env / os.environ), TriageRook opens a PR against your repo directly. Per-finding opt-in, isolated branch, preview before submit. You review before merging.

→ how it works
## suppressions

False positives happen. Suppress a single finding (by fingerprint), a rule on a path (by glob), or a whole rule for the repo — all from the findings view. User-scoped, synced via Supabase, survives across scans. .repoguardignore in your repo also honored.

// why triagerook

built for the dev who skips snyk.

## fast

Sign in with GitHub, pick a repo, get findings. No CLI, no pipeline, no config. Most scans finish in under a minute.

## private

We never store your source code. Only metadata, file paths, and masked previews. All in EU region. Open source — audit it.

## yours

No upsell to enterprise. No mandatory SSO. No usage gating. The scan you'd actually run.

// faq

asked & answered.

Do you store my source code?+

No. We fetch files from the GitHub API only during a scan and discard them immediately after. We persist findings (path, line, masked preview) — never the code itself.

What permissions does TriageRook need?+

Sign-in is via the TriageRook Security GitHub App and gives us read access to your public repositories. We do not read private code. The optional auto-fix PR feature requires you to install the App on the target repo — that grants Contents: write and Pull requests: write scoped to that single repo, used only to open a PR you then review.

Can I scan private repositories?+

Not yet. Sign-in today gives TriageRook read access to your public repositories only. Private-repo support is on the roadmap.

How is this different from GitHub secret scanning?+

GitHub's built-in scanning is free but limited to partner secret patterns. TriageRook adds 60+ curated regex patterns, an entropy fallback for custom formats, SAST rules, dependency CVEs across six ecosystems (+ container OS packages via Trivy), IaC checks for Dockerfile, GitHub Actions, Terraform, Kubernetes, CloudFormation and Helm, supply-chain heuristics (typosquatting, install-hook abuse, dependency confusion), a 30-commit history replay, a posture grade, and an IAM-risk lens built by a 10-year IAM specialist. One screen, severity-ranked.

Does it catch insecure code generated by Copilot / Cursor / Claude?+

Partly. The SAST detector flags patterns AI assistants commonly emit: TLS verification disabled (rejectUnauthorized: false / verify=False), session cookies with httpOnly: false, bcrypt rounds below 10, process.env fallbacks to a hardcoded secret-shaped literal, and NEXT_PUBLIC_*SECRET* env reads (which Next.js inlines into the client bundle). New rules added as patterns become visible.

Is TriageRook free?+

Yes, fully free. I'm still figuring out what people value enough to pay for — feedback is very welcome.

Where does my data live?+

All scan metadata is stored in Supabase, EU region. The app runs on Vercel. Both providers are SOC 2 compliant. See /security for details.

What if a finding is a false positive?+

Suppress it. From the findings view you can silence a single finding (by fingerprint), a rule on a path glob, or an entire rule for the repo. Suppressions are user-scoped, persisted in Supabase, and survive across scans — no need to commit a config file. If you prefer to version-control them, a .repoguardignore at the repo root is also honored.

Can I push TriageRook findings into GitHub Code Scanning?+

Yes. Every saved scan is one click from a SARIF 2.1.0 export — drop it into github/codeql-action/upload-sarif and the findings show up in your repo's Security → Code scanning tab next to CodeQL and Dependabot. Each result deep-links back to the matching rule documentation on TriageRook. Full setup at /docs/sarif.