one-click github
security scan.
no install. no agent. no CI config.
Scan any public GitHub repo in one click - no login, no agent, no pipeline. TriageRook runs eleven detectors against exposed secrets, vulnerable dependencies, and IaC misconfigs - plus IAM risks no other zero-setup tool catches: OIDC trust misconfigurations, privilege-escalation paths, and admin-equivalent access.
// no login required · 10 scans/h per IP · 5 scans/h per repo · public repos only
what a real scan looks like.
Findings come back grouped by severity, with a file path, line number, and a masked preview. No 800-page PDF. No upsell to enterprise.
eleven detectors,
run in parallel.
Each scan runs every detector against your repo concurrently. No setup, no config files, no allowlist tuning — just sane defaults that flag what an attacker would actually find.
// more detectors added based on what users actually leak
detect, then
actually fix it.
A finding you can't act on is just noise. Every scan ships with the rails to move from "here's what's wrong" to "here's the PR that fixes it" — or, when it's a false positive, to make it stop nagging you.
Every saved scan is one click from a SARIF 2.1.0 export — drop it into github/codeql-action/upload-sarif and findings show up in your repo's Security → Code scanning tab next to CodeQL and Dependabot. Each rule deep-links back to its docs.
→ setup guideFor findings with a clean fix (dependency bumps, secret extraction to process.env / os.environ), TriageRook opens a PR against your repo directly. Per-finding opt-in, isolated branch, preview before submit. You review before merging.
→ how it worksFalse positives happen. Suppress a single finding (by fingerprint), a rule on a path (by glob), or a whole rule for the repo — all from the findings view. User-scoped, synced via Supabase, survives across scans. .repoguardignore in your repo also honored.
built for the dev who skips snyk.
Sign in with GitHub, pick a repo, get findings. No CLI, no pipeline, no config. Most scans finish in under a minute.
We never store your source code. Only metadata, file paths, and masked previews. All in EU region. Open source — audit it.
No upsell to enterprise. No mandatory SSO. No usage gating. The scan you'd actually run.
asked & answered.
Do you store my source code?+
No. We fetch files from the GitHub API only during a scan and discard them immediately after. We persist findings (path, line, masked preview) — never the code itself.
What permissions does TriageRook need?+
Sign-in is via the TriageRook Security GitHub App and gives us read access to your public repositories. We do not read private code. The optional auto-fix PR feature requires you to install the App on the target repo — that grants Contents: write and Pull requests: write scoped to that single repo, used only to open a PR you then review.
Can I scan private repositories?+
Not yet. Sign-in today gives TriageRook read access to your public repositories only. Private-repo support is on the roadmap.
How is this different from GitHub secret scanning?+
GitHub's built-in scanning is free but limited to partner secret patterns. TriageRook adds 60+ curated regex patterns, an entropy fallback for custom formats, SAST rules, dependency CVEs across six ecosystems (+ container OS packages via Trivy), IaC checks for Dockerfile, GitHub Actions, Terraform, Kubernetes, CloudFormation and Helm, supply-chain heuristics (typosquatting, install-hook abuse, dependency confusion), a 30-commit history replay, a posture grade, and an IAM-risk lens built by a 10-year IAM specialist. One screen, severity-ranked.
Does it catch insecure code generated by Copilot / Cursor / Claude?+
Partly. The SAST detector flags patterns AI assistants commonly emit: TLS verification disabled (rejectUnauthorized: false / verify=False), session cookies with httpOnly: false, bcrypt rounds below 10, process.env fallbacks to a hardcoded secret-shaped literal, and NEXT_PUBLIC_*SECRET* env reads (which Next.js inlines into the client bundle). New rules added as patterns become visible.
Is TriageRook free?+
Yes, fully free. I'm still figuring out what people value enough to pay for — feedback is very welcome.
Where does my data live?+
All scan metadata is stored in Supabase, EU region. The app runs on Vercel. Both providers are SOC 2 compliant. See /security for details.
What if a finding is a false positive?+
Suppress it. From the findings view you can silence a single finding (by fingerprint), a rule on a path glob, or an entire rule for the repo. Suppressions are user-scoped, persisted in Supabase, and survive across scans — no need to commit a config file. If you prefer to version-control them, a .repoguardignore at the repo root is also honored.
Can I push TriageRook findings into GitHub Code Scanning?+
Yes. Every saved scan is one click from a SARIF 2.1.0 export — drop it into github/codeql-action/upload-sarif and the findings show up in your repo's Security → Code scanning tab next to CodeQL and Dependabot. Each result deep-links back to the matching rule documentation on TriageRook. Full setup at /docs/sarif.