start here

Quickstart

Two ways to scan, both finish in about a minute. Start anonymous to try it on any public repo; sign in when you want history, diffs, suppressions that sync, and one-click fix PRs.

Option A — anonymous, no account

  1. Go to triagerook.com and paste a public repo — a full URL or just owner/repo.
  2. The scan runs against the public-scan endpoint and streams a prioritized report straight to your browser. Nothing is saved — no account, no persistence (see data handling).
  3. When it finishes, hit Export SARIF to download findings for GitHub Code Scanning if you want them.

Rate limits

Anonymous scans are capped at 10 per source IP per hour and 5 per repo per hour. Plenty for evaluating; sign in to scan on your own GitHub quota instead.

Option B — signed in

  1. Click Sign in and authorize the TriageRook SecurityGitHub App. It asks only for what it needs — details on the security page.
  2. Pick one of your public repos (or enter owner/repo) and scan. The result is saved to your history.
  3. From a saved scan you get: SARIF export, scan-to-scan diffs, suppressions that sync across scans, and — for findings with a clean deterministic fix — a one-click PR you review before merging.

Signed-in scans still only read public repositories; a private repo is refused at the boundary.

Option C — in CI (zero-auth, public repos)

For a public repo you can wire scanning into CI with no token at all — the anonymous endpoint speaks SARIF directly:

# .github/workflows/triagerook.yml
on:
  push: { branches: [main] }
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - run: |
          curl -fSL -X POST \
            "https://www.triagerook.com/api/scan-public/${{ github.repository_owner }}/${{ github.event.repository.name }}?format=sarif" \
            -o triagerook.sarif.json
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: triagerook.sarif.json
          category: triagerook

Full walkthrough, including the authenticated variant, on the SARIF export page.

Next: skim what each detector looks for, or read the FAQ.