Security scanner · Open source

Find every vulnerability before they do.

RepoShield scans any Git repository for hardcoded secrets, vulnerable dependencies, OWASP Top 10 issues, and leaks buried in commit history — in minutes, with no configuration.

npx: one-command install
30+ secret patterns
8 package ecosystems
0 API keys needed
No API key required to start

All four core scanners run entirely on your machine. Add an AI key later for GPT-4o / Claude / Gemini deep analysis — totally optional.

Local-only · No data sent · Free forever · AI optional
What gets scanned

Four scanners. One command.

Each scanner targets a different attack surface. Together they cover the full OWASP Top 10 and more.

Secrets Detection (Free · Local)

30+ compiled regex patterns catch hardcoded API keys, tokens, private keys, and passwords before they ship. Matches are redacted in output — only the first 4 chars are shown.

AWS keys · GitHub tokens · Stripe · OpenAI / Anthropic · JWT · Private keys (PEM) · DB passwords
Dependency Scanning (Free · OSV)

Queries the open-source OSV vulnerability database for every package in your project. Maps CVSS scores to Critical/High/Medium/Low severity automatically.

npm / yarn · pip / Poetry · RubyGems · Cargo · Maven · NuGet · Composer · Go modules
Static Code Analysis (Free · Local)

Pattern-based detection across 8 languages. Covers the full OWASP Top 10 with 30+ rules including language-specific variants and false-positive suppression.

SQL injection · XSS · Command injection · Path traversal · SSRF · XXE · Insecure crypto · Open redirect
Git History Scanner (Free · Local)

Walks up to 200 commits to find secrets that were committed and later deleted. Even if the file is gone, the secret lives on in git objects — this scanner finds it.

All commits · Deleted files · Force-pushes safe · CWE-312
AI Deep Analysis (Optional · API key)

Sends your most security-relevant files to GPT-4o, Claude Opus, or Gemini 1.5 Pro for context-aware review. Catches logic bugs, IDOR, authorization flaws, and race conditions that patterns miss. Auto-selects the provider from your API key format — no config needed.

OpenAI GPT-4o · Anthropic Claude · Google Gemini · Business logic flaws · IDOR · Auth bypasses

How it works

Three steps. Full coverage.

No configuration files. No plugins. Paste a URL and scan.

01 · Paste any repo URL

GitHub, GitLab, Bitbucket, or any public git URL. Private repos work too — just ensure the host is reachable. Local paths are also supported.

02 · All scanners run locally

Secrets, dependencies, static analysis, and git history scanners run in parallel on your machine. Nothing is sent to any external server unless you add an AI key.

03 · Get a full report

Findings ranked by severity. Each includes the file path, line number, code snippet, CWE ID, OWASP category, and a specific fix suggestion. Export as JSON for CI/CD.


Severity levels

Every finding, ranked.

Based on CVSS scoring and exploitability — not guesswork.

Level (CVSS range): Examples. Action.

CRITICAL (9.0 – 10.0): Hardcoded AWS key, RCE via command injection, exposed private key. Action: Fix immediately.
HIGH (7.0 – 8.9): SQL injection, XSS, insecure deserialization, path traversal. Action: Fix before shipping.
MEDIUM (4.0 – 6.9): Weak crypto (MD5/SHA1), missing security headers, open redirect. Action: Plan to fix.
LOW (0.1 – 3.9): Debug mode on, verbose error messages, outdated minor versions. Action: Track and monitor.
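To make two of the rules on this page concrete, here is an added Python example (not RepoShield's own code) that scans text with a small, constructed subset of secret patterns, redacts every match to its first 4 characters as the Secrets Detection section describes, and maps a CVSS base score onto the four bands of the severity table above. The pattern set, the Finding shape, and the handling of a 0.0 score are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative subset of secret patterns; RepoShield's real rule set is not shown here.
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "PEM private key header": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Group 1 captures the assigned value so only the credential itself is reported.
    "Generic password assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}

@dataclass
class Finding:
    kind: str
    line_no: int
    redacted: str  # never the raw secret: first 4 chars kept, the rest masked

def redact(secret: str, keep: int = 4) -> str:
    """Keep only the first `keep` characters, matching the page's redaction rule."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)

def scan_text(text: str) -> list[Finding]:
    """Run every pattern over every line and report matches by line number, redacted."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(kind, line_no, redact(secret)))
    return findings

def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score to the four bands in the severity table above."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, level in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW")):
        if score >= floor:
            return level
    return "NONE"  # assumption: a 0.0 score sits below the table's LOW band

# Constructed sample input: fake credentials in the documented example formats.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password = "hunter2hunter2"
-----BEGIN RSA PRIVATE KEY-----
token = ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""
```

Calling `scan_text(SAMPLE)` yields one redacted finding per line, and no finding ever carries the full matched value.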

Get started

Up in under 60 seconds.

Run instantly with npx — no install needed. Or use Docker / manual setup.

npx:

# Run instantly — no install needed
npx reposhield scan https://github.com/owner/repo

# With AI deep analysis (optional)
npx reposhield scan https://github.com/owner/repo --ai-key sk-...

# Start the web UI locally
npx reposhield start

Docker:

# Clone and run
git clone https://github.com/ibrahimokdadov/reposhield.git
cd reposhield
docker-compose up

# Or use npx (no Docker needed):
npx reposhield start

Manual:

# Backend (Python 3.9+), run from a clone of the repository
cd backend
pip install -r requirements.txt
python -m uvicorn main:app --port 8000

# Frontend (Node 18+) — in a new terminal
cd frontend
npm install && npm run dev

# Open in browser
open http://localhost:5173