Read-only · Public repos · No signup

Find the gaps in yourGitHub repobefore attackers do.

RepoSec runs a static, read-only scan against any public GitHub repository and returns a security score, a checks table, and a list of fixes. No installs, no agent, no auth.

Read-only. We never modify your repository.

What we check

Twelve static checks, all read-only.

Each check is a static, read-only rule. Every result is reproducible: re-run the scan and the output is identical.

How it works

Exposed .env detection

Finds committed .env, .env.local, and .env.production files with real values.

Hygiene file checks

Looks for README, LICENSE, SECURITY.md, .env.example, CHANGELOG, CONTRIBUTING, and CODEOWNERS so new contributors aren't lost.

.gitignore coverage

Verifies that .env, node_modules, and build output are properly ignored.

Secret pattern scan

Heuristically detects OpenAI, GitHub, AWS, Stripe, JWT, private keys, and database URLs. Always masked.

Dependabot and CI quality

Checks for .github/workflows, Dependabot config, that CI runs on pull_request, runs tests, and does not use permissions: write-all.

package.json scripts

Looks for test, lint, audit, and start scripts. Also flags a missing `engines` field and `repository` field.

Dockerfile hardening

Detects a missing USER directive, missing HEALTHCHECK, :latest base image, ADD with a URL, and EXPOSE 22.

Community health files

Checks for issue templates, a PR template, CODEOWNERS, a code of conduct, a changelog, and a contributing guide.

Repository metadata

Verifies a description, topics, license on GitHub, the archived flag, and a sensible default branch.

Code pattern heuristics

Flags use of eval(), new Function(), and dangerouslySetInnerHTML inside the source tree (skipping node_modules and build output).

Dependency hygiene

Detects a single lockfile, an `engines` field, and a `repository` field. Mixed lockfiles break deterministic installs.

Lockfile consistency

Warns when package-lock.json, yarn.lock, and pnpm-lock.yaml all live in the same repository.

How it works

Three steps, no installs.

RepoSec is a Next.js app that talks to the public GitHub API. No auth, no tokens, no agent, no signup.

Paste a public GitHub URL

Type or paste a github.com/owner/repo link. Private repos and bad URLs are caught early.

RepoSec fetches the file tree

We pull the public file tree and the files that matter, then run the rule-based scanner.

Get a clear report

A security score, per-category check results, severity-grouped findings, and copy-pasteable fixes.

Defensive by design

Built for developers, not auditors.

No black-box scoring, no upsells, no paid tiers. Get a markdown report, a JSON report, and a fix prompt for your coding agent in under a minute.

Static, read-only scanning
Always-masked secret evidence
Transparent checks table
JSON export for CI pipelines
Copy-paste fixes and templates
Works with public repos only

Scan a repo

Or paste a URL in the input above.

Scope

This is a defensive tool.

RepoSec reads public files only. It is meant to help you find gaps in your own repository, never to help you attack someone else's.

Find the gaps in yourGitHub repobefore attackers do.

RepoSec runs a static, read-only scan against any public GitHub repository and returns a security score, a checks table, and a list of fixes. No installs, no agent, no auth.

Read-only. We never modify your repository.

Built for developers, not auditors.

No black-box scoring, no upsells, no paid tiers. Get a markdown report, a JSON report, and a fix prompt for your coding agent in under a minute.

Static, read-only scanning

Always-masked secret evidence

Transparent checks table

JSON export for CI pipelines

Copy-paste fixes and templates

Works with public repos only