start here
Quickstart
Two ways to scan, both finish in about a minute. Start anonymous to try it on any public repo; sign in when you want history, diffs, suppressions that sync, and one-click fix PRs.
Option A — anonymous, no account
- Go to triagerook.com and paste a public repo — a full URL or just
owner/repo. - The scan runs against the public-scan endpoint and streams a prioritized report straight to your browser. Nothing is saved — no account, no persistence (see data handling).
- When it finishes, hit
Export SARIFto download findings for GitHub Code Scanning if you want them.
Rate limits
Anonymous scans are capped at 10 per source IP per hour and 5 per repo per hour. Plenty for evaluating; sign in to scan on your own GitHub quota instead.
Option B — signed in
- Click
Sign inand authorize the TriageRook SecurityGitHub App. It asks only for what it needs — details on the security page. - Pick one of your public repos (or enter
owner/repo) and scan. The result is saved to your history. - From a saved scan you get: SARIF export, scan-to-scan diffs, suppressions that sync across scans, and — for findings with a clean deterministic fix — a one-click PR you review before merging.
Signed-in scans still only read public repositories; a private repo is refused at the boundary.
Option C — in CI (zero-auth, public repos)
For a public repo you can wire scanning into CI with no token at all — the anonymous endpoint speaks SARIF directly:
# .github/workflows/triagerook.yml
on:
push: { branches: [main] }
permissions:
contents: read
security-events: write
jobs:
scan:
runs-on: ubuntu-latest
steps:
- run: |
curl -fSL -X POST \
"https://www.triagerook.com/api/scan-public/${{ github.repository_owner }}/${{ github.event.repository.name }}?format=sarif" \
-o triagerook.sarif.json
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: triagerook.sarif.json
category: triagerookFull walkthrough, including the authenticated variant, on the SARIF export page.